Deploying a Kafka Connect worker on Kubernetes. Helm charts are used for deployment. The Kafka cluster is SSL encrypted, so we are using a JKS keystore and truststore. Kafka Connect couldn't access the offset storage topic and throws a TopicAuthorizationException.
I baked the JKS into the image and it worked, but volume-mounting the secrets isn't working. Hoping to get a solution to volume mount it. Using this image: confluentinc/cp-kafka-connect-base:7.2.2
Secrets.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.appName }}-jks-files
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ .Values.appName }}-jks-files
data:
  keystore.jks: {{ .Files.Get KeyStoreLoc | b64enc }}
  truststore.jks: {{ .Files.Get TruststoreLoc | b64enc }}
```
Deployment.yaml (only the template object); the password for the JKS comes from a ConfigMap (not shown here):
```yaml
template:
  metadata:
    labels:
      app: {{ .Values.appName }}
  spec:
    volumes:
      - name: ssl-keystore
        secret:
          secretName: {{ .Values.appName }}-jks-files
    containers:
      - image: {{ .Values.imageName }}
        imagePullPolicy: Always
        name: {{ .Values.appName }}
        volumeMounts:
          - mountPath: "/etc/connect-ssl"
            name: ssl-keystore
            readOnly: true
        ports:
          - containerPort: 8080
            name: http
            protocol: TCP
        envFrom:
          - configMapRef:
              name: {{ .Values.appName }}-config-map
```
- As I mentioned, baking the JKS into the image works fine, but we don't want to do that.
- Did a base64 encode on my Mac and added that to the secret instead of Helm's .Files.Get. Didn't work.
- I fiddled with the file name, with and without .jks; it didn't matter. Didn't work.
- Exec'd into the pod; the JKS files are present in the location.
- Decrypted the JKS with keytool and it is able to decrypt inside the container.
- Tried pointing CONNECT_SSL_KEYSTORE_LOCATION to a different location to test; it says no file exists, as expected.
Any help would be much appreciated!
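As an added example (not part of the original question and not Confluent's or Helm's code), the following POSIX shell script checks whether a rendered Secret manifest carries a keystore byte-for-byte. When a keystore baked into an image works but the same file delivered through a Secret does not, a base64 or binary-handling mistake in the chart is the cheapest thing to rule out first, before looking at the Connect worker's SSL settings. The script assumes the manifest has already been rendered (for example with `helm template`), that the file sits under `data:` as a single-line base64 value, and that `base64` plus `sha256sum` (or `shasum` on macOS) are on PATH; the sample keystore and Secret it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question): verify that a rendered
# Kubernetes Secret manifest carries a JKS file byte-for-byte. If the mounted
# keystore differs from the one baked into the image, a base64 or binary
# handling mistake in the chart is the first thing to rule out.
#
# Assumptions: the manifest is already rendered (e.g. `helm template`), the
# file sits under `data:` as a single-line base64 value, and `base64` plus
# `sha256sum` (or `shasum` on macOS) are on PATH.

# Print the base64 value stored under key $2 in manifest $1.
# The key is used as a sed pattern; '.' in "keystore.jks" matches itself.
secret_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tr -d '"' | tr -d '\n'
}

# Decode key $2 of manifest $1 into file $3. Fails if the key is absent.
decode_secret_key() {
  value=$(secret_value "$1" "$2")
  [ -n "$value" ] || return 1
  # macOS's BSD base64 spells the decode flag -D; GNU and busybox use -d.
  printf '%s' "$value" | base64 -d > "$3"
}

# SHA-256 of file $1, portable across coreutils and macOS.
file_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if key $2 in manifest $1 decodes to exactly the bytes of file $3.
verify_roundtrip() {
  tmp=$(mktemp) || return 1
  if ! decode_secret_key "$1" "$2" "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  expected=$(file_digest "$3")
  actual=$(file_digest "$tmp")
  rm -f "$tmp"
  [ "$expected" = "$actual" ]
}

# Constructed sample: a fake "keystore" containing NUL and 0xFF bytes (the
# kind of content a text-only pipeline corrupts) and a Secret that embeds it.
# Returns 0 when the round trip is intact.
demo() {
  dir=$(mktemp -d) || return 1
  printf 'FAKE-JKS\000\377\001\n' > "$dir/keystore.jks"
  b64=$(base64 "$dir/keystore.jks" | tr -d '\n')   # tr: strip GNU line wrap
  cat > "$dir/secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: demo-jks-files
data:
  keystore.jks: $b64
EOF
  verify_roundtrip "$dir/secret.yaml" keystore.jks "$dir/keystore.jks"
  rc=$?
  rm -rf "$dir"
  return $rc
}

demo && echo "keystore.jks round-trips intact" || echo "keystore.jks is NOT intact"
```

Two caveats worth knowing when encoding by hand: GNU `base64` wraps its output at 76 columns, and a wrapped value under `data:` is not valid YAML, so pass `-w 0` (the macOS tool emits a single line by default); and the decoded bytes must be compared, not the base64 text, because the mounted file is what keytool and the worker read. The same digest comparison can be run against the live pod with `kubectl exec <pod> -- sha256sum /etc/connect-ssl/keystore.jks` and checked against the chart's source file.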