I have a question about external connectivity to our self-managed, SSL-enabled Kafka cluster. What I am trying to do is connect an AWS IoT rule to the Kafka brokers to send messages to Kafka, which is SSL enabled. I am facing the error "KafkaAction failed to send a message to the specified bootstrap servers. Failed to process post-handshake messages" when I use the certificate generated directly by the operator and placed in the backbone-user-client secret, where backbone is my cluster name.
So the following doesn't work and fails:
k get secret backbone-user-client -n redpanda -o go-template='{{index .data "keystore.jks"}}' | base64 -d > keyclient.jks
k get secret backbone-user-client -n redpanda -o go-template='{{index .data "truststore.jks"}}' | base64 -d > truststore.jks
aws secretsmanager create-secret --name redpanda/dev/keyjks --secret-binary file://keyclient.jks
aws secretsmanager create-secret --name redpanda/dev/trustjks --secret-binary file://truststore.jks
Whereas when I generate the client certificate separately, it works fine, as below:
# connect to redpanda cluster
kubectl exec -it -n redpanda backbone-0 -- bash
# copy cert file from /etc/tls/certs/tls.crt to local: redpanda.pem
# convert
openssl x509 -outform der -in redpanda.pem -out redpanda.der
keytool -import -alias certificate -keystore truststore.jks -file redpanda.der
aws secretsmanager put-secret-value --secret-id redpanda/truststore --secret-binary fileb://truststore.jks
# KEYSTORE
k get secret backbone-user-client -n redpanda -o go-template='{{index .data "tls.key"}}' | base64 -d - > tls.key
k get secret backbone-user-client -n redpanda -o go-template='{{index .data "tls.crt"}}' | base64 -d - > tls.crt
openssl pkcs12 -export -in tls.crt -inkey tls.key -name client -out client.p12
keytool -importkeystore -destkeystore keystore.jks -srckeystore client.p12 -srcstoretype PKCS12
aws secretsmanager put-secret-value --secret-id redpanda/client/iot/keystore --secret-binary fileb://keystore.jks
But this second option is a customised one and thus is difficult to automate, since the cert is rotated every 30 days by the operator, and I want to keep the AWS secrets up to date so that my messages from the AWS IoT rule don't get lost. Does anyone have a suggestion/advice/solution for this?
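As an added example (not the poster's own commands), a script that automates the second, working flow so it can run from a cron job after each operator rotation: it decodes tls.crt/tls.key from the user secret and the broker cert from the pod, rebuilds a JKS only when the cert fingerprint has changed, and uploads with fileb://, since the AWS CLI reads file:// as text and corrupts a binary store. STATE_DIR, STORE_PASS, the alias names and the presence of kubectl, openssl, keytool and aws on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's commands: refresh the AWS secrets from the
# operator-rotated client cert only when the cert has changed. Assumes kubectl,
# openssl, keytool and aws on PATH; STATE_DIR and STORE_PASS are assumptions.
set -eu
NS="${NS:-redpanda}"
USER_SECRET="${USER_SECRET:-backbone-user-client}"
BROKER_POD="${BROKER_POD:-backbone-0}"
BROKER_CERT="/etc/tls/certs/tls.crt"
KEYSTORE_ID="${KEYSTORE_ID:-redpanda/client/iot/keystore}"
TRUSTSTORE_ID="${TRUSTSTORE_ID:-redpanda/truststore}"
STATE_DIR="${STATE_DIR:-/var/lib/redpanda-iot-sync}"   # keeps last fingerprints (assumed path)
STORE_PASS="${STORE_PASS:-}"                            # JKS/PKCS12 password, must be provided

fingerprint() {  # sha256 of a file; cksum fallback where sha256sum is absent
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else cksum "$1" | cut -d' ' -f1; fi
}
changed() {  # changed FILE STATEFILE: true when FILE's fingerprint differs from STATEFILE
  [ "$(fingerprint "$1")" != "$(cat "$2" 2>/dev/null || true)" ]
}
sync() {  # sync FILE STATEFILE BUILDER SECRET_ID STORE: rebuild and upload only on change
  changed "$1" "$2" || return 0   # fingerprint is recorded only after a successful upload
  "$3"; upload "$4" "$5"; fingerprint "$1" > "$2"
}
k8s_field() {  # k8s_field SECRET KEY OUTFILE: decode one key of a Kubernetes secret
  kubectl get secret "$1" -n "$NS" -o go-template="{{index .data \"$2\"}}" | base64 -d > "$3"
}
build_keystore() {  # PEM cert+key -> PKCS12 -> JKS, the same steps as the manual flow
  openssl pkcs12 -export -in tls.crt -inkey tls.key -name client -passout "pass:$STORE_PASS" -out client.p12
  keytool -importkeystore -noprompt -srckeystore client.p12 -srcstoretype PKCS12 \
    -srcstorepass "$STORE_PASS" -destkeystore keystore.jks -deststorepass "$STORE_PASS"
}
build_truststore() {  # keytool accepts the PEM broker cert directly, no DER conversion needed
  keytool -import -noprompt -alias redpanda -file redpanda.pem -keystore truststore.jks -storepass "$STORE_PASS"
}
upload() {  # binary stores need fileb://; file:// is read as text by the AWS CLI
  aws secretsmanager put-secret-value --secret-id "$1" --secret-binary "fileb://$2" >/dev/null
}
main() {
  [ -n "$STORE_PASS" ] || { echo "STORE_PASS must be set" >&2; exit 1; }
  umask 077; mkdir -p "$STATE_DIR"; work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  k8s_field "$USER_SECRET" tls.crt tls.crt; k8s_field "$USER_SECRET" tls.key tls.key
  kubectl exec -n "$NS" "$BROKER_POD" -- cat "$BROKER_CERT" > redpanda.pem
  sync tls.crt "$STATE_DIR/client.fp" build_keystore "$KEYSTORE_ID" keystore.jks
  sync redpanda.pem "$STATE_DIR/broker.fp" build_truststore "$TRUSTSTORE_ID" truststore.jks
}
if [ "${1:-}" = "run" ]; then main; fi   # e.g. from a cron job: sync.sh run
```

Run it more often than the rotation interval (daily is plenty for a 30-day rotation); unchanged certs cost one kubectl read and no upload.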