[bitnami/kafka] Only set ssl.client.auth to required when mTLS is used (#5581)
This commit is contained in:
committed by
GitHub
parent
3294c3583b
commit
297bbcb467
@@ -29,4 +29,4 @@ name: kafka
|
||||
sources:
|
||||
- https://github.com/bitnami/bitnami-docker-kafka
|
||||
- https://kafka.apache.org/
|
||||
version: 12.9.1
|
||||
version: 12.9.2
|
||||
|
||||
@@ -105,16 +105,39 @@ ssl.truststore.password={{ .Values.auth.jksPassword }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
EOF
|
||||
{{- else if (include "kafka.client.tlsEncryption" .) }}
|
||||
|
||||
You need to configure your Kafka client to access using TLS authentication. To do so, you need to create the 'client.properties' configuration file by executing these command:
|
||||
|
||||
cat > client.properties <<EOF
|
||||
security.protocol={{ $clientProtocol }}
|
||||
ssl.truststore.location=/tmp/kafka.truststore.jks
|
||||
{{- if eq .Values.auth.clientProtocol "mtls" }}
|
||||
ssl.keystore.location=/tmp/client.truststore.jks
|
||||
{{- end }}
|
||||
{{- if .Values.auth.jksPassword }}
|
||||
ssl.truststore.password={{ .Values.auth.jksPassword }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.auth.tlsEndpointIdentificationAlgorithm "" }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
EOF
|
||||
|
||||
{{- end }}
|
||||
|
||||
To create a pod that you can use as a Kafka client run the following commands:
|
||||
|
||||
kubectl run {{ $fullname }}-client --restart='Never' --image {{ template "kafka.image" . }} --namespace {{ $releaseNamespace }} --command -- sleep infinity
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} /path/to/client.properties {{ $fullname }}-client:/tmp/client.properties
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} /path/to/kafka_jaas.conf {{ $fullname }}-client:/tmp/kafka_jaas.conf
|
||||
{{- if eq .Values.auth.clientProtocol "sasl_tls" }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} ./kafka.truststore.jks {{ $fullname }}-client:/tmp/kafka.truststore.jks
|
||||
{{- if eq .Values.auth.clientProtocol "mtls" }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} ./client.keystore.jks {{ $fullname }}-client:/tmp/client.truststore.jks
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
kubectl exec --tty -i {{ $fullname }}-client --namespace {{ $releaseNamespace }} -- bash
|
||||
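Review bot: The new mTLS branch of client.properties writes `ssl.keystore.location=/tmp/client.truststore.jks`, and the matching copy step further down moves `./client.keystore.jks` to that same `/tmp/client.truststore.jks` path, so the client keystore ends up with a truststore-style name and is distinguishable from the broker truststore only by its `client.` prefix. Rename both to the keystore name so the generated config matches what the user is told to copy: `ssl.keystore.location=/tmp/client.keystore.jks` and `kubectl cp --namespace {{ $releaseNamespace }} ./client.keystore.jks {{ $fullname }}-client:/tmp/client.keystore.jks`. Separately, when jksPassword is set only `ssl.truststore.password` is emitted; a password-protected client keystore presumably also needs `ssl.keystore.password` (and `ssl.key.password` if the private key is protected) in the mtls branch, otherwise the console clients cannot open it — confirm against how the client keystore is generated for this chart. The `{{- else if (include "kafka.client.tlsEncryption" .) }}` branch belongs to a conditional whose start lies outside the hunk.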
@@ -124,13 +147,13 @@ To create a pod that you can use as a Kafka client run the following commands:
|
||||
|
||||
PRODUCER:
|
||||
kafka-console-producer.sh \
|
||||
{{ if (include "kafka.client.saslAuthentication" .) }}--producer.config /tmp/client.properties \{{ end }}
|
||||
{{ if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}--producer.config /tmp/client.properties \{{ end }}
|
||||
--broker-list {{ join "," $brokerList }} \
|
||||
--topic test
|
||||
|
||||
CONSUMER:
|
||||
kafka-console-consumer.sh \
|
||||
{{ if (include "kafka.client.saslAuthentication" .) }}--consumer.config /tmp/client.properties \{{ end }}
|
||||
{{ if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}--consumer.config /tmp/client.properties \{{ end }}
|
||||
--bootstrap-server {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.port }} \
|
||||
--topic test \
|
||||
--from-beginning
|
||||
|
||||
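Review bot: The predicate `or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .)` is now repeated three times in this file (the `kubectl cp` guard in the previous hunk plus the `--producer.config` and `--consumer.config` lines here), so the next change to "which protocols need a client.properties file" has to be applied in three places and can silently drift. Factor it into one named template in the chart's helpers (name below is a constructed suggestion) and call it from all three sites, e.g. `{{ if (include "kafka.client.needsClientProperties" .) }}--producer.config /tmp/client.properties \{{ end }}`.
```gotemplate
{{/*
Return a non-empty string when the client needs a client.properties file,
i.e. when SASL authentication or TLS encryption is enabled for clients.
*/}}
{{- define "kafka.client.needsClientProperties" -}}
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) -}}
    {{- true -}}
{{- end -}}
{{- end -}}
```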
@@ -114,11 +114,11 @@ data:
|
||||
{{- if and .Values.auth.jksTruststoreSecret .Values.auth.jksTruststore }}
|
||||
JKS_TRUSTSTORE="/truststore/{{ .Values.auth.jksTruststore }}"
|
||||
{{- else if .Values.auth.jksTruststoreSecret }}
|
||||
JKS_TRUSTSTORE="/truststore/kafka.trustore.jks"
|
||||
JKS_TRUSTSTORE="/truststore/kafka.truststore.jks"
|
||||
{{- else if .Values.auth.jksTruststore }}
|
||||
JKS_TRUSTSTORE="/certs/{{ .Values.auth.jksTruststore }}"
|
||||
{{- else }}
|
||||
JKS_TRUSTSTORE="/certs/kafka.trustore.jks"
|
||||
JKS_TRUSTSTORE="/certs/kafka.truststore.jks"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.auth.jksKeystoreSAN }}
|
||||
|
||||
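Review bot: Correcting the default to `JKS_TRUSTSTORE="/truststore/kafka.truststore.jks"` and `JKS_TRUSTSTORE="/certs/kafka.truststore.jks"` changes the path the broker reads at startup, so any deployment whose secret was created under the misspelled name `kafka.trustore.jks` to match the previous script will stop finding its truststore after an upgrade. The fix itself is right; the gap is documentation — the commit message only mentions ssl.client.auth, so add the rename to the chart's upgrade notes and to the description of the truststore values so operators know to rename the key in their secret. Whether existing users actually depended on the typo cannot be seen from here, so treat this as a risk to confirm rather than a known breakage. The shell script holding these assignments starts and ends outside the hunk.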
@@ -246,6 +246,8 @@ spec:
|
||||
{{- if (include "kafka.tlsEncryption" .) }}
|
||||
- name: KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM
|
||||
value: {{ .Values.auth.tlsEndpointIdentificationAlgorithm | quote }}
|
||||
- name: KAFKA_CFG_TLS_CLIENT_AUTH
|
||||
value: {{ ternary "required" "none" (eq .Values.auth.clientProtocol "mtls") | quote }}
|
||||
{{- if .Values.auth.jksPassword }}
|
||||
- name: KAFKA_CERTIFICATE_PASSWORD
|
||||
value: {{ .Values.auth.jksPassword | quote }}
|
||||
|
||||
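Review bot: `KAFKA_CFG_TLS_CLIENT_AUTH` does not match the neighbouring `KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM`, which by the image's `KAFKA_CFG_` convention maps onto the dotted server.properties key; if the same mapping applies to this variable it would render `tls.client.auth` rather than `ssl.client.auth`, so confirm the image handles this name specially (by that convention `KAFKA_CFG_SSL_CLIENT_AUTH` would be the name that maps onto `ssl.client.auth`). The ternary also reduces Kafka's three-state setting to `required`/`none`, leaving `requested` unreachable; if that is intended, a comment above the entry such as `# ssl.client.auth: demand a client certificate only for mTLS; TLS-only clients are not asked for one` would record it. The commit title implies brokers previously always required a certificate, so TLS-only deployments lose that challenge after this change — the `clientProtocol` documentation in values.yaml should state which protocols imply client-certificate verification. The container env list continues outside the hunk.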
@@ -14,7 +14,7 @@
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/kafka
|
||||
tag: 2.7.0-debian-10-r35
|
||||
tag: 2.7.0-debian-10-r64
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
||||
|
||||