Skip to content

Instantly share code, notes, and snippets.

@osowski
Last active June 4, 2021 15:02
Show Gist options
  • Save osowski/d536d42dd90b9a854737ef90f74d7792 to your computer and use it in GitHub Desktop.
Save osowski/d536d42dd90b9a854737ef90f74d7792 to your computer and use it in GitHub Desktop.
Kafka Security Article #2 Snippets - TLS
bootstrap.servers=kafka.{kubernetes-cluster-fully-qualified-domain-name}:443
security.protocol=SSL
ssl.truststore.location={/provided/to/you/by/kafka/administrator}
ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
ssl.key.password={__generated_in_coordination_with_kafka_administrator__}
bootstrap.servers=kafka.{namespace}.svc.cluster.local:9071
security.protocol=SSL
ssl.truststore.location={/provided/to/you/by/kafka/administrator}
ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
ssl.key.password={__generated_in_coordination_with_kafka_administrator__}
listeners:
- name: plain
port: 9092
type: internal
tls: false
- name: tls
port: 9093
type: internal
tls: true
- name: external
port: 9094
type: route
tls: true
authentication:
type: tls
curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
tar xvf kafka.tgz
cd kafka_2.13-2.6.1
export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
export CONFIG_FILE=local-config-tls.properties
export CACERT_DIR=cacert-blog
export KAFKAUSER_DIR=my-user-blog
rm -f ${CONFIG_FILE}
echo "security.protocol=SSL" >> ${CONFIG_FILE}
rm -rf ${CACERT_DIR}
mkdir ${CACERT_DIR}
oc extract secret/my-cluster-cluster-ca-cert --to=./${CACERT_DIR}
echo "ssl.truststore.location=$(pwd)/${CACERT_DIR}/ca.p12" >> ${CONFIG_FILE}
echo "ssl.truststore.password=$(cat ${CACERT_DIR}/ca.password)" >> ${CONFIG_FILE}
rm -rf ${KAFKAUSER_DIR}
mkdir ${KAFKAUSER_DIR}
oc extract secret/my-user --to=./${KAFKAUSER_DIR}
echo "ssl.keystore.location=$(pwd)/${KAFKAUSER_DIR}/user.p12" >> ${CONFIG_FILE}
echo "ssl.keystore.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
echo "ssl.key.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
--command-config ${CONFIG_FILE} --list
bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
--producer.config ${CONFIG_FILE} --topic my-topic
bin/kafka-console-consumer.sh --bootstrap-server ${BOOTSTRAP} \
--consumer.config ${CONFIG_FILE} --topic my-topic --from-beginning
curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
tar xvf kafka.tgz
cd kafka_2.13-2.6.1
oc project kafka-security
export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
export CONFIG_FILE=local-config-tls.properties
export CACERT_DIR=cacert-blog
export KAFKAUSER_DIR=my-user-blog
rm -f ${CONFIG_FILE}
echo "security.protocol=SSL" >> ${CONFIG_FILE}
rm -rf ${CACERT_DIR}
mkdir ${CACERT_DIR}
oc extract secret/my-cluster-cluster-ca-cert --to=./${CACERT_DIR}
echo "ssl.truststore.location=$(pwd)/${CACERT_DIR}/ca.p12" >> ${CONFIG_FILE}
echo "ssl.truststore.password=$(cat ${CACERT_DIR}/ca.password)" >> ${CONFIG_FILE}
rm -rf ${KAFKAUSER_DIR}
mkdir ${KAFKAUSER_DIR}
oc extract secret/my-user --to=./${KAFKAUSER_DIR}
echo "ssl.keystore.location=$(pwd)/${KAFKAUSER_DIR}/user.p12" >> ${CONFIG_FILE}
echo "ssl.keystore.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
echo "ssl.key.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
--command-config ${CONFIG_FILE} --list
bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
--producer.config ${CONFIG_FILE} --topic my-topic
bin/kafka-console-consumer.sh --bootstrap-server ${BOOTSTRAP} \
--consumer.config ${CONFIG_FILE} --topic my-topic --from-beginning
keytool -exportcert -keypass {truststore-password} \
-keystore {provided-kafka-truststore.jks} \
-rfc -file {desired-kafka-cert-output.pem}
bootstrap.servers={kafka-cluster-name}-kafka-bootstrap-{namespace}.{kubernetes-cluster-fully-qualified-domain-name}:443
security.protocol=SSL
ssl.truststore.location={/provided/to/you/by/kafka/administrator}
ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
ssl.keystore.location={/extracted/from/generated/kafka/user/secret}/user.p12
ssl.keystore.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
ssl.key.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
bootstrap.servers={kafka-cluster-name}-kafka-bootstrap.{namespace}.svc.cluster.local:9093
security.protocol=SSL
ssl.truststore.location={/provided/to/you/by/kafka/administrator}
ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
ssl.keystore.location={/extracted/from/generated/kafka/user/secret}/user.p12
ssl.keystore.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
ssl.key.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment