How can we use the Kafka Connect truststore password in an abstract way in the KafkaConnector resource?
We have a Connect cluster with 3 nodes. Several certificates are needed in our Connect cluster's truststore. We have installed these certificates in the following way.
...
spec:
  tls:
    trustedCertificates:
      - certificate: ca.crt
        secretName: my-cluster-cluster-ca-cert
      - secretName: root-cer
        certificate: RootCA.crt
      - certificate: IntermediateCA.crt
        secretName: inter-cer
      - secretName: solace-broker-secret
        certificate: secure-solace-broker.crt
...
As you know, after the three Connect nodes start, the certificates are installed into the truststore /tmp/kafka/cluster.truststore.p12. In addition, the random truststore password can be found in the file /tmp/strimzi-connect.properties.
We point to the truststore path and the truststore password in the KafkaConnector resource file.
apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaConnector
metadata:
  name: solace-source-connector
  labels:
    strimzi.io/cluster: my-connect-cluster
spec:
  class: com.solace.connector.kafka.connect.source.SolaceSourceConnector
  tasksMax: 1
  config:
    value.converter: org.apache.kafka.connect.converters.ByteArrayConverter
    key.converter: org.apache.kafka.connect.storage.StringConverter
    kafka.topic: solace-test
    sol.host: tcps://msdkjskdjsdfrdfjdffdhxu3n.messaging.solace.cloud:55443
    sol.username: my-solace-cloud-username
    sol.password: password
    sol.vpn_name: solaceservice
    sol.topics: try-me
    sol.message_processor_class: com.solace.connector.kafka.connect.source.msgprocessors.SolSampleSimpleMessageProcessor
    sol.ssl_trust_store: /tmp/kafka/cluster.truststore.p12
    sol.ssl_trust_store_password: HARDCODED_RANDOM_PASSWORD
Right now we are going into one of the Connect cluster pods, taking the password from the /tmp/strimzi-connect.properties file, and then using that password in the sol.ssl_trust_store_password field.
My question:
Is there any way to parameterize the password? Any encapsulated way of using the password (so that we do not need to go into the pod to find out the password; the expectation is that the KafkaConnector resource would take the password from the /tmp/strimzi-connect.properties file on whichever pod it is running in).
I got the answer from Jakub Scholz on the Slack channel.
The tls configuration you are using and the truststore are supposed to be used for communication between Connect and Kafka, not for the connectors. I think you have two options how to provide a truststore for the connector
- You can use the same truststore as you are using now, but load the password using the FileConfigProvider - I think that should load the right password on each connect node
- You can just create your own secret with the truststore for the connector and load it into connect using this: https://strimzi.io/docs/operators/latest/full/using.html#assembly-kafka-connect-external-configuration-deployment-configuration-kafka-connect
This is how I implemented it:
- Created a custom truststore containing my certificate:
keytool -import -file RootCA.crt -alias root -keystore myTrustStore
- Created a Kubernetes secret from the truststore:
kubectl create secret generic my-trust-store --from-file=myTrustStore
- Loaded the secret into the Connect resource file:
spec:
  ...
  externalConfiguration:
    volumes:
      - name: my-trust-store
        secret:
          secretName: my-trust-store
- After the Connect cluster pods start, the truststore is available at /opt/kafka/external-configuration/my-trust-store/
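Both options from the answer, as one worked configuration. This is an added example, not code from the original post, from Strimzi or from the Solace connector project. It assumes the following, none of which the post states: the Strimzi-generated /tmp/strimzi-connect.properties exposes the truststore password under the key ssl.truststore.password; a second Secret named my-trust-store-credentials holds a file truststore.properties with a line truststore.password=...; and the kafka.strimzi.io/v1beta2 API version. The point of both variants is the same: the connector config carries a ${file:...} placeholder that each worker resolves locally, so the random password never appears in the KafkaConnector resource, in kubectl get output, or in Git.

```yaml
# Added example (not from the original post or the Strimzi/Solace projects).
# Assumed: key name ssl.truststore.password in /tmp/strimzi-connect.properties,
# Secret my-trust-store-credentials with file truststore.properties, API v1beta2.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect-cluster
spec:
  replicas: 3
  config:
    # Enable Kafka's FileConfigProvider on every worker so connector configs
    # may reference ${file:<path>:<key>} instead of embedding the value.
    config.providers: file
    config.providers.file.class: org.apache.kafka.common.config.provider.FileConfigProvider
  tls:
    # Worker-to-Kafka trust, exactly as in the question.
    trustedCertificates:
      - certificate: ca.crt
        secretName: my-cluster-cluster-ca-cert
      - secretName: solace-broker-secret
        certificate: secure-solace-broker.crt
  # Option 2: a dedicated connector truststore plus its password, mounted as
  # files under /opt/kafka/external-configuration/<volume name>/<secret key>.
  externalConfiguration:
    volumes:
      - name: my-trust-store
        secret:
          secretName: my-trust-store              # key: myTrustStore
      - name: my-trust-store-credentials          # assumed Secret, see lead-in
        secret:
          secretName: my-trust-store-credentials  # key: truststore.properties
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnector
metadata:
  name: solace-source-connector
  labels:
    strimzi.io/cluster: my-connect-cluster
spec:
  class: com.solace.connector.kafka.connect.source.SolaceSourceConnector
  tasksMax: 1
  config:
    value.converter: org.apache.kafka.connect.converters.ByteArrayConverter
    key.converter: org.apache.kafka.connect.storage.StringConverter
    kafka.topic: solace-test
    sol.host: tcps://msdkjskdjsdfrdfjdffdhxu3n.messaging.solace.cloud:55443
    sol.username: my-solace-cloud-username
    sol.vpn_name: solaceservice
    sol.topics: try-me
    sol.message_processor_class: com.solace.connector.kafka.connect.source.msgprocessors.SolSampleSimpleMessageProcessor
    # Option 1: reuse the Strimzi-generated truststore; the password is read on
    # each worker from the file Strimzi wrote there, so no hard-coded value.
    sol.ssl_trust_store: /tmp/kafka/cluster.truststore.p12
    sol.ssl_trust_store_password: ${file:/tmp/strimzi-connect.properties:ssl.truststore.password}
    # Option 2 instead (uncomment and drop the two lines above): your own
    # truststore from the mounted Secret, password from the mounted properties file.
    # sol.ssl_trust_store: /opt/kafka/external-configuration/my-trust-store/myTrustStore
    # sol.ssl_trust_store_password: ${file:/opt/kafka/external-configuration/my-trust-store-credentials/truststore.properties:truststore.password}
```

Two things to check after applying this. First, confirm the key name by reading the generated file once on a worker (`grep truststore /tmp/strimzi-connect.properties`); if Strimzi uses a different key, the placeholder resolves to nothing and the TLS handshake fails with an empty password rather than an obvious configuration error. Second, FileConfigProvider reads any file the worker process can read, so anyone allowed to create KafkaConnector resources can pull file contents into a connector config; Kafka 3.8 and later let you restrict the provider to an allow-list of paths (the `allowed.paths` provider parameter), which is worth setting so that only the intended properties files are readable this way.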