Strimzi - Connecting to External OpenShift Route Listener with SCRAM-SHA-512 Authentication with TLS with Sarama
I have a Strimzi cluster set up with the following YAML.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka
spec:
  kafka:
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: route
        authentication:
          type: scram-sha-512
        tls: true
The pods are running fine, and I created a KafkaUser CR with SCRAM-512 as shown below -
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: scram-user
  labels:
    strimzi.io/cluster: kafka
spec:
  authentication:
    type: scram-sha-512
I have correctly extracted the SCRAM password from the secret and obtained the ca.crt file from the cluster-ca-cert secret. I am trying to follow the Go Sarama code from this example - https://github.com/Shopify/sarama/blob/master/examples/sasl_scram_client/main.go
I also correctly obtained the bootstrap server address from the OpenShift route, but I can't seem to connect.
go run sarama.go scram_client.go -brokers bootstrap-address:443 -username scram-user -passwd esoy2WksWRBp -topic test-topic -algorithm sha512 -tls true -ca /path/ca.crt
I have tried a few variations of the above command, adding the -certificate or -key flags, and none seem to work. Is my listener setup wrong?
Edit - forgot to include and mention it, but this is the error I get from the Go Sarama code.
[Sarama] 2021/08/18 09:22:36 Failed to send SASL handshake kafka-broker:443: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 Closed connection to broker kafka-broker:443
[Sarama] 2021/08/18 09:22:36 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 client/metadata no available broker to send metadata request to
[Sarama] 2021/08/18 09:22:36 client/brokers resurrecting 1 dead seed brokers
[Sarama] 2021/08/18 09:22:36 Closing Client
[Producer] 2021/08/18 09:22:36 failed to create producer: kafka: client has run out of available brokers to talk to (Is your cluster reachable?)
exit status 1
So it looks like a certificate issue, but I seem to have obtained the certificate by following the right instructions. My Kafka broker is just named kafka, so the secret is just named kafka-cluster-ca-cert. The ca.crt file is the path I provide to the Sarama code.
oc get secret kafka-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
The describe of the secret, in case it matters -
╰─ oc describe secret kafka-cluster-ca-cert
Name:         kafka-cluster-ca-cert
Namespace:    strimzi
Labels:       app.kubernetes.io/instance=kafka
              app.kubernetes.io/managed-by=strimzi-cluster-operator
              app.kubernetes.io/name=strimzi
              app.kubernetes.io/part-of=strimzi-kafka
              strimzi.io/cluster=kafka
              strimzi.io/kind=Kafka
              strimzi.io/name=strimzi
Annotations:  strimzi.io/ca-cert-generation: 0

Type:  Opaque

Data
====
ca.crt:       1854 bytes
ca.p12:       1687 bytes
ca.password:  12 bytes
Turns out the problem was mainly with the command line. I kept trying to use the -ca flag when I should have just used the -certificate flag. I also needed to add the -verify option flag. So the command that allowed me to produce used the following -
go run sarama.go scram_client.go -brokers <your-kafka-bootstrap-address>:443 -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true
The same goes for the consume command
go run sarama.go scram_client.go -brokers <your-kafka-bootstrap-address>:443 -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -mode consume -logmsg -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true
Lesson learned, I guess - know the difference between a CA, a certificate and a key.
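An added example, not from the question, the answer or the Sarama project, that shows the CA-versus-certificate point from the answer in plain Go using only the standard library. It generates a constructed in-memory CA and a broker leaf as stand-ins for the Strimzi cluster CA and the route listener's certificate (names makeCert, certPEM, verifyBroker and caIsClientKeyPair are the example's own): loading ca.crt into the trust pool makes the broker certificate verify, leaving it out reproduces the `x509: certificate signed by unknown authority` error from the log above, and ca.crt cannot be loaded as a client certificate plus key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// makeCert returns a constructed test cert: a self-signed CA when parent is nil
// (stand-in for the Strimzi cluster CA), else a broker leaf for host signed by it.
func makeCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// certPEM encodes a cert the way ca.crt in the cluster-ca-cert secret is stored.
func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}
// verifyBroker is the check a TLS client makes with verification on: the broker
// leaf must chain to a root loaded from ca.crt. An empty caPEM leaves the pool empty
// and Verify fails with x509.UnknownAuthorityError, the error in the Sarama log above.
func verifyBroker(leaf *x509.Certificate, caPEM []byte, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // returns false, leaving the pool empty, if caPEM holds no cert
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
// caIsClientKeyPair is always false for ca.crt: a CA cert is no client cert plus private key.
func caIsClientKeyPair(caPEM []byte) bool {
	_, err := tls.X509KeyPair(caPEM, caPEM)
	return err == nil
}
```

Whatever flag combination eventually connects, confirm that verification is really on (RootCAs populated and InsecureSkipVerify false): a client that skips verification also "connects", and then hands the SCRAM credentials to whichever endpoint answers at the route address.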