SSL env variables are ignored for controller in KRaft isolated mode #350

Open
vszyndler opened this issue Aug 28, 2024 · 1 comment
Comments

@vszyndler

Hi!

I'm using confluentinc/cp-kafka image in KRaft isolated mode.
I use SASL_SSL authentication for broker-to-controller and client-to-broker authentication.

I tried to use the following env variables to configure SSL on the KRaft controller side, but they are ignored because there is no listener called SSL nor SASL_SSL in the controller advertised listeners.
KAFKA_SSL_KEYSTORE_FILENAME
KAFKA_SSL_KEYSTORE_CREDENTIALS
KAFKA_SSL_KEY_CREDENTIALS
KAFKA_SSL_TRUSTSTORE_FILENAME
KAFKA_SSL_TRUSTSTORE_CREDENTIALS

The issue comes from the following lines:

# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
then
echo "SSL is enabled."
fi

Instead, I have to use the following env variables, which is an issue since it prevents me from using docker secrets to store the passwords.
KAFKA_SSL_KEYSTORE_LOCATION
KAFKA_SSL_KEYSTORE_PASSWORD
KAFKA_SSL_KEY_PASSWORD
KAFKA_SSL_TRUSTSTORE_LOCATION
KAFKA_SSL_TRUSTSTORE_PASSWORD

On the broker side, I can use KAFKA_SSL_KEYSTORE_FILENAME and KAFKA_SSL_KEYSTORE_CREDENTIALS, but the truststore variables are also ignored because I have configured KAFKA_SSL_CLIENT_AUTH to none (since I use SASL_SSL authentication).

This time, the issue comes from the following line:

if [[ -n "${KAFKA_SSL_CLIENT_AUTH-}" ]] && ( [[ $KAFKA_SSL_CLIENT_AUTH == *"required"* ]] || [[ $KAFKA_SSL_CLIENT_AUTH == *"requested"* ]] )

I've seen that other similar issues have already been reported: #58 or #89.

When can we expect a fix for these issues?

@whit0694

Thanks for adding this issue. I just hit this same thing and came to the same conclusion/workaround.

When running a controller-only KRaft container, this line will remove any kafka_advertised_listeners env var:

https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L21

But the part of the configure script that sets the necessary SSL env vars requires that kafka_advertised_listeners be present:

https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L87

I think #352 could help, since it would give the script another way of configuring those necessary SSL env vars.

But, honestly, I keep getting tripped up by the magic logic that happens in this configure file. I'm wondering if there's a better approach?
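To make the two gates discussed in this thread concrete, here is an added example (not code from the kafka-images configure script): it reproduces both conditions as quoted, places a broader check next to each that also looks at the controller listener, and resolves the FILENAME/CREDENTIALS variables into LOCATION/PASSWORD by reading the password from a file. The secrets directory ($SECRETS_DIR, default /etc/kafka/secrets) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from confluentinc/kafka-images. Reproduces the gates
# quoted in the issue beside broader checks, and turns *_FILENAME/*_CREDENTIALS
# into *_LOCATION/*_PASSWORD so passwords stay in files (e.g. Docker secrets).
SECRETS_DIR="${SECRETS_DIR:-/etc/kafka/secrets}"   # assumed location

# Gate quoted in the issue: only KAFKA_ADVERTISED_LISTENERS is inspected, so a
# controller-only KRaft node (which advertises nothing) never enables SSL.
ssl_enabled_issue_gate() {
  case "${KAFKA_ADVERTISED_LISTENERS-}" in *SSL://*) return 0 ;; esac
  return 1
}

# Broader gate: also accept KAFKA_LISTENERS and a listener.security.protocol.map
# entry (e.g. CONTROLLER:SASL_SSL) that maps a listener name to SSL or SASL_SSL.
ssl_enabled() {
  case "${KAFKA_ADVERTISED_LISTENERS-}${KAFKA_LISTENERS-}" in *SSL://*) return 0 ;; esac
  case ",${KAFKA_LISTENER_SECURITY_PROTOCOL_MAP-}," in *:SSL,*|*:SASL_SSL,*) return 0 ;; esac
  return 1
}

# Truststore gate quoted in the issue: only when ssl.client.auth is on.
truststore_needed_issue_gate() {
  case "${KAFKA_SSL_CLIENT_AUTH-}" in *required*|*requested*) return 0 ;; esac
  return 1
}

# Broader gate: a node that talks TLS to the controller needs a truststore even
# with ssl.client.auth=none, so require one whenever any TLS listener exists.
truststore_needed() {
  truststore_needed_issue_gate || ssl_enabled
}

# Resolve KAFKA_SSL_<KIND>_FILENAME/_CREDENTIALS into _LOCATION/_PASSWORD for
# KEYSTORE and TRUSTSTORE, plus KAFKA_SSL_KEY_CREDENTIALS. Returns 1 when a
# referenced credentials file is missing, so a misconfiguration fails loudly.
resolve_ssl_secrets() {
  for kind in KEYSTORE TRUSTSTORE; do
    eval "fname=\${KAFKA_SSL_${kind}_FILENAME-}; cred=\${KAFKA_SSL_${kind}_CREDENTIALS-}"
    [ -n "$fname" ] || continue
    [ -f "$SECRETS_DIR/$cred" ] || { echo "missing credentials file for $kind" >&2; return 1; }
    export "KAFKA_SSL_${kind}_LOCATION=$SECRETS_DIR/$fname"
    export "KAFKA_SSL_${kind}_PASSWORD=$(cat "$SECRETS_DIR/$cred")"
  done
  if [ -n "${KAFKA_SSL_KEY_CREDENTIALS-}" ]; then
    [ -f "$SECRETS_DIR/$KAFKA_SSL_KEY_CREDENTIALS" ] || { echo "missing key credentials file" >&2; return 1; }
    export "KAFKA_SSL_KEY_PASSWORD=$(cat "$SECRETS_DIR/$KAFKA_SSL_KEY_CREDENTIALS")"
  fi
}
```

With a controller-only environment (no KAFKA_ADVERTISED_LISTENERS, CONTROLLER mapped to SASL_SSL, KAFKA_SSL_CLIENT_AUTH=none) the quoted gates both return false while the broader ones return true, which is exactly the mismatch the thread describes.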
