Subscription Watch / SWATCH-2088

Kafka connection should succeed when using the system truststore

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 2024-02-05 - API

      2. Support for using the “default CA cert trust store” (approved via ADR-020). In other words, your app should properly connect to kafka using SSL even if Clowder DOES NOT present a ‘cacert’ in the cdappconfig.

      Why?: AWS signs its Kafka cluster certs using widely trusted CAs, so there is no need for us to store a custom CA cert bundle and provide it to apps. By using a default CA trust list, the cloud provider hosting Kafka can freely make changes to their certificate chain without us needing to update the certs in storage on our side. Some teams have been using the presence of a cacert as a “switch” in their code that determines whether SSL should be “on” or “off”. This needs to be changed.

      This is a requirement that came in from Brandon Squizzato for the AWS MSK (Kafka) migration. Right now, if we provide a Clowder JSON file with SSL configuration but no truststore, the connection fails with

      Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.errors.InvalidConfigurationException: SSL trust store certs can be specified only for PEM, but trust store type is .
              at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
              at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
              at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
              at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:117)
              at org.apache.kafka.clients.ClientUtils.createNetworkClient(ClientUtils.java:217)
              ... 34 common frames omitted

      Done criteria:

      {
      "kafka": {
       "brokers": [
         {
           "hostname": "localhost",
           "port": 9094,
           "authtype": "sasl",
           "sasl": {
               "username": "admin",
               "password": "dummy",
               "securityProtocol":"SASL_SSL",
               "saslMechanism":"PLAIN"
           }
         }
       ],
       "topics": []
      },
      "metricsPath": "/metrics",
      "metricsPort": 9000,
      "privatePort": 10000,
      "publicPort": 8000,
      "webPort": 8000
      }
      

      and a run of the application pointed to this JSON should successfully connect to Kafka for both the Spring app and the Quarkus apps.
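      The following is an added Java example, not code from the Subscription Watch project, Clowder or the Kafka client. It shows the two ways of mapping the broker block above to Kafka client properties: the pattern behind the stack trace, which always writes the ssl.truststore.* keys and therefore ends up with an empty trust store type when no cacert is present, and the corrected pattern, which omits those keys entirely so the client falls back to the JVM's default trust store. It assumes a hand-built BrokerConfig record standing in for Clowder's config classes, and the checkTruststoreConfig method is a local restatement of the check implied by the error message, not the client's own code.

```java
import java.util.Optional;
import java.util.Properties;

// Constructed stand-in for one entry of "brokers" in cdappconfig.json; not Clowder's own config classes.
record BrokerConfig(String hostname, int port, String authtype, String username, String password,
                    String securityProtocol, String saslMechanism, Optional<String> cacert) {}

public final class KafkaSslProperties {

    // Corrected pattern: truststore keys are emitted only when Clowder actually supplies a cacert.
    // With no cacert nothing is set, so the client uses the JVM's default trust store (the "default
    // CA cert trust store" the done criteria ask for). SSL stays on either way via security.protocol.
    static Properties build(BrokerConfig b) {
        Properties p = new Properties();
        p.setProperty("bootstrap.servers", b.hostname() + ":" + b.port());
        p.setProperty("security.protocol", b.securityProtocol());
        if ("sasl".equals(b.authtype())) {
            p.setProperty("sasl.mechanism", b.saslMechanism());
            p.setProperty("sasl.jaas.config",
                "org.apache.kafka.common.security.plain.PlainLoginModule required username=\""
                    + b.username() + "\" password=\"" + b.password() + "\";");
        }
        b.cacert().ifPresent(pem -> {
            p.setProperty("ssl.truststore.type", "PEM");
            p.setProperty("ssl.truststore.certificates", pem);
        });
        return p;
    }

    // The pattern that produces the trace in the issue: truststore keys are written unconditionally,
    // so a missing cacert leaves ssl.truststore.type empty while ssl.truststore.certificates is set.
    static Properties buildUnconditionally(BrokerConfig b) {
        Properties p = build(b);
        p.setProperty("ssl.truststore.type", b.cacert().map(c -> "PEM").orElse(""));
        p.setProperty("ssl.truststore.certificates", b.cacert().orElse(""));
        return p;
    }

    // Local restatement of the check the error text implies (assumption, not the Kafka client's code):
    // trust store certificates are only accepted together with the PEM store type.
    static void checkTruststoreConfig(Properties p) {
        String certs = p.getProperty("ssl.truststore.certificates");
        String type = p.getProperty("ssl.truststore.type", "");
        if (certs != null && !"PEM".equals(type)) {
            throw new IllegalArgumentException(
                "SSL trust store certs can be specified only for PEM, but trust store type is " + type + ".");
        }
    }

    public static void main(String[] args) {
        // Constructed from the done-criteria JSON in the issue: SASL_SSL with PLAIN and no cacert.
        BrokerConfig fromIssue = new BrokerConfig("localhost", 9094, "sasl", "admin", "dummy",
            "SASL_SSL", "PLAIN", Optional.empty());

        Properties fixed = build(fromIssue);
        checkTruststoreConfig(fixed);
        System.out.println("fixed config sets truststore keys: " + fixed.containsKey("ssl.truststore.type"));

        try {
            checkTruststoreConfig(buildUnconditionally(fromIssue));
        } catch (IllegalArgumentException e) {
            System.out.println("unconditional config rejected: " + e.getMessage());
        }
    }
}
```

      Two points worth keeping in view when applying this in the Spring and Quarkus apps: the fix is to leave the truststore keys out, not to relax verification (ssl.endpoint.identification.algorithm should stay at its default so hostnames are still checked against the certificate), and the JAAS string built above assumes the SASL username and password contain no double quotes or backslashes; a real implementation should escape or reject such values rather than splice them into the login module configuration.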

              awood1@redhat.com Alex Wood