Asked by: 小点点

Strimzi - Connecting to an external OpenShift route listener with SCRAM-SHA-512 authentication over TLS using Sarama


I set up a Strimzi cluster with the following YAML.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka
spec:
  kafka:
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: route
        authentication:
          type: scram-sha-512
        tls: true

The pods are running fine, and I created a KafkaUser CR using SCRAM-SHA-512 as follows -

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: scram-user
  labels:
    strimzi.io/cluster: kafka
spec:
  authentication:
    type: scram-sha-512

I have correctly extracted the SCRAM password from the secret and obtained the ca.crt file from the cluster certificate secret. I am trying to follow the Go Sarama code in this example - https://github.com/Shopify/sarama/blob/master/examples/sasl_scram_client/main.go

I have also correctly obtained the bootstrap server address from the OpenShift route, but I can't seem to connect.

go run sarama.go scram_client.go -brokers bootstrap-address:443  -username scram-user -passwd esoy2WksWRBp -topic test-topic -algorithm sha512 -tls true -ca /path/ca.crt

I have tried a few variations of the above command, adding the -certificate-key flag, but none of them seem to work. Is my listener setup wrong?

Edit - forgot to include and mention it, but this is the error I get from the Go Sarama code.

[Sarama] 2021/08/18 09:22:36 Failed to send SASL handshake kafka-broker:443: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 Closed connection to broker kafka-broker:443
[Sarama] 2021/08/18 09:22:36 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 client/metadata no available broker to send metadata request to
[Sarama] 2021/08/18 09:22:36 client/brokers resurrecting 1 dead seed brokers
[Sarama] 2021/08/18 09:22:36 Closing Client
[Producer] 2021/08/18 09:22:36 failed to create producer:  kafka: client has run out of available brokers to talk to (Is your cluster reachable?)
exit status 1

So this looks like a certificate issue, but I seem to have followed the correct instructions to get the certificate. My Kafka broker is just named kafka, so the secret is just named kafka-cluster-ca-cert. The ca.crt file is the path I provide to the Sarama code.

oc get secret kafka-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

Describing the secret, in case it matters -

╰─ oc describe secret kafka-cluster-ca-cert
Name:         kafka-cluster-ca-cert
Namespace:    strimzi
Labels:       app.kubernetes.io/instance=kafka
              app.kubernetes.io/managed-by=strimzi-cluster-operator
              app.kubernetes.io/name=strimzi
              app.kubernetes.io/part-of=strimzi-kafka
              strimzi.io/cluster=kafka
              strimzi.io/kind=Kafka
              strimzi.io/name=strimzi
Annotations:  strimzi.io/ca-cert-generation: 0

Type:  Opaque

Data
====
ca.crt:       1854 bytes
ca.p12:       1687 bytes
ca.password:  12 bytes

1 answer

Anonymous user

So the issue was mostly a command line issue. I had been trying to use the -ca flag, when I should have just used the -certificate flag. I also needed to add the -verify flag. So the command that allowed me to produce used the following -

go run sarama.go scram_client.go -brokers <your-kafka-boostrap-address>:443  -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true

Similarly, the command for consuming

go run sarama.go scram_client.go -brokers <your-kafka-boostrap-address>:443  -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -mode consume -logmsg -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true

Lesson learned, I guess - understand the difference between a CA, a certificate, and a key.
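What the accepted fix changes is the client's trust anchor: with -certificate pointing at the cluster CA and -verify true, the Go TLS client can build a chain from the broker's certificate to that CA, which is exactly what was missing when the "x509: certificate signed by unknown authority" error appeared. The following example, written for this page and not taken from the question, from Sarama or from Strimzi, reproduces both outcomes with the standard library only: it generates a throwaway "cluster CA" and an unrelated CA (constructed test data standing in for the ca.crt in kafka-cluster-ca-cert), issues a broker certificate for a constructed hostname, and then runs the same chain-and-hostname verification crypto/tls performs in the handshake, once against the wrong CA and once against the right one. The hostname kafka-bootstrap.example.test and all certificates are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const brokerHost = "kafka-bootstrap.example.test" // constructed stand-in for the route host

// newTLSConfig is what Sarama's "-tls -certificate ca.crt -verify true" flags
// amount to: the cluster CA is the trust anchor and verification stays on.
func newTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	return &tls.Config{
		RootCAs:            pool,  // -certificate: a CA cert, not a client cert/key pair
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // -verify true: keep chain and hostname checks on
	}, nil
}

// issue generates a P-256 key and signs tmpl with parent; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template is constructed test data: a root CA (stand-in for the cluster CA) or the broker's server cert.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// check trusts only the given CA and runs the chain-and-hostname verification crypto/tls does in the handshake.
func check(trusted, broker *x509.Certificate) error {
	cfg, err := newTLSConfig(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: trusted.Raw}))
	if err == nil {
		_, err = broker.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: brokerHost})
	}
	return err
}

// demo reproduces both outcomes: an unrelated CA as trust anchor gives the
// "x509: certificate signed by unknown authority" error, the issuing cluster CA verifies cleanly.
func demo() (wrongCAErr, clusterCAErr error) {
	clusterCA, clusterKey, err := issue(template("cluster-ca", true), nil, nil)
	if err != nil {
		return err, err
	}
	otherCA, _, err := issue(template("unrelated-ca", true), nil, nil)
	if err != nil {
		return err, err
	}
	broker, _, err := issue(template(brokerHost, false), clusterCA, clusterKey)
	if err != nil {
		return err, err
	}
	return check(otherCA, broker), check(clusterCA, broker)
}

func main() {
	wrong, right := demo()
	fmt.Println("unrelated CA:", wrong, "| cluster CA:", right)
}
```

The tls.Config returned by newTLSConfig is the piece that goes into Sarama's configuration (conf.Net.TLS.Enable = true and conf.Net.TLS.Config = cfg, alongside conf.Net.SASL.Enable, conf.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512 and the SCRAM client generator from the linked example). Note what the -certificate file is in this setup: a CA certificate that the client trusts, not a client certificate, which is why -certificate-key had no role here and why -verify should stay on rather than being worked around with InsecureSkipVerify.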