I am trying to connect to an MSK cluster through a Route 53 DNS CNAME record that points at the Amazon-provided DNS record.
AWS MSK DNS: b-1.msksandbox.nrfnuy.c42.kafka.us-east-1.amazonaws.com
DNS name I need to use: b-1.msk.sandbox.internal.company.com
The error I get:
Error while executing topic command : SSL handshake failed
ERROR org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching b-1.msk.sandbox.internal.company.com found.
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching b-1.msk.sandbox.internal.company.com found.
When I look at the server certificate, it says
Server certificate
subject=CN = *.msksandbox.nrfnuy.c42.kafka.us-east-1.amazonaws.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
I would like to know whether it is possible to get Route 53 and MSK working together (I am using IAM authentication).
I searched around for a way to bootstrap Kafka clients with vanity DNS names instead of the AWS-generated MSK broker DNS names.
My team and I finally came up with a solution after piecing together information from different sources. Here is our solution.
For each MSK broker:
The MSK broker IP addresses are the A records of their DNS names.
This is the Terraform configuration. I hope it helps:
locals {
  msk_scram_addrs = split(",", aws_msk_cluster.myclust.bootstrap_brokers_sasl_scram)
  msk_scram_hosts = toset([for x in local.msk_scram_addrs : split(":", x)[0]])

  # b-1, b-2, b-3, ...
  broker_short_names = toset([
    for a in data.dns_a_record_set.myclust_scram_brokers :
    split(".", a.host)[0]
  ])
}

data "dns_a_record_set" "myclust_scram_brokers" {
  for_each = local.msk_scram_hosts
  host     = each.value

  depends_on = [
    aws_msk_cluster.myclust
  ]
}

resource "aws_lb" "msk_broker" {
  for_each = local.broker_short_names

  name               = each.value
  tags               = [...]
  internal           = false
  subnets            = local.aws_vpc_public_subnets
  load_balancer_type = "network"
  idle_timeout       = 3600

  timeouts {
    create = "20m"
  }
}

resource "aws_lb_target_group" "msk_broker_scram_public" {
  for_each = local.broker_short_names

  name = each.value
  tags = [...]

  # https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
  protocol    = "TLS"
  vpc_id      = local.aws_vpc_id
  target_type = "ip" # Targets the Kafka broker by IP address.
  port        = 9196

  lifecycle {
    create_before_destroy = true
  }

  depends_on = [
    aws_lb.msk_broker
  ]
}

resource "aws_lb_target_group_attachment" "msk_broker_scram_public" {
  for_each = {
    for a in data.dns_a_record_set.myclust_scram_brokers : split(".", a.host)[0] => a.addrs[0]
  }

  target_group_arn = aws_lb_target_group.msk_broker_scram_public[each.key].arn
  target_id        = each.value # This is the Kafka broker IP address.
}

resource "aws_lb_listener" "msk_bootstrap_public" {
  for_each = local.broker_short_names

  # https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
  protocol          = "TLS"
  port              = 9196
  certificate_arn   = module.msk_lb_cert[each.value].acm_cert.arn
  load_balancer_arn = aws_lb.msk_broker[each.value].arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.msk_broker_scram_public[each.value].arn
  }

  lifecycle {
    create_before_destroy = true
  }
}

module "msk_lb_cert" {
  source   = "../certificates"
  for_each = local.broker_short_names

  org_public_zone_id = local.org_zone_id
  io_public_zone_id  = data.aws_route53_zone.io_public.zone_id
  org_domain_name    = "${each.value}.${local.params.msk_org_domain}"
  vanity_domain_names = [
    "${each.value}.${local.params.msk_vanity_domain}"
  ]

  resource_health_check = false
  resource_domain_name  = aws_lb.msk_broker[each.value].dns_name
  resource_zone_id      = aws_lb.msk_broker[each.value].zone_id

  providers = {
    aws.org_zone = aws.org
    aws.io_zone  = aws.io
  }
}
You can achieve this with an NLB. You then attach the certificate to the NLB. Your certificate terminates at the NLB. The connection between the NLB and MSK will use the MSK certificate.
Custom domain names are not currently supported.
To achieve a custom domain name with R53 and a certificate, you need to terminate the certificate at the NLB, and then the target group will create the connection to the broker's ……… IP address, because in the target group you can only specify an IP, not the broker's domain name. The SSL connection between the NLB and the broker will fail because the broker's IP address is not added to the certificate deployed on the broker side, so the NLB will not trust that connection.
The only workable way is to use a PLAINTEXT connection (port 9092) between the NLB and MSK. But that is not secure, and this approach is not recommended.
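The handshake failure in the question, and the point made in the last answer about an IP target, both come down to how a TLS client matches the name it connected to against the certificate's subject alternative names. The following is an added example (not code from any of the posts) that applies the usual hostname-matching rules to the names quoted on this page; the SAN list and the broker IP are constructed assumptions.

```python
import ipaddress
from typing import Dict, List


def _label_matches(pattern: str, label: str) -> bool:
    """One DNS label against one SAN label; '*' must be the whole label."""
    if pattern == "*":
        return True
    if "*" in pattern:          # partial wildcards like "b-*" are not honoured
        return False
    return pattern == label


def hostname_matches_san(hostname: str, san_dns_names: List[str]) -> bool:
    """True if hostname is covered by one dNSName SAN (RFC 6125 style rules).

    A wildcard may only be the entire leftmost label and matches exactly one
    label, and an IP literal never matches a dNSName entry, which is why a
    CNAME does not help: the client still verifies the name it dialled.
    """
    try:
        ipaddress.ip_address(hostname)
        return False            # an IP target would need an iPAddress SAN
    except ValueError:
        pass
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue            # a wildcard never spans more than one label
        if "*" in san_labels[1:] or (san_labels[0] == "*" and len(san_labels) < 3):
            continue            # wildcard only in the leftmost label, not "*.com"
        if all(_label_matches(p, h) for p, h in zip(san_labels, host_labels)):
            return True
    return False


# Constructed from the names quoted in the question; the SAN list is assumed to
# hold only the wildcard CN shown in the server certificate output.
MSK_SERVER_SANS = ["*.msksandbox.nrfnuy.c42.kafka.us-east-1.amazonaws.com"]
AWS_BROKER_NAME = "b-1.msksandbox.nrfnuy.c42.kafka.us-east-1.amazonaws.com"
VANITY_BROKER_NAME = "b-1.msk.sandbox.internal.company.com"
BROKER_IP_EXAMPLE = "10.0.1.25"  # constructed placeholder for an NLB target IP


def explain_handshake_outcomes() -> Dict[str, bool]:
    """Map each dialled name to whether the MSK certificate would verify."""
    return {n: hostname_matches_san(n, MSK_SERVER_SANS)
            for n in (AWS_BROKER_NAME, VANITY_BROKER_NAME, BROKER_IP_EXAMPLE)}


if __name__ == "__main__":
    for name, ok in explain_handshake_outcomes().items():
        print(f"{name:60} -> {'matches' if ok else 'no SAN match'}")
```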