ingress kafka-cluster-kafka-bootstrap replace external cert #5571

chanvoyage · 2021-09-16T11:08:41Z

chanvoyage
Sep 16, 2021

hello everyone

i have already deploy kafka cluster successfully , Currently i use configuration like picture

my ingress config "ssl-passthrough: true" to use cert in secret on k8s but i want to use own cert in ingress . i don know How to config Please give me advice concerning what to do.

2 . I doubt if I can use own cert and it is possible to re deploy kafka each of component such as kafka connector kafka bridge

Answered by scholzj

Sep 16, 2021

You cannot use ssl-passthrough and ingress certificate at the same time. TLS passthrough means that the connection will be taken as it is and passed to the broker without decrypting it. So it will use the broker certificate. If you disable TLS passthrough and temrinate the TLS connection in the Ingress, you can use your Ingress certificate, but Nginx will figure out that there is not HTTP inside and not route the connection.

So if you want to use your own certificate, you have to configure it in the broker - for example as the listener certificate.

View full answer

scholzj · 2021-09-16T12:11:10Z

scholzj
Sep 16, 2021
Maintainer

You cannot use ssl-passthrough and ingress certificate at the same time. TLS passthrough means that the connection will be taken as it is and passed to the broker without decrypting it. So it will use the broker certificate. If you disable TLS passthrough and temrinate the TLS connection in the Ingress, you can use your Ingress certificate, but Nginx will figure out that there is not HTTP inside and not route the connection.

So if you want to use your own certificate, you have to configure it in the broker - for example as the listener certificate.

4 replies

chanvoyage Sep 20, 2021
Author

because of kafka uses protocol over tpc like document below . Am i correct in thinking that ?

So if you want to use your own certificate, you have to configure it in the broker - for example as the listener certificate.

Ans: If i will configuration external cert like picture , It will be working ?

scholzj Sep 20, 2021
Maintainer

Yes, you can use this to configure your own certificate for the Ingress listener.

chanvoyage Sep 20, 2021
Author

after apply new configuration own ca , i test showcerts and found Verify return code: 21 (unable to verify the first certificate)

========tls.crt ==========

[root@jumphost cert]# cat tls.crt
-----BEGIN CERTIFICATE-----
MIIFozCCBIugAwIBAgITSAAAABEtV+ufgsuZTAAAAAAAETANBgkqhkiG9w0BAQsF
ADBLMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZ3aW50
ZWwxGjAYBgNVBAMTEXdpbnRlbC1TQy1DQTAxLUNBMB4XDTIxMDkyMDA3NDUwOFoX
DTIzMDgwMjIyNDMwNlowgaIxCzAJBgNVBAYTAlRIMRAwDgYDVQQIEwdCQU5HS09L
MRAwDgYDVQQHEwdCQU5HS09LMQ8wDQYDVQQKEwZXSU5URUwxDzANBgNVBAsTBldJ
TlRFTDEmMCQGA1UEAxMda2Fma2EtYm9vdHN0cmFwLmNoYWl5YXBvbi5jb20xJTAj
BgkqhkiG9w0BCQEWFmNoYW52b2F5Z2VAaG90bWFpbC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC0MWYHRCuoX7SN7A8/9+ct2JlFHNE9p1DFAW1A
rxayR7ZPT97XDT/tlgeIE15WlRY8riu7WWP38L1ElCGiGA6xhi8Aj9tauHXnVGYP
SQcfl0ZlS8V712weiDcRZzzb2kylajx8vF49npyqADCbseMP+PZcEbqQyzbzPgGi
cSMtzkVPx4EmTnjopqqYp7dubRxBnAm9W1vX2US6/Mx22C01gdAVHR/6fvNBme0U
ydXDEdg4HcBzFOlexF0VEmAG05VenQzWIUXbv21MlgcmM6zWftfnRizMp9v2JYT5
eJECE06KkP+b6B1oOYRK8VDF57fhSUGDIe/SMZtyA3UnthKlAgMBAAGjggImMIIC
IjAdBgNVHQ4EFgQUbbTO2Hrq9Vh2dbC0AKdCqOvrAkswHwYDVR0jBBgwFoAUQCDW
KuMaTUKTbTLlvxeI/S0BAoMwgdAGA1UdHwSByDCBxTCBwqCBv6CBvIaBuWxkYXA6
Ly8vQ049d2ludGVsLVNDLUNBMDEtQ0EsQ049c2MtY2EwMSxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz13aW50ZWwsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9i
YXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHEBggrBgEFBQcB
AQSBtzCBtDCBsQYIKwYBBQUHMAKGgaRsZGFwOi8vL0NOPXdpbnRlbC1TQy1DQTAx
LUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNl
cyxDTj1Db25maWd1cmF0aW9uLERDPXdpbnRlbCxEQz1sb2NhbD9jQUNlcnRpZmlj
YXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAhBgkr
BgEEAYI3FAIEFB4SAFcAZQBiAFMAZQByAHYAZQByMA4GA1UdDwEB/wQEAwIFoDAT
BgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAILdj2RnaxWvG
pEyPtzlgIGMJWBowlGKUGPJ00Mu23TCpfwX2DCX9vsgB0BxOsWxytF9QJTd+eftI
7v5G2GETFrvVNd65BCcs5YTatoje2drvs6mCSwEMdXCALGp4E7mxsdVgl10KSi7a
wyH0GSHHLTZb2pzdNhPRmHEtt2yZi96AmQ4LvSgmuUh8+M2lfRhhfZcv2MO4NIEZ
LGU8yaw5kQyK+CthEiOlGijb50XPT+4wOghVQ4hp9ipHC8kQgvIEOoIjAAjRFFAN
jua2MQH5/VX8Q0o/OSZ0jKCdAxMaS7g1f0mw1f1kDvtyaEFRMPPtLZpwLMaCgZUx
qv4E4Crmdw==
-----END CERTIFICATE-----

========tls.key ==========

[root@jumphost cert]# cat tls.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0MWYHRCuoX7SN
7A8/9+ct2JlFHNE9p1DFAW1ArxayR7ZPT97XDT/tlgeIE15WlRY8riu7WWP38L1E
lCGiGA6xhi8Aj9tauHXnVGYPSQcfl0ZlS8V712weiDcRZzzb2kylajx8vF49npyq
ADCbseMP+PZcEbqQyzbzPgGicSMtzkVPx4EmTnjopqqYp7dubRxBnAm9W1vX2US6
/Mx22C01gdAVHR/6fvNBme0UydXDEdg4HcBzFOlexF0VEmAG05VenQzWIUXbv21M
lgcmM6zWftfnRizMp9v2JYT5eJECE06KkP+b6B1oOYRK8VDF57fhSUGDIe/SMZty
A3UnthKlAgMBAAECggEAKM1mxQ5ytFW3lMt3SIziFEePrU6xMrzIVVPVYWhEQ2pp
pdv4IcomR65JVk7Mdd6cgnEOBgZf1Kz2rqi8VPANo7U2v3HTwd8zE4bQ9XUb39Np
ZVabCUfme6NslMxDw6TS5kIAIF6nGFzqLLSOTTMir2M4pfB9xnu9nabUx+vGg4Bo
W3LpAoJHvpA0hJj9nQG34CXggaNk+dmWiEXWJQjyAlhmPWU9rEb+taTddmQTpyn3
1dycnKtC8A9wve76y57N0bqYWc5X4rFLaAYhoXppTijLxi1p46NsmtkoiFOiyxJA
9j9YqeRdh0IsknIFT16YYYaIt3ek1F6oI3ZILX+XoQKBgQDiLCie6z6zKsKKbD+4
fKsuPI0yDJeLcPIqaB1TSDvd0A6TfQKf7nb0fnbuuDgQ6XElz8PZ91mzPWEJ21MX
V/9LPteU2Rex8qD26eOd/hSmF0W5y8CsFBCOZOafSkbzQD8bh47REg/m044+2J1y
i+J+8fevzViVVdKdrvDFMTq87wKBgQDL9OsfsAiOqb5CUOH0Wj047Kt3pag8pU5T
AwfMWYvEF5LUcCjwFMh2DpBg114eor4b/BQG5HrFC/TE2WybKlEFhrdbNRcSuD6m
htPq43Z5SBaVOU9nT1bZrDIBHy6qD9pXBcNoercaFtAwzdl2JYc6UBRBkD4rfqgx
wORki/IRqwKBgAx8Z5muXv3BJJBDvZjPuRuKWDklHNCj4ZqZuNS6LiPmsodN5XEy
1vpUaPhwzxeP66EswSEtWJRelRbYNtQZFYzv4TLkcTxvqpc2/kvglP8+VakWKILX
cLqLs3ejwBr5twIsD6RXHO2fTEEH8Fk8g7qCXSwlZ/iGjmQKHlykhRudAoGBALk6
alrx5SOjdv4FNOBVH+rVzfewg/Tn8BUl2Gw3Gt7wxdGXNyaqyU+mdGruzTSnel4x
9gI4eGMCM76e86qLqN+K9HSp55WBrKxSIJ3fDFajKJdHYBykCm1PnG42YoviL9n+
ivQVFrtj4pmgKZHKDWDhHzRYCo43zgq5cvL5wdNXAoGBAJm1gEUlR2z/WgcWi2aQ
ZXEnQ3n0RXsJYwiJAkwBM6H/NTAF0cgkt5pEdFYA9IcbfrNOg4wVEA8Z09jILxu5
dHr0pj6VC2djF8pAD7yq//GR9cgtUag7jDJ2fNRkIG+1xaybngZ/C13VrFJOAqvQ
OhYCptzuMF0nMvC8ek7P1GnM
-----END PRIVATE KEY-----

showcert.txt

scholzj Sep 20, 2021
Maintainer

Well, that is expected as long as you are not using a certificate signed by a trusted public CA which yours doesn't see to be on a first look. Also, you have configured TLS client authentication => so you will need to provide a user certificate for authentication.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

ingress kafka-cluster-kafka-bootstrap replace external cert #5571

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strimzi

ingress kafka-cluster-kafka-bootstrap replace external cert #5571

Uh oh!

Uh oh!

chanvoyage Sep 16, 2021

Replies: 1 comment · 4 replies

Uh oh!

scholzj Sep 16, 2021 Maintainer

Uh oh!

chanvoyage Sep 20, 2021 Author

Uh oh!

scholzj Sep 20, 2021 Maintainer

Uh oh!

Uh oh!

chanvoyage Sep 20, 2021 Author

Uh oh!

scholzj Sep 20, 2021 Maintainer

chanvoyage
Sep 16, 2021

Replies: 1 comment 4 replies

scholzj
Sep 16, 2021
Maintainer

chanvoyage Sep 20, 2021
Author

scholzj Sep 20, 2021
Maintainer

chanvoyage Sep 20, 2021
Author

scholzj Sep 20, 2021
Maintainer