mTLS using ingress tries to use broker #9201
Using Strimzi 36.1 & Kubernetes, I have configured the ingress using nginx for an external client. All worked well. I have enabled the use of my own certificates on the listener, and the client handshakes and connects, putting the message on the topic just fine. I have enabled mTLS using the Strimzi-generated certificate following Section 9.3 of the documentation. Using `-Djavax.net.debug=all` when running the client, all of the SSL handshake seems to work without error. When the client attempts to send the message to the topic, a Java error occurs: `UnknownHostException: -kafka-1.ingress.com: Name or service not found`. I am not sure why it is suddenly trying to go directly to the broker. The initial command to run the client uses brokerConnection as `-kafka-bootstrap.ingress.com:443`.
Replies: 1 comment 5 replies
This is how the Kafka protocol works. The clients always require a direct connection to the individual brokers to produce / consume messages from the partition replicas that have a leader on the given broker. Some more details are in this blog post series: https://strimzi.io/blog/2019/04/17/accessing-kafka-part-1/. In your case it seems the DNS for the per-broker Ingress resources is not configured properly and you would need to fix it.
Ok. It might be that when you ran the producer before, it was sending the messages only to the `kafka-0` broker and therefore it worked. This could happen - for example, the message key might define to which partition it is sent and all messages with the same key would go to the same broker etc.
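
The behaviour described in the replies above, as an added example that is not part of the thread or of Strimzi: it takes the per-broker addresses a client would learn from the bootstrap metadata and reports which partitions have a leader whose host name does not resolve. The host names, partition layout and `fake_resolver` are constructed placeholders; pass `socket.getaddrinfo` (the default) to check real DNS.

```python
import socket

# Constructed sample of what the bootstrap metadata tells the client.
# Host names are placeholders, not the ones from the thread.
ADVERTISED = {0: ("kafka-0.ingress.example", 443),
              1: ("kafka-1.ingress.example", 443),
              2: ("kafka-2.ingress.example", 443)}
PARTITION_LEADERS = {0: 0, 1: 1, 2: 2, 3: 0}  # partition -> leader broker id


def resolve(host, port, resolver=socket.getaddrinfo):
    """Return the sorted IPs for host, or None if the DNS lookup fails."""
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def unreachable_partitions(advertised, leaders, resolver=socket.getaddrinfo):
    """Map each partition whose leader's advertised host does not resolve
    to that host name. An empty dict means every leader is resolvable."""
    cache, broken = {}, {}
    for partition, broker_id in sorted(leaders.items()):
        host, port = advertised[broker_id]
        if host not in cache:
            cache[host] = resolve(host, port, resolver)
        if cache[host] is None:
            broken[partition] = host
    return broken


def fake_resolver(host, port, proto=0):
    """Constructed resolver: only the broker-0 DNS record exists."""
    if host == "kafka-0.ingress.example":
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "",
                 ("192.0.2.10", port))]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    result = unreachable_partitions(ADVERTISED, PARTITION_LEADERS, fake_resolver)
    for partition, host in result.items():
        print(f"partition {partition}: leader host {host} does not resolve")
```

With only the broker-0 record present, messages that land on partitions 0 and 3 succeed while partitions 1 and 2 fail, which matches a producer that worked until a message was routed to another broker.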