osowski · June 3, 2021 18:10
diff --git a/confluent-external-config.properties b/confluent-external-config.properties
 bootstrap.servers=kafka.{kubernetes-cluster-fully-qualified-domain-name}:443
 sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
 security.protocol=SASL_SSL
 sasl.mechanism=PLAIN
 ssl.truststore.location={/provided/to/you/by/the/kafka/administrator}
 ssl.truststore.password={__provided_to_you_by_the_kafka_administrator__}
diff --git a/confluent-internal-config.properties b/confluent-internal-config.properties
 bootstrap.servers=kafka.{namespace}.svc.cluster.local:9071
 sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
 security.protocol=SASL_PLAINTEXT
 sasl.mechanism=PLAIN
diff --git a/ibm-external-config.properties b/ibm-external-config.properties
 bootstrap.servers=broker-0-{cluster-id}.kafka.{service-name}.eventstreams.cloud.ibm.com:9093,…,broker-5-{cluster-id}.kafka.{service-name}.eventstreams.cloud.ibm.com:9093
 sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
 security.protocol=SASL_SSL
 sasl.mechanism=PLAIN
diff --git a/kafka-cluster-listeners-patch.yaml b/kafka-cluster-listeners-patch.yaml
 listeners:
  - name: plain
    port: 9092
    type: internal
    tls: false
  - name: tls
    port: 9093
    type: internal
    tls: true
  - name: external
    port: 9094
    type: route
    tls: true
    authentication:
      type: scram-sha-512
diff --git a/kafka-quickstart-scenario-01.sh b/kafka-quickstart-scenario-01.sh
 curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
 tar xvf kafka.tgz
 cd kafka_2.13–2.6.1
diff --git a/kafka-quickstart-scenario-02.sh b/kafka-quickstart-scenario-02.sh
 oc project kafka-security
diff --git a/kafka-quickstart-scenario-03.sh b/kafka-quickstart-scenario-03.sh
 export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
 export CONFIG_FILE=local-config.properties
 rm -f ${CONFIG_FILE}
diff --git a/kafka-quickstart-scenario-04.sh b/kafka-quickstart-scenario-04.sh
 echo "sasl.jaas.config=$(oc get secret my-user -o json | jq -r '.data["sasl.jaas.config"]' | base64 -d -)" >> ${CONFIG_FILE}
 echo "sasl.mechanism=SCRAM-SHA-512" >> ${CONFIG_FILE}
 echo "security.protocol=SASL_SSL" >> ${CONFIG_FILE}
diff --git a/kafka-quickstart-scenario-05.sh b/kafka-quickstart-scenario-05.sh
 oc extract secret/my-cluster-cluster-ca-cert --confirm --keys=ca.crt
 keytool -keystore cluster-ca.jks -import -file ca.crt \
        -storepass my-cluster-password -noprompt
 rm -f ca.crt
diff --git a/kafka-quickstart-scenario-06.sh b/kafka-quickstart-scenario-06.sh
 echo "ssl.truststore.location=$(pwd)/cluster-ca.jks" >> ${CONFIG_FILE}
 echo "ssl.truststore.password=my-cluster-password" >> ${CONFIG_FILE}
diff --git a/kafka-quickstart-scenario-07.sh b/kafka-quickstart-scenario-07.sh
 bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
 --command-config ${CONFIG_FILE} --list
diff --git a/kafka-quickstart-scenario-08.sh b/kafka-quickstart-scenario-08.sh
 bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
  --producer.config ${CONFIG_FILE} --topic my-topic
diff --git a/kafka-quickstart-scenario-09.sh b/kafka-quickstart-scenario-09.sh
 bin/kafka-console-consumer.sh --bootstrap-server ${BOOTSTRAP} \
  --consumer.config ${CONFIG_FILE} --topic my-topic --from-beginning
diff --git a/kafka-quickstart-scenario-all.sh b/kafka-quickstart-scenario-all.sh
 curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
 tar xvf kafka.tgz
 cd kafka_2.13–2.6.1

 oc project kafka-security

 export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
 export CONFIG_FILE=local-config.properties

 rm -f ${CONFIG_FILE}

 echo "sasl.jaas.config=$(oc get secret my-user -o json | jq -r '.data["sasl.jaas.config"]' | base64 -d -)" >> ${CONFIG_FILE}
 echo "sasl.mechanism=SCRAM-SHA-512" >> ${CONFIG_FILE}
 echo "security.protocol=SASL_SSL" >> ${CONFIG_FILE}

 oc extract secret/my-cluster-cluster-ca-cert --confirm --keys=ca.crt
 keytool -keystore cluster-ca.jks -import -file ca.crt \
        -storepass my-cluster-password -noprompt
 rm -f ca.crt

 echo "ssl.truststore.location=$(pwd)/cluster-ca.jks" >> ${CONFIG_FILE}
 echo "ssl.truststore.password=my-cluster-password" >> ${CONFIG_FILE}

 bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
 --command-config ${CONFIG_FILE} --list
diff --git a/keytool.sh b/keytool.sh
 keytool -exportcert -keypass {truststore-password} \ 
        -keystore {provided-kafka-truststore.jks}  \ 
        -rfc -file {desired-kafka-cert-output.pem}
diff --git a/strimzi-external-config.properties b/strimzi-external-config.properties
 bootstrap.servers={kafka-cluster-name}-kafka-bootstrap-{namespace}.{kubernetes-cluster-fully-qualified-domain-name}:443
 security.protocol=SASL_SSL
 sasl.mechanism=SCRAM-SHA-512
 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="{USERNAME}" password="{PASSWORD}";
 ssl.truststore.location={/provided/to/you/by/the/kafka/administrator}
 ssl.truststore.password={__provided_to_you_by_the_kafka_administrator__}
diff --git a/strimzi-internal-config.properties b/strimzi-internal-config.properties
 bootstrap.servers={kafka-cluster-name}-kafka-bootstrap.{namespace}.svc.cluster.local:9093
 security.protocol = SASL_PLAINTEXT
 sasl.mechanism = SCRAM-SHA-512
 sasl.jaas.config = org.apache.kafka.common.security.scram.ScramLoginModule required username="{USERNAME}" password="{PASSWORD}";
	bootstrap.servers=kafka.{kubernetes-cluster-fully-qualified-domain-name}:443
	sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
	security.protocol=SASL_SSL
	sasl.mechanism=PLAIN
	ssl.truststore.location={/provided/to/you/by/the/kafka/administrator}
	ssl.truststore.password={__provided_to_you_by_the_kafka_administrator__}
	bootstrap.servers=kafka.{namespace}.svc.cluster.local:9071
	sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
	security.protocol=SASL_PLAINTEXT
	sasl.mechanism=PLAIN
	bootstrap.servers=broker-0-{cluster-id}.kafka.{service-name}.eventstreams.cloud.ibm.com:9093,…,broker-5-{cluster-id}.kafka.{service-name}.eventstreams.cloud.ibm.com:9093
	sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{USERNAME}" password="{PASSWORD}";
	security.protocol=SASL_SSL
	sasl.mechanism=PLAIN
	listeners:
	- name: plain
	port: 9092
	type: internal
	tls: false
	- name: tls
	port: 9093
	type: internal
	tls: true
	- name: external
	port: 9094
	type: route
	tls: true
	authentication:
	type: scram-sha-512
	curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
	tar xvf kafka.tgz
	cd kafka_2.13–2.6.1
	export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
	export CONFIG_FILE=local-config.properties
	rm -f ${CONFIG_FILE}
	echo "sasl.jaas.config=$(oc get secret my-user -o json \| jq -r '.data["sasl.jaas.config"]' \| base64 -d -)" >> ${CONFIG_FILE}
	echo "sasl.mechanism=SCRAM-SHA-512" >> ${CONFIG_FILE}
	echo "security.protocol=SASL_SSL" >> ${CONFIG_FILE}
	oc extract secret/my-cluster-cluster-ca-cert --confirm --keys=ca.crt
	keytool -keystore cluster-ca.jks -import -file ca.crt \
	-storepass my-cluster-password -noprompt
	rm -f ca.crt
	echo "ssl.truststore.location=$(pwd)/cluster-ca.jks" >> ${CONFIG_FILE}
	echo "ssl.truststore.password=my-cluster-password" >> ${CONFIG_FILE}
	bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
	--command-config ${CONFIG_FILE} --list