
[bitnami/schema-registry] Cannot connect using ssl

Open · buuhvprojects opened this issue 1 year ago · 1 comment

Name and Version

bitnami/schema-registry:7.4

What architecture are you using?

None

What steps will reproduce the bug?

Docker-compose configuration (excerpt of the `services:` section):

```yaml
  zookeeper:
    image: bitnami/zookeeper:3.7.0
    container_name: zookeeper
    env_file:
      - .env
    environment:
      - ZOO_ENABLE_AUTH=yes
      - ZOO_SERVER_USERS=${KAFKA_USERNAME}
      - ZOO_SERVER_PASSWORDS=${KAFKA_PASSWORD}
      - ZOO_CLIENT_USER=${KAFKA_USERNAME}
      - ZOO_CLIENT_PASSWORD=${KAFKA_PASSWORD}
    ports:
      - "2181:2181"
    networks:
      - kafkanet
    volumes:
      - zookeeper_data:/bitnami/zookeeper

  schema-registry:
    image: bitnami/schema-registry:7.4
    ports:
      - '8081:8081'
      - '8082:8082'
    env_file:
      - .env
    networks:
      - kafkanet
    environment:
      - SCHEMA_REGISTRY_KAFKA_BROKERS=PLAINTEXT://${KAFKA_HOST_0}:29092,PLAINTEXT://${KAFKA_HOST_1}:29093
      - SCHEMA_REGISTRY_HOST_NAME=schema-registry
      - SCHEMA_REGISTRY_LISTENERS=http://0.0.0.0:8081,https://0.0.0.0:8082
      - SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_CLIENT_AUTHENTICATION=REQUESTED
      - SCHEMA_REGISTRY_ADVERTISED_HOSTNAME=schema-registry
      - SCHEMA_REGISTRY_KAFKA_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_KAFKA_KEY_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_KEY_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=none
    volumes:
      - ./certs/kafka.client.keystore.jks:/opt/bitnami/schema-registry/certs/ssl.keystore.jks
      - ./certs/kafka.client.truststore.jks:/opt/bitnami/schema-registry/certs/ssl.truststore.jks

  kafka-0:
    image: bitnami/kafka:2.8.1
    container_name: kafka-0
    depends_on:
      - zookeeper
    env_file:
      - .env
    networks:
      - kafkanet
    ports:
      - "29092:29092"
    environment:
      # Zookeeper credentials
      - KAFKA_ZOOKEEPER_PROTOCOL=SASL
      - KAFKA_ZOOKEEPER_USER=${KAFKA_USERNAME}
      - KAFKA_ZOOKEEPER_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_ZOOKEEPER_CONNECT=${ZOOKEEPER_HOST}:2181
      - KAFKA_CFG_BROKER_ID=0
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SSL,EXTERNAL:SSL
      - KAFKA_CFG_LISTENERS=INTERNAL://kafka-0:9092,EXTERNAL://0.0.0.0:29092
      - KAFKA_CFG_ADVERTISED_LISTENERS=INTERNAL://kafka-0:9092,EXTERNAL://${KAFKA_HOST}:29092
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=INTERNAL
      - KAFKA_CFG_SSL_KEYSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.keystore.jks
      - KAFKA_CFG_SSL_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SSL_TRUSTSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
      - KAFKA_CFG_SSL_TRUSTSTORE_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SSL_KEY_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
      - KAFKA_CFG_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="${KAFKA_USERNAME}" password="${KAFKA_PASSWORD}";
      - KAFKA_CFG_SECURITY_PROTOCOL=SSL
      - ALLOW_PLAINTEXT_LISTENER=yes
      - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=false
      - KAFKA_CFG_LOG_RETENTION_MS=${KAFKA_CFG_LOG_RETENTION_MS}
      - KAFKA_CFG_MAX_REQUEST_SIZE=${KAFKA_CFG_MAX_REQUEST_SIZE}
      - KAFKA_CFG_MESSAGE_MAX_BYTES=${KAFKA_CFG_MESSAGE_MAX_BYTES}
      - KAFKA_CFG_MIN_INSYNC_REPLICAS=2
      - KAFKA_CFG_UNCLEAN_LEADER_ELECTION_ENABLE=false
      - KAFKA_CFG_DEFAULT_REPLICATION_FACTOR=3
      - KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR=3
      - KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR=3
      - KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR=2
    volumes:
      - ./certs/ca-cert.pem:/opt/bitnami/kafka/config/certs/ca-cert.pem
      - ./certs/ca-cert.srl:/opt/bitnami/kafka/config/certs/ca-cert.srl
      - ./certs/ca-key.pem:/opt/bitnami/kafka/config/certs/ca-key.pem
      - ./certs/client.crt.pem:/opt/bitnami/kafka/config/certs/client.crt.pem
      - ./certs/client.csr.pem:/opt/bitnami/kafka/config/certs/client.csr.pem
      - ./certs/client.properties:/opt/bitnami/kafka/config/certs/client.properties
      - ./certs/kafka-0.crt.pem:/opt/bitnami/kafka/config/certs/kafka-0.crt.pem
      - ./certs/kafka-0.csr.pem:/opt/bitnami/kafka/config/certs/kafka-0.csr.pem
      - ./certs/kafka-0.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks
      - ./certs/kafka-0.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks
      - kafka_data_0:/bitnami/kafka
```

What is the expected behavior?

No response

What do you see instead?

I use images from bitnami. My zookeeper is configured with user and pass. My cluster has 2 nodes, broker0 and broker1, both with a certificate for auth in kafka.

My kafka ui, also from provectuslabs/kafka-ui, can connect to the broker using the keystore and truststore.

However, the schema-registry does not connect. I noticed that the schema registry README is also wrong, because the correct path for the volume is /opt/bitnami/schema-registry/certs/ssl.keystore.jks:ro and not /opt/bitnami/schema-registry/certs/keystore.jks:ro.

Additional information

No response

buuhvprojects · Aug 25 '24 04:08
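An added consistency check, not part of the issue or of the bitnami images: it reads the `environment` entries of a compose excerpt, derives each broker port's security protocol from KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP and KAFKA_CFG_LISTENERS, compares that with the URL schemes in SCHEMA_REGISTRY_KAFKA_BROKERS, and flags a disabled hostname check. The excerpt it parses is a constructed copy of the settings above with the `${...}` host variables replaced by literal service names; it assumes the listed broker is the one whose listeners are shown.

```python
import re

# Constructed excerpt of the compose environment entries from the issue,
# with ${KAFKA_HOST_0}/${KAFKA_HOST_1} replaced by literal names (assumption).
COMPOSE_EXCERPT = """
  schema-registry:
    environment:
      - SCHEMA_REGISTRY_KAFKA_BROKERS=PLAINTEXT://kafka-0:29092,PLAINTEXT://kafka-1:29093
      - SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=none
  kafka-0:
    environment:
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SSL,EXTERNAL:SSL
      - KAFKA_CFG_LISTENERS=INTERNAL://kafka-0:9092,EXTERNAL://0.0.0.0:29092
"""

ENV_RE = re.compile(r"^\s*-\s*([A-Z0-9_]+)=(.*)$")


def parse_env(text):
    """Collect KEY=VALUE pairs from '- KEY=VALUE' list items into a dict."""
    env = {}
    for line in text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def broker_protocols(env):
    """Map each broker listener port to its security protocol (e.g. {'29092': 'SSL'})."""
    proto = dict(p.split(":", 1) for p in env["KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP"].split(","))
    ports = {}
    for listener in env["KAFKA_CFG_LISTENERS"].split(","):
        name, hostport = listener.split("://", 1)
        ports[hostport.rsplit(":", 1)[1]] = proto[name]
    return ports


def check_schema_registry(env):
    """Return findings: URL schemes that disagree with the broker port's protocol,
    plus a note when TLS hostname verification is switched off."""
    findings = []
    ports = broker_protocols(env)
    for url in env["SCHEMA_REGISTRY_KAFKA_BROKERS"].split(","):
        scheme, hostport = url.split("://", 1)
        port = hostport.rsplit(":", 1)[1]
        expected = ports.get(port)  # None for ports not served by this broker
        if expected and expected != scheme:
            findings.append(f"{url}: scheme {scheme} but broker port {port} is {expected}")
    if env.get("SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM", "").lower() == "none":
        findings.append("hostname verification disabled (ssl.endpoint.identification.algorithm=none)")
    return findings
```

Run it against a full compose file by reading the file into `parse_env`; ports the parsed broker does not serve (29093 here) are skipped rather than reported.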