
Using docker and passing a truststore/keystore in the container

Open Tzaphkiel opened this issue 4 years ago • 4 comments

I would like to use a locally stored keystore/truststore and pass it to the docker container so I can then run kafkacat with the enterprise SSL CA chain for example.

docker run --rm --network=host edenhill/kafkacat:1.5.0 kafkacat \
  -b "mybrokers:ports, ..." \
  -X security.protocol=SSL \
  -v -L -d broker,metadata,topic

like it is possible for kafdrop: https://github.com/obsidiandynamics/kafdrop#using-docker

Is this possible? I've searched the docs and issues for a while but could not find it...

Tzaphkiel avatar Jul 02 '20 10:07 Tzaphkiel

Truststores and Keystores are Java concepts, while kafkacat uses OpenSSL which expects PEM files, etc.

Use keytool to extract certs from your trust and keystores and pass them as -X ssl.certificate.location=.. etc. https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka

edenhill avatar Jul 02 '20 10:07 edenhill

You are right about Java, my mistake. I'm however confused by the passing of a certificate to kafkacat: does that include own CAs' certificates as well, or just the client certificate used for authentication to the brokers? Also, should I be able to use a .jks store (openssl) and pass it, or (https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka#configure-broker)?

Tzaphkiel avatar Jul 02 '20 10:07 Tzaphkiel

See https://github.com/edenhill/librdkafka/blob/master/INTRODUCTION.md#ssl

ssl.ca.location is used by the client to verify the broker's certificate
ssl.certificate.location is the client's public key
ssl.key.location is the client's private key

None or not all of these need to be used, based on your broker config.


edenhill avatar Jul 02 '20 10:07 edenhill
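The workflow described in the answers above, written out as an added example (not code from the kafkacat project or from anyone in this thread): the Java stores are converted to PEM files with keytool/openssl, the PEM directory is bind-mounted into the container, and only the ssl.* options for files that actually exist are passed, since not every broker setup needs all three. The truststore alias "kafka-ca", the ./certs layout (ca.pem, cert.pem, key.pem) and the /certs mount path are assumptions.

```shell
# Export the CA certificate from a Java truststore to PEM (needs keytool).
export_truststore_ca() {  # <truststore.jks> <storepass> <alias> <out.pem>
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Export client certificate and private key from a PKCS12 keystore (needs openssl).
# A JKS keystore must first be converted:
#   keytool -importkeystore -srckeystore x.jks -destkeystore x.p12 -deststoretype PKCS12
export_keystore_client() {  # <keystore.p12> <storepass> <cert.pem> <key.pem>
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
}

# Print the -X ssl.* options for the PEM files present in the local dir $1,
# rewritten to the in-container mount path $2. Missing files are skipped:
# a server-auth-only broker needs just the CA, mTLS needs cert and key too.
kcat_ssl_args() {  # <local certs dir> <mount path>
  [ -f "$1/ca.pem" ]   && printf ' -X ssl.ca.location=%s/ca.pem' "$2"
  [ -f "$1/cert.pem" ] && printf ' -X ssl.certificate.location=%s/cert.pem' "$2"
  [ -f "$1/key.pem" ]  && printf ' -X ssl.key.location=%s/key.pem' "$2"
  return 0
}

# Assemble the docker command: mount the PEM dir read-only and point kafkacat at it.
kcat_docker_cmd() {  # <brokers> <local certs dir>
  printf 'docker run --rm --network=host -v %s:/certs:ro edenhill/kafkacat:1.5.0 kafkacat -b %s -X security.protocol=SSL%s -L' \
    "$2" "$1" "$(kcat_ssl_args "$2" /certs)"
}

# Example (assumed paths): export_truststore_ca truststore.jks changeit kafka-ca ./certs/ca.pem
# then run: eval "$(kcat_docker_cmd 'mybroker:9093' "$PWD/certs")"
```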

Your links to the librdkafka for SSL would be a nice addition to the main README.md since I also made the same mistake trying to use my truststore information to connect via kafkacat.

dgersh avatar Jul 02 '20 11:07 dgersh