strimzi-kafka-oauth

export certificate and package it in client truststore

Open surfdog opened this issue 4 years ago • 5 comments

Hello,

I am working through the steps in this blog post: Kafka authentication using OAuth 2.0

When I get to the step to export the client cert and package it in client truststore, it fails with error:

Invalid character in input stream.

The command follows:

kubectl get secret my-cluster-cluster-ca-cert -n kafka -o yaml \
  | grep ca.crt | awk '{print $2}' | base64 --decode > kafka.crt

# inspect the certificate
# openssl x509 -text -noout -in kafka.crt

Thank you.

Nov 03 '20 00:11 surfdog

I was able to manipulate/break down the command to get a valid cert established, so consider this issue just an opportunity to correct the blog entry, if desired.

Nov 03 '20 02:11 surfdog

TBH, I'm not sure I follow. Did this command fail for you?

kubectl get secret my-cluster-cluster-ca-cert -n kafka -o yaml \
  | grep ca.crt | awk '{print $2}' | base64 --decode > kafka.crt

or which one? If this one failed for you, what was the one which worked for you?

CC @mstruk

Nov 03 '20 09:11 scholzj

Sounds like the input to base64 contained a character outside base64 valid ascii range, possibly a newline char?

Nov 03 '20 10:11 mstruk

kubectl get secret my-cluster-cluster-ca-cert -n kafka -o yaml | grep ca.crt

Returns:

[...] f:ca.crt: {}

That last bit was the problem. f:ca.crt: {}

Nov 03 '20 15:11 surfdog

Ahh, that is the server side apply 🙄

I guess this might work better:

kubectl get secret my-cluster-cluster-ca-cert -o jsonpath='{.data.ca\.crt}'

@mstruk Up to you if you want to update the blog post

Nov 03 '20 19:11 scholzj
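An added example, not part of the thread or the blog post: it reproduces offline why the unanchored `grep ca.crt` picks up the `f:ca.crt: {}` entry, and shows an anchored extraction that also checks the decoded bytes are PEM before they go anywhere near a truststore. The sample YAML, the placeholder certificate body, the manager name and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----'

# Constructed stand-in for `kubectl get secret my-cluster-cluster-ca-cert -n kafka -o yaml`
# on a cluster where server-side apply records field ownership in managedFields.
sample_secret_yaml() {
  b64=$(printf '%s\n' "$SAMPLE_PEM" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
data:
  ca.crt: $b64
kind: Secret
metadata:
  managedFields:
  - fieldsType: FieldsV1
    fieldsV1:
      f:data:
        f:ca.crt: {}
    manager: example-manager
  name: my-cluster-cluster-ca-cert
  namespace: kafka
EOF
}

# The pipeline from the issue: the unanchored grep also matches "f:ca.crt: {}".
fragile_tokens() { grep ca.crt | awk '{print $2}'; }

# Anchored extraction: only the ca.crt key directly under the top-level data: map.
extract_ca_b64() {
  awk '/^[^ ]/ { in_data = ($1 == "data:") }
       in_data && $1 == "ca.crt:" { print $2 }'
}

# Decode and refuse to emit anything that is not PEM, so a bad extraction
# never ends up in the truststore input file.
decode_ca() {
  out=$(extract_ca_b64 | base64 --decode) || return 1
  case $out in
    "-----BEGIN CERTIFICATE-----"*) printf '%s\n' "$out" ;;
    *) echo "decoded data is not a PEM certificate" >&2; return 1 ;;
  esac
}

echo "tokens from the fragile pipeline:"; sample_secret_yaml | fragile_tokens
echo "anchored extraction decodes to:";   sample_secret_yaml | decode_ca
```

Against a live cluster, the `jsonpath` query suggested above avoids parsing YAML text at all; the PEM check in `decode_ca` still applies to its decoded output.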