Change http.kafka.oneway example use sasl ssl (#154)

aklivity · Feb 5, 2025 · 04003bb · 04003bb
1 parent 6c556be
commit 04003bb
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 16 deletions.
diff --git a/http.kafka.oneway/README.md b/http.kafka.oneway/README.md
@@ -1,6 +1,6 @@
 # http.kafka.oneway
 
-Listens on http port `7114` or https port `7114` and will produce messages to the `events` topic in Kafka, synchronously.
+Listens on http port `7114` or https port `7114` and will produce messages to the `events` topic in Kafka, synchronously. Zilla connects to Kafka using SASL-SCRAM over an SSL encrypted connection.
 
 ## Requirements
 

diff --git a/http.kafka.oneway/compose.yaml b/http.kafka.oneway/compose.yaml
@@ -11,14 +11,17 @@ services:
       retries: 5
       test: ["CMD", "bash", "-c", "echo -n '' > /dev/tcp/127.0.0.1/7114"]
     environment:
-      KAFKA_BOOTSTRAP_SERVER: kafka:29092
+      KAFKA_BOOTSTRAP_SERVER: kafka:9092
+      KEYSTORE_PASSWORD: generated
+      SASL_USERNAME: alice
+      SASL_PASSWORD: alice-secret
     volumes:
       - ./zilla.yaml:/etc/zilla/zilla.yaml
+      - ./truststore:/etc/zilla/tls
     command: start -v -e
 
   kafka:
     image: bitnami/kafka:3.5
-    restart: unless-stopped
     ports:
       - 9092:9092
     healthcheck:
@@ -27,19 +30,33 @@ services:
       timeout: 60s
       retries: 60
     environment:
-      ALLOW_PLAINTEXT_LISTENER: "yes"
-      KAFKA_CFG_NODE_ID: "1"
-      KAFKA_CFG_BROKER_ID: "1"
-      KAFKA_CFG_GROUP_INITIAL_REBALANCE_DELAY_MS: "0"
-      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: "[email protected]:9093"
-      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: "CLIENT:PLAINTEXT,INTERNAL:PLAINTEXT,CONTROLLER:PLAINTEXT"
-      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
-      KAFKA_CFG_LOG_DIRS: "/tmp/logs"
-      KAFKA_CFG_PROCESS_ROLES: "broker,controller"
-      KAFKA_CFG_LISTENERS: "CLIENT://:9092,INTERNAL://:29092,CONTROLLER://:9093"
-      KAFKA_CFG_INTER_BROKER_LISTENER_NAME: "INTERNAL"
-      KAFKA_CFG_ADVERTISED_LISTENERS: "CLIENT://localhost:9092,INTERNAL://kafka:29092"
-      KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "true"
+      - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true
+      # KRaft
+      - KAFKA_CFG_NODE_ID=0
+      - KAFKA_CFG_PROCESS_ROLES=controller,broker
+      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+      # Listeners
+      - KAFKA_CFG_LISTENERS=SASL_SSL://:9092,INTERNAL://:29092,CONTROLLER://:9093
+      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:SASL_PLAINTEXT,SASL_SSL:SASL_SSL,INTERNAL:PLAINTEXT
+      - KAFKA_CFG_ADVERTISED_LISTENERS=SASL_SSL://kafka:9092,INTERNAL://kafka:29092
+      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=SASL_SSL
+      - KAFKA_CLIENT_LISTENER_NAME=SASL_SSL
+      # SASL
+      - KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL=PLAIN
+      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
+      - KAFKA_CONTROLLER_USER=controller_user
+      - KAFKA_CONTROLLER_PASSWORD=controller_password
+      - KAFKA_INTER_BROKER_USER=interbroker_user
+      - KAFKA_INTER_BROKER_PASSWORD=interbroker_password
+      - KAFKA_CLIENT_USERS=user
+      - KAFKA_CLIENT_PASSWORDS=password
+      # SSL
+      - KAFKA_TLS_TYPE=JKS
+      - KAFKA_CERTIFICATE_PASSWORD=generated
+    volumes:
+      - './keystore/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro'
+      - './truststore/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro'
 
   kafka-init:
     image: bitnami/kafka:3.5
@@ -59,6 +76,13 @@ services:
         /opt/bitnami/kafka/bin/kafka-topics.sh --bootstrap-server kafka:29092 --create --if-not-exists --topic events
         echo -e "Successfully created the following topics:";
         /opt/bitnami/kafka/bin/kafka-topics.sh --bootstrap-server kafka:29092 --list;
+        echo -e "Creating user";
+        /opt/bitnami/kafka/bin/kafka-configs.sh \
+        --bootstrap-server kafka:29092 \
+        --alter \
+        --add-config 'SCRAM-SHA-512=[iterations=4096,password=alice-secret]' \
+        --entity-type users \
+        --entity-name alice;
 
   kafka-ui:
     image: ghcr.io/kafbat/kafka-ui:v1.0.0

diff --git a/http.kafka.oneway/keystore/kafka.keystore.jks b/http.kafka.oneway/keystore/kafka.keystore.jks
diff --git a/http.kafka.oneway/truststore/ca-key b/http.kafka.oneway/truststore/ca-key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIq+9AoKSC4JsCAggA
+MB0GCWCGSAFlAwQBKgQQsEKnkyEdHetOeaX5A2hKOgSCBNANwAkRPiVacrOXYSM2
+deNviB42hUrfc3xh3b/rmg6iJZFQN+YkehC8QzwDw5ySAl/l5gc8zOlIa2SZI7xW
+/YQR5WHA26gF9DDhFL1FY7iU/SJ9rmtREBLVhYla56uziW3FAzlOV7OYF6Zw6Ox/
+YWTDOOgvki+sRJ7IXTKqZSOeb0CJlNqxpJTCSxC8XePvH3C8cFsUo3P2hZ5M+q9d
+B40ovIJULpDL1dqcw5pKOo/o/eUfjvlUpGGscCSFlazwVvnsnoMRtAxPTQysv0D7
+nuJW44iiO9XOX20voxFwC8svxvT0lKxjwIrsUMVx3nMb1rNsbbnd3oUefj0xJU70
+3zdlI2NdRNlmMXGzxXFgr0BH6F3VL4xajA7LlXE41Aoo6JtttmVl8B5YX9WE/1Dx
+PG3aLNwdm+Yoc8H6WZpFhpmz0jTbMoUPS55Swe05qg0S+R4MS/lrj5bv3ETSOPUn
+BNMvQpRlMphcHowoG3jqPlUR1XFkmSCybGkSaWmm1nDuLbDXgFpw4nQrtVeMxwfM
+wvRc8mLcDFpZNPn61/aCgbkPP7O7vtMPnb4oowapCD5A6tSah5g7QyPBVMfUC6j/
+/DP/eUnsug/HZOOOlhayQQsAYkz+pjs4DJTIvhPVzQLqHyA1bgnl2faYk976cy/w
+RL4RY5Z5JI7VmZulMadtXuCOd1DjdjRPcs57QbkiLmPLZy4GfVGSyz3yS003LcfP
+YsEHPiIdEBXDpA0w2MkNRVtzTBxHApfqWHRCnAh9a/rFW/69upmAQ221PmPNlNJR
+cEbTgAEXCIfEvYqz24s/qDnsTvonazY3nFKGdZLOT5c0cfs9S/QJ7tIb893sG67O
+5IXRnpc9kDXhosegtUrj5SA8fDAym9gaSQ9aBzbezJ8Mi6V/Ixc+NN9I4rp0DlIH
+mS2QnrUg0NZouX37CjiX4MZr4Pkc1pvf2Mso+hbrleeLgmpE7gBuYJ1PxDPP9/y+
+zlEV/g9wWHSz3vUwzb7JptAofUofGiX1S7jqeQ8+bK6xtxOAqtlOqHEXmODZzRKG
+7Vgepr51/FcK26mnLBXnEmr6D9MCqUhBo3I7lrvlaA6qCvJ0wbjxbGI3/zKkmzFo
+nLGdynOBdKTAvtD4r2PcGfRn8Xyn5hjXeG6+acfsTK5bve1IaogmpoYRJ8YcJExA
+ndo0jtU+Tfq7Gj8HYOzlMih1i7sSfZTRmQDjJlaYoSmAmmnbiuWnjrStR10L+Wmg
+ZBZQqEahsKYh6veY1ROeLtfGWU1reZ6bJb53vpvJyXfINv+paNMjjntuPbrYREXc
+bNgMzzH1zybb6NN3DrKNicTi7srXmat4e8Sk+G5G0RD0T4pZYdQfT/LIIhFYWUhT
+L2VqfWQQq8oMycoJNnOFMR7ctYOW1m+X1vPPGFrA2yC9FFLzdpzdhp/UtBqVNdBl
+zUAxjz4IPDqVeIORFak9c/wlkJlLqKupg1Gc9ALhf71+u+bY66foJ+jL44fGmqWH
+PLWGRRC1l9XxVfjfErBVQwQfTP5rIc/dNDXa41Qu0aZnt2ZEVYou1mMoNBPLw7YD
+VvpQYeYkIx8ijPjcCTEppwRb/TgAwlKJfw0Pd305c/sS/x8P95skZ2zbD/eNcvbG
+5uJd/tNHPYG3ESJZc+JBri40AQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/http.kafka.oneway/truststore/kafka.truststore.jks b/http.kafka.oneway/truststore/kafka.truststore.jks
diff --git a/http.kafka.oneway/zilla.yaml b/http.kafka.oneway/zilla.yaml
@@ -1,5 +1,13 @@
 ---
 name: example
+vaults:
+  your_clients:
+    type: filesystem
+    options:
+      trust:
+        store: tls/kafka.truststore.jks
+        type: jks
+        password: ${{env.KEYSTORE_PASSWORD}}
 bindings:
   north_tcp_server:
     type: tcp
@@ -44,6 +52,22 @@ bindings:
     options:
       servers:
         - ${{env.KAFKA_BOOTSTRAP_SERVER}}
+      sasl:
+        mechanism: scram-sha-512
+        username: ${{env.SASL_USERNAME}}
+        password: ${{env.SASL_PASSWORD}}
+    exit: south_tls_client
+  south_tls_client:
+    type: tls
+    kind: client
+    vault: your_clients
+    options:
+      trust:
+        - kafka
+      sni:
+        - kafka
+      alpn:
+        - h2
     exit: south_tcp_client
   south_tcp_client:
     type: tcp