[eclipse#222] Use TLS for connecting to Kafka.

New certificates are created for the example Kafka broker. The broker is configured to expect TLS encrypted connections from clients. The truststore is added to all services and adapters that need to connect to Kafka. This is currently a "jks" file because in Kafka the support for the "pem" format was added in version 2.7 and Hono currently uses the Kafka clients in version 2.6. Signed-off-by: Abel Buechner-Mihaljevic <[email protected]>
bosch-io · Jun 4, 2021 · 8513546 · 8513546
1 parent 4c1e384
commit 8513546
Show file tree

Hide file tree

Showing 18 changed files with 93 additions and 9 deletions.
diff --git a/charts/hono/example/ca_opts b/charts/hono/example/ca_opts
@@ -146,3 +146,10 @@ subjectKeyIdentifier = hash
 keyUsage             = keyAgreement,keyEncipherment,digitalSignature
 extendedKeyUsage     = serverAuth, clientAuth
 subjectAltName       = DNS.1:localhost
+
+[ req_ext_kafka ]
+
+subjectKeyIdentifier = hash
+keyUsage             = keyAgreement,keyEncipherment,digitalSignature
+extendedKeyUsage     = serverAuth, clientAuth
+subjectAltName       = DNS.1:*.hono-kafka-headless,DNS.2:*.hono-kafka-headless.hono,DNS.3:localhost
diff --git a/charts/hono/example/certs/kafka-cert.pem b/charts/hono/example/certs/kafka-cert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIICPTCCAeOgAwIBAgIUB2vxWI9wj32OHLaABVV+iuVkdRwwCgYIKoZIzj0EAwIw
+UDELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xCzAJBgNVBAMMAmNhMB4XDTIxMDYwMjE1MjUw
+N1oXDTIyMDYwMjE1MjUwN1owUzELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3
+YTEUMBIGA1UECgwLRWNsaXBzZSBJb1QxDTALBgNVBAsMBEhvbm8xDjAMBgNVBAMM
+BWthZmthMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHfvUCACcO9wS9c/57EfA
+i34dNdNTUPwAib143fEUiaC9wPCp6EPzIjFHx78n8DgY7iXc+rZE1BXqAbqVO/n0
+3KOBlzCBlDAdBgNVHQ4EFgQUErFQDWfU3iYKEYv8ws7Ka6N7AvAwCwYDVR0PBAQD
+AgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBHBgNVHREEQDA+ghUq
+Lmhvbm8ta2Fma2EtaGVhZGxlc3OCGiouaG9uby1rYWZrYS1oZWFkbGVzcy5ob25v
+gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSAAwRQIhANeuZW+OCsrM23R2p2g5iH7/
+SyoSVU8d6DkcVpawSxgtAiAPWibmpN0qWTrf3s4N1zoaYC6EB7LY6D1cstaQ+/Lf
+rA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB4zCCAYmgAwIBAgIUDvfsevHpF7ObReAAmGXXHHsAXDswCgYIKoZIzj0EAwIw
+UjELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xDTALBgNVBAMMBHJvb3QwHhcNMjEwMTI2MTMx
+MzI1WhcNMjIwMTI2MTMxMzI1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UEBwwGT3R0
+YXdhMRQwEgYDVQQKDAtFY2xpcHNlIElvVDENMAsGA1UECwwESG9ubzELMAkGA1UE
+AwwCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQrWtTxDTpqzkLfkZWT+RMp
+w3y6/Mbmrj3S4DTfEv9bsuwUvZwcF7yy5X5YWFq+WOESLBh3nykxxg0MBRHdN0fx
+oz8wPTAdBgNVHQ4EFgQUBxIgSnCFs43mB6a9umhpKCA2I30wDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgRau0yW4JCG+2e3w5
+KFWzCYV20/DNJ2Lj5ospGvNhl9sCIQCYde5228wNvKT3Qw6vk70HiS5r/mhFNJaZ
+aPyf7W2E4g==
+-----END CERTIFICATE-----
diff --git a/charts/hono/example/certs/kafka-key.pem b/charts/hono/example/certs/kafka-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg0xs9OqU6CWzt1swR
+qsf9pHWPducg3NGNAYG23hxHNkehRANCAAQd+9QIAJw73BL1z/nsR8CLfh0101NQ
+/ACJvXjd8RSJoL3A8KnoQ/MiMUfHvyfwOBjuJdz6tkTUFeoBupU7+fTc
+-----END PRIVATE KEY-----
diff --git a/charts/hono/example/certs/kafkaKeyStore.jks b/charts/hono/example/certs/kafkaKeyStore.jks
diff --git a/charts/hono/example/create_certs.sh b/charts/hono/example/create_certs.sh
@@ -41,6 +41,9 @@ AMQP_ADAPTER_KEY_STORE=amqpKeyStore.p12
 AMQP_ADAPTER_KEY_STORE_PWD=amqpkeys
 EXAMPLE_GATEWAY_KEY_STORE=exampleGatewayKeyStore.p12
 EXAMPLE_GATEWAY_KEY_STORE_PWD=examplegatewaykeys
+KAFKA_KEY_STORE=kafkaKeyStore.jks
+# the bitnami Kafka chart expects truststore and keystore to have the same password
+KAFKA_KEY_STORE_PWD=honotrust
 # set to either EC or RSA
 KEY_ALG=EC
 
@@ -141,5 +144,6 @@ create_cert artemis $ARTEMIS_KEY_STORE $ARTEMIS_KEY_STORE_PWD
 create_cert coap-adapter $COAP_ADAPTER_KEY_STORE $COAP_ADAPTER_KEY_STORE_PWD
 create_cert amqp-adapter $AMQP_ADAPTER_KEY_STORE $AMQP_ADAPTER_KEY_STORE_PWD
 create_cert example-gateway $EXAMPLE_GATEWAY_KEY_STORE $EXAMPLE_GATEWAY_KEY_STORE_PWD
+create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD
 
 create_client_cert 4711
diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl
@@ -227,9 +227,12 @@ kafka:
 {{- if .dot.Values.kafkaMessagingClusterExample.enabled }}
   commonClientConfig:
     bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }}
-    security.protocol: SASL_PLAINTEXT
+    security.protocol: SASL_SSL
     sasl.mechanism: SCRAM-SHA-512
     sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";"
+    ssl.truststore.location: /etc/hono/truststore.jks
+    ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}
+    ssl.endpoint.identification.algorithm: "" # Disables hostname verification. Don't do this in productive setups!
 {{- else if not .dot.Values.adapters.kafkaMessagingSpec }}
   {{- required ".Values.adapters.kafkaMessagingSpec MUST be provided if example Kafka cluster is disabled" nil }}
 {{- else if not (index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers") }}

diff --git a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.amqp.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/amqp-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/amqp-adapter.credentials" | b64enc }}
-{{- end }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.coap.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/coap-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/coap-adapter.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.http.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/http-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/http-adapter.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.kura.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/kura-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/kura-adapter.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.lora.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/lora-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/lora-adapter.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.mqtt.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,4 +45,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/mqtt-adapter-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/mqtt-adapter.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
@@ -102,4 +102,5 @@ data:
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
   adapter.credentials: {{ .Files.Get "example/command-router.credentials" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/...hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/...hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/...hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/...hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
@@ -73,4 +73,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/...o/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/...o/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
   cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
   trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
   auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/kafka/kafka-secret.yaml b/charts/hono/templates/kafka/kafka-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafkaMessagingClusterExample.enabled }}
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- $args := dict "dot" . "component" "kafka" "name" "kafka-jks" }}
+  {{- include "hono.metadata" $args | nindent 2 }}
+type: Opaque
+data:
+  "kafka.truststore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+  "kafka-0.keystore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml
@@ -1835,7 +1835,7 @@ kafka:
   service:
     port: 9092
   auth:
-    clientProtocol: sasl
+    clientProtocol: sasl_tls
     sasl:
       jaas:
         clientUsers:
@@ -1844,3 +1844,7 @@ kafka:
           - "hono-secret"
         zookeeperUser: zookeeperUser
         zookeeperPassword: zookeeperPassword
+    tls:
+      type: jks
+      existingSecret: "{{ .Release.Name }}-kafka-jks"
+      password: honotrust