From 851354690586e79940e1fbce96d6982161a465a0 Mon Sep 17 00:00:00 2001
From: Abel Buechner-Mihaljevic
Date: Tue, 1 Jun 2021 11:57:46 +0200
Subject: [PATCH] [#222] Use TLS for connecting to Kafka.

New certificates are created for the example Kafka broker. The broker is configured to expect TLS encrypted connections from clients. The truststore is added to all services and adapters that need to connect to Kafka. This is currently a "jks" file because in Kafka the support for the "pem" format was added in version 2.7 and Hono currently uses the Kafka clients in version 2.6.

Signed-off-by: Abel Buechner-Mihaljevic
---
 charts/hono/example/ca_opts | 7 +++++
 charts/hono/example/certs/kafka-cert.pem | 28 ++++++++++++++++++
 charts/hono/example/certs/kafka-key.pem | 5 ++++
 charts/hono/example/certs/kafkaKeyStore.jks | Bin 0 -> 1622 bytes
 charts/hono/example/create_certs.sh | 4 +++
 charts/hono/templates/_helpers.tpl | 5 +++-
 .../hono-adapter-amqp-vertx-secret.yaml | 5 ++--
 .../hono-adapter-coap-vertx-secret.yaml | 3 +-
 .../hono-adapter-http-vertx-secret.yaml | 3 +-
 .../hono-adapter-kura-secret.yaml | 3 +-
 .../hono-adapter-lora-vertx-secret.yaml | 3 +-
 .../hono-adapter-mqtt-vertx-secret.yaml | 3 +-
 .../hono-service-command-router-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 charts/hono/templates/kafka/kafka-secret.yaml | 23 ++++++++++++++
 charts/hono/values.yaml | 6 +++-
 18 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 charts/hono/example/certs/kafka-cert.pem
 create mode 100644 charts/hono/example/certs/kafka-key.pem
 create mode 100644 charts/hono/example/certs/kafkaKeyStore.jks
 create mode 100644 charts/hono/templates/kafka/kafka-secret.yaml
diff --git a/charts/hono/example/ca_opts b/charts/hono/example/ca_opts
index 3f8f0ed9..2ee56ce6 100644
--- a/charts/hono/example/ca_opts
+++ b/charts/hono/example/ca_opts
@@ -146,3 +146,10 @@ subjectKeyIdentifier = hash
 keyUsage = keyAgreement,keyEncipherment,digitalSignature
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = DNS.1:localhost
+
+[ req_ext_kafka ]
+
+subjectKeyIdentifier = hash
+keyUsage = keyAgreement,keyEncipherment,digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS.1:*.hono-kafka-headless,DNS.2:*.hono-kafka-headless.hono,DNS.3:localhost
diff --git a/charts/hono/example/certs/kafka-cert.pem b/charts/hono/example/certs/kafka-cert.pem
new file mode 100644
index 00000000..92a33e3a
--- /dev/null
+++ b/charts/hono/example/certs/kafka-cert.pem
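Review bot: The new `subjectAltName` in `[ req_ext_kafka ]` fixes both the service name (`*.hono-kafka-headless`) and the namespace (`*.hono-kafka-headless.hono`), whereas the chart builds `bootstrap.servers` from `.Release.Name`, `.Values.kafka.nameOverride` and `.Release.Namespace`, so the committed example certificate only names the broker correctly for a release called `hono` in namespace `hono`; any other install presumably has to re-run `create_certs.sh` and regenerate the PEM and JKS files. A DNS wildcard also matches a single label only, so a fully qualified advertised listener name below `hono-kafka-headless.hono` would not match either, which looks like the reason `_helpers.tpl` turns off hostname verification for the clients. Suggest recording the assumption above the section: `# SANs assume release name "hono" in namespace "hono"; regenerate the Kafka cert for other installs`.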
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIICPTCCAeOgAwIBAgIUB2vxWI9wj32OHLaABVV+iuVkdRwwCgYIKoZIzj0EAwIw
+UDELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xCzAJBgNVBAMMAmNhMB4XDTIxMDYwMjE1MjUw
+N1oXDTIyMDYwMjE1MjUwN1owUzELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3
+YTEUMBIGA1UECgwLRWNsaXBzZSBJb1QxDTALBgNVBAsMBEhvbm8xDjAMBgNVBAMM
+BWthZmthMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHfvUCACcO9wS9c/57EfA
+i34dNdNTUPwAib143fEUiaC9wPCp6EPzIjFHx78n8DgY7iXc+rZE1BXqAbqVO/n0
+3KOBlzCBlDAdBgNVHQ4EFgQUErFQDWfU3iYKEYv8ws7Ka6N7AvAwCwYDVR0PBAQD
+AgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBHBgNVHREEQDA+ghUq
+Lmhvbm8ta2Fma2EtaGVhZGxlc3OCGiouaG9uby1rYWZrYS1oZWFkbGVzcy5ob25v
+gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSAAwRQIhANeuZW+OCsrM23R2p2g5iH7/
+SyoSVU8d6DkcVpawSxgtAiAPWibmpN0qWTrf3s4N1zoaYC6EB7LY6D1cstaQ+/Lf
+rA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB4zCCAYmgAwIBAgIUDvfsevHpF7ObReAAmGXXHHsAXDswCgYIKoZIzj0EAwIw
+UjELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xDTALBgNVBAMMBHJvb3QwHhcNMjEwMTI2MTMx
+MzI1WhcNMjIwMTI2MTMxMzI1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UEBwwGT3R0
+YXdhMRQwEgYDVQQKDAtFY2xpcHNlIElvVDENMAsGA1UECwwESG9ubzELMAkGA1UE
+AwwCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQrWtTxDTpqzkLfkZWT+RMp
+w3y6/Mbmrj3S4DTfEv9bsuwUvZwcF7yy5X5YWFq+WOESLBh3nykxxg0MBRHdN0fx
+oz8wPTAdBgNVHQ4EFgQUBxIgSnCFs43mB6a9umhpKCA2I30wDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgRau0yW4JCG+2e3w5
+KFWzCYV20/DNJ2Lj5ospGvNhl9sCIQCYde5228wNvKT3Qw6vk70HiS5r/mhFNJaZ
+aPyf7W2E4g==
+-----END CERTIFICATE-----
diff --git a/charts/hono/example/certs/kafka-key.pem b/charts/hono/example/certs/kafka-key.pem
new file mode 100644
index 00000000..37112f58
--- /dev/null
+++ b/charts/hono/example/certs/kafka-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg0xs9OqU6CWzt1swR
+qsf9pHWPducg3NGNAYG23hxHNkehRANCAAQd+9QIAJw73BL1z/nsR8CLfh0101NQ
+/ACJvXjd8RSJoL3A8KnoQ/MiMUfHvyfwOBjuJdz6tkTUFeoBupU7+fTc
+-----END PRIVATE KEY-----
diff --git a/charts/hono/example/certs/kafkaKeyStore.jks b/charts/hono/example/certs/kafkaKeyStore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..f3fabeee62b2c4302bb292e9c8093e17b78695c4
GIT binary patch
literal 1622
zcmV-c2C4Zlf(B9o0Ru3C1{ekjDuzgg_YDCD0ic2g2?T-$1u%jJ0Wg9D_XY_nhDe6@
z4FLxRpn?SGFoFc+0s#Opf&|?L2`Yw2hW8Bt2LUh~1_~;MNQUkZoVj
zVk(0hS6pjXC>Se0vy8#s8;aRz_K++|1`RM8ba7-w7e-us@An>a$!T%vOg@(y{-*jC
zYR6SO#gIN2OKk6YoNC{}2{UI7QvKE$gfGhD$Qe-Awlh6z->;PeD*^uIb<*zVx8r&F
zAD9BK2+sR&q6?NV)ec}?-b|%^Y3IghDiJXZB(ac2?H8f3a*B;x0SH#@%aFC|aMQA*
zsxWJ|J}+(x<)=zXfcU-q1{>tkLx#i!G|&q8nf(Gw(haq1dAEzFaylv>89W!z&&Yv)
zt>#T=7
zSQ*x&TQ~4cR3%y?lq$lnSICn!eA^4HYpFhk(!1ZOf8UchSZilHbAH-i4dvHQD(X@?
zARuU|8Dy`+d0=2rKj@ZHLj9IGiS0KA@uF%ZX&)Tf(?2hqNueR1GiMoyb^Y-LSEcg9
z#>#8^nt3i*1`S_s<{hdyWJC_ly5&SsaqU9yMkvdgg(s>ON?Bb2m@IHA(B7U&)IZ~{
z8T`HSnL3D6^MEzotsbM7vusaCiz{Y$;$JALQ7I_wf&=n-0NHTAN~Ctyqgm!fW<}V@
zE8_|1A5T==(@~JQ)uxoexh)E?HZPx{NC1bL2-my-{`}pt(E9H-S%a4fcUQo_NMCST
zF=sg4Zg}5&q>o*vCYiuxnCFMHFp039a(ZMKS$K#BUw3bI~
zl)t9HOsl@#%6go{G2#Pf19f{|+%@B!P&W!!-n~L)3p0y@;&u=_7nL|W3sn2XTY8>W
zZqaM-yN7)c+wGx=HUn#~5^u{zB`dtba&GolV+7YjMLZOX>Q`f>FEK7){S*ZQIKZE7
z2E*z+x^uOz9Ue-kV16R#>Af~dh|@8F2+jsy|ALt+n)Ktc9?xWt$7A>SL@
zX@4zdlmb$iBaRKgh
zm;luroTU+CWrG3?`M`||J&K+W-1G1~s7(Z9{;_1&o~e5uC3-c;>m3f3n*Mt3e>{agCwvaq%9Fe>-};1MHL?TI%TR
z_Vmtn@OF7Gnfb}2%_1@LH2SO&u-wZlnrppKW$60;;rS|O&LNQUovgjRFD)0O8i>_W%F@
literal 0
HcmV?d00001
diff --git a/charts/hono/example/create_certs.sh b/charts/hono/example/create_certs.sh
index d8eda3fa..19c56e4a 100755
--- a/charts/hono/example/create_certs.sh
+++ b/charts/hono/example/create_certs.sh
@@ -41,6 +41,9 @@ AMQP_ADAPTER_KEY_STORE=amqpKeyStore.p12
 AMQP_ADAPTER_KEY_STORE_PWD=amqpkeys
 EXAMPLE_GATEWAY_KEY_STORE=exampleGatewayKeyStore.p12
 EXAMPLE_GATEWAY_KEY_STORE_PWD=examplegatewaykeys
+KAFKA_KEY_STORE=kafkaKeyStore.jks
+# the bitnami Kafka chart expects truststore and keystore to have the same password
+KAFKA_KEY_STORE_PWD=honotrust
 # set to either EC or RSA
 KEY_ALG=EC
@@ -141,5 +144,6 @@ create_cert artemis $ARTEMIS_KEY_STORE $ARTEMIS_KEY_STORE_PWD
 create_cert coap-adapter $COAP_ADAPTER_KEY_STORE $COAP_ADAPTER_KEY_STORE_PWD
 create_cert amqp-adapter $AMQP_ADAPTER_KEY_STORE $AMQP_ADAPTER_KEY_STORE_PWD
 create_cert example-gateway $EXAMPLE_GATEWAY_KEY_STORE $EXAMPLE_GATEWAY_KEY_STORE_PWD
+create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD
 create_client_cert 4711
diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl
index 5d9ecfdc..8b77aa82 100644
--- a/charts/hono/templates/_helpers.tpl
+++ b/charts/hono/templates/_helpers.tpl
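Review bot: `KAFKA_KEY_STORE_PWD=honotrust` is one of three copies of the same secret value: `values.yaml` sets `kafka.auth.tls.password: honotrust` in this commit, and `_helpers.tpl` hands that value to every client as `ssl.truststore.password` for the shared `trustStore.jks`, so the broker keystore password, the chart value and the client truststore password must all stay equal or the example cluster stops connecting after the next certificate regeneration. The added comment only explains the bitnami constraint; extend it so the coupling is visible where the value originates: `# must equal kafka.auth.tls.password in values.yaml, which the chart also uses as the clients' ssl.truststore.password`. The `create_cert` function that consumes `$KAFKA_KEY_STORE` is defined outside the hunk, so whether it handles a `.jks` target (the other stores here are `.p12`) cannot be checked from the diff.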
@@ -227,9 +227,12 @@ kafka:
 {{- if .dot.Values.kafkaMessagingClusterExample.enabled }}
 commonClientConfig:
 bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }}
- security.protocol: SASL_PLAINTEXT
+ security.protocol: SASL_SSL
 sasl.mechanism: SCRAM-SHA-512
 sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";"
+ ssl.truststore.location: /etc/hono/truststore.jks
+ ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}
+ ssl.endpoint.identification.algorithm: "" # Disables hostname verification. Don't do this in productive setups!
 {{- else if not .dot.Values.adapters.kafkaMessagingSpec }}
 {{- required ".Values.adapters.kafkaMessagingSpec MUST be provided if example Kafka cluster is disabled" nil }}
 {{- else if not (index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers") }}
diff --git a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
index ea224cf2..57b250ff 100644
--- a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.amqp.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
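Review bot: `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}` renders the password as a bare scalar, so a value that happens to look like a number or boolean would be retyped by the YAML parser of the generated client config; write it as `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password | quote }}`, matching the quoting the neighbouring `sasl.jaas.config` line already applies. The `ssl.endpoint.identification.algorithm: ""` line disables hostname verification for every install that enables the example cluster, and the inline comment says not to do this in production without saying what would allow removing it; the example certificate's SANs are fixed to `*.hono-kafka-headless` and `*.hono-kafka-headless.hono`, so a comment such as `# hostname verification off: the example cert's SANs only match release "hono" in namespace "hono"; re-enable once the advertised listeners match the cert` tells the operator the condition. Both lines sit inside the `kafkaMessagingClusterExample.enabled` branch of a template that starts above the hunk.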
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/amqp-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/amqp-adapter.credentials" | b64enc }}
-{{- end }}
\ No newline at end of file
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
index 20427a12..95b57a5e 100644
--- a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.coap.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/coap-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/coap-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
index 491e4ef1..136f1eee 100644
--- a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
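Review bot: `truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}` renders an empty value when the file is absent, because `.Files.Get` yields an empty string for a missing path instead of failing, so the adapter would presumably start with a zero-byte truststore and only fail at its first TLS handshake with Kafka. Wrapping the lookup with `required`, which this chart already uses in `_helpers.tpl`, turns that into a render-time error: `truststore.jks: {{ required "example/certs/trustStore.jks is missing" (.Files.Get "example/certs/trustStore.jks") | b64enc }}`. The same line is added unguarded in the coap, http, kura, lora and mqtt adapter secrets and in the command-router and the three device-registry secrets, and the existing `cert.pem`/`trusted-certs.pem` entries above it share the behaviour.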
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.http.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/http-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/http-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
index 94bafceb..cb44c340 100644
--- a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
+++ b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.kura.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/kura-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/kura-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
index 1ce76850..93edc302 100644
--- a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.lora.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/lora-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/lora-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
index 15cb997e..f7d52acc 100644
--- a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.mqtt.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,4 +45,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/mqtt-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/mqtt-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
index 161a00ae..fc0f743e 100644
--- a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
+++ b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
@@ -102,4 +102,5 @@ data:
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/command-router.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
index eabb0119..87576ac8 100644
--- a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
index 4e282690..9ef5ed1f 100644
--- a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
@@ -73,4 +73,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
index 9b05e54c..371aba97 100644
--- a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/kafka/kafka-secret.yaml b/charts/hono/templates/kafka/kafka-secret.yaml
new file mode 100644
index 00000000..8b46539f
--- /dev/null
+++ b/charts/hono/templates/kafka/kafka-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafkaMessagingClusterExample.enabled }}
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- $args := dict "dot" . "component" "kafka" "name" "kafka-jks" }}
+ {{- include "hono.metadata" $args | nindent 2 }}
+type: Opaque
+data:
+ "kafka.truststore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+ "kafka-0.keystore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml
index 87f8ab0f..162369bc 100755
--- a/charts/hono/values.yaml
+++ b/charts/hono/values.yaml
@@ -1835,7 +1835,7 @@ kafka:
 service:
 port: 9092
 auth:
- clientProtocol: sasl
+ clientProtocol: sasl_tls
 sasl:
 jaas:
 clientUsers:
@@ -1844,3 +1844,7 @@ kafka:
 - "hono-secret"
 zookeeperUser: zookeeperUser
 zookeeperPassword: zookeeperPassword
+ tls:
+ type: jks
+ existingSecret: "{{ .Release.Name }}-kafka-jks"
+ password: honotrust
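Review bot: Both `kafka.truststore.jks` and `kafka-0.keystore.jks` are filled from the same `example/certs/kafkaKeyStore.jks`, so the broker's trust anchors are whatever chain that keystore carries (presumably the example CA), and the keystore entry is fixed to broker index 0; if the bitnami chart resolves per-replica keystores by that naming scheme, a second broker would find no `kafka-1.keystore.jks` in this secret. Make both decisions visible above the entries: `# example cluster runs a single broker; add a kafka-<n>.keystore.jks entry for every additional replica` and `# the truststore deliberately reuses the keystore file; its password is kafka.auth.tls.password`. The two `.Files.Get` lookups also render an empty value if the JKS file is missing, because `.Files.Get` returns an empty string for an unknown path; wrapping them with `required`, as `_helpers.tpl` already does for other mandatory values, makes that a render-time error instead of a broker that fails to start.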