diff --git a/charts/hono/example/ca_opts b/charts/hono/example/ca_opts
index 3f8f0ed9..6d5c72dd 100644
--- a/charts/hono/example/ca_opts
+++ b/charts/hono/example/ca_opts
@@ -146,3 +146,10 @@ subjectKeyIdentifier = hash
 keyUsage = keyAgreement,keyEncipherment,digitalSignature
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = DNS.1:localhost
+
+[ req_ext_kafka ]
+
+subjectKeyIdentifier = hash
+keyUsage = keyAgreement,keyEncipherment,digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS.1:*.eclipse-hono-kafka-headless,DNS.2:*.eclipse-hono-kafka-headless.hono,DNS.3:*.eclipse-hono-kafka-headless.hono.svc.cluster.local,DNS.4:localhost
diff --git a/charts/hono/example/certs/kafka-cert.pem b/charts/hono/example/certs/kafka-cert.pem
new file mode 100644
index 00000000..aa95ba14
--- /dev/null
+++ b/charts/hono/example/certs/kafka-cert.pem
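Review bot: The `subjectAltName` list added under `req_ext_kafka` hard-codes the release name and namespace (`*.eclipse-hono-kafka-headless.hono`), while the chart builds the broker host from `.Release.Name`, `kafka.nameOverride` and `.Release.Namespace`, so a client that verifies the broker hostname will only accept this certificate for a release named `eclipse-hono` installed in namespace `hono`. That assumption should be written into the section so that anyone installing elsewhere knows to regenerate: `# SANs assume release name "eclipse-hono" in namespace "hono" (see bootstrap.servers in templates/_helpers.tpl); re-run create_certs.sh for any other deployment`. Separately, with `KEY_ALG=EC` in create_certs.sh the `keyEncipherment` bit is meaningless for an ECDSA key; it is copied from the existing sections, so this is a consistency nit rather than a defect.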
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAiygAwIBAgIUOrdAF96Bl8S68x9iLGpXTUkHZX4wCgYIKoZIzj0EAwIw
+UDELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xCzAJBgNVBAMMAmNhMB4XDTIxMDUyNTEzMDEx
+OFoXDTIyMDUyNTEzMDExOFowUzELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3
+YTEUMBIGA1UECgwLRWNsaXBzZSBJb1QxDTALBgNVBAsMBEhvbm8xDjAMBgNVBAMM
+BWthZmthMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmHhNNE8pFkV/vHK8u3ep
+NYCxstGys1V4qK131+Tq8qQQciyB4BlSd5lhHCTvZKlPAgfD3JO1ajoJFKEc3kQ7
+2qOB4DCB3TAdBgNVHQ4EFgQUS9iuPOvkVh59tk6I8GMd7zu8WY0wCwYDVR0PBAQD
+AgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjwYDVR0RBIGHMIGE
+gh0qLmVjbGlwc2UtaG9uby1rYWZrYS1oZWFkbGVzc4IiKi5lY2xpcHNlLWhvbm8t
+a2Fma2EtaGVhZGxlc3MuaG9ub4I0Ki5lY2xpcHNlLWhvbm8ta2Fma2EtaGVhZGxl
+c3MuaG9uby5zdmMuY2x1c3Rlci5sb2NhbIIJbG9jYWxob3N0MAoGCCqGSM49BAMC
+A0gAMEUCIQCCiDTpdsyVTlO+Q+qTkM2LJMDUKInomACBKCPjmdOwHgIgYIVRAxNx
+y7cRBvzrjKtzHn+MQGTNacmqS+ALGj2+hNk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB4zCCAYmgAwIBAgIUDvfsevHpF7ObReAAmGXXHHsAXDswCgYIKoZIzj0EAwIw
+UjELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz
+ZSBJb1QxDTALBgNVBAsMBEhvbm8xDTALBgNVBAMMBHJvb3QwHhcNMjEwMTI2MTMx
+MzI1WhcNMjIwMTI2MTMxMzI1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UEBwwGT3R0
+YXdhMRQwEgYDVQQKDAtFY2xpcHNlIElvVDENMAsGA1UECwwESG9ubzELMAkGA1UE
+AwwCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQrWtTxDTpqzkLfkZWT+RMp
+w3y6/Mbmrj3S4DTfEv9bsuwUvZwcF7yy5X5YWFq+WOESLBh3nykxxg0MBRHdN0fx
+oz8wPTAdBgNVHQ4EFgQUBxIgSnCFs43mB6a9umhpKCA2I30wDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgRau0yW4JCG+2e3w5
+KFWzCYV20/DNJ2Lj5ospGvNhl9sCIQCYde5228wNvKT3Qw6vk70HiS5r/mhFNJaZ
+aPyf7W2E4g==
+-----END CERTIFICATE-----
diff --git a/charts/hono/example/certs/kafka-key.pem b/charts/hono/example/certs/kafka-key.pem
new file mode 100644
index 00000000..bcdfe842
--- /dev/null
+++ b/charts/hono/example/certs/kafka-key.pem
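Review bot: The leaf certificate in this file outlives its issuer: decoding the visible base64, the `CN=kafka` certificate is valid until 2022-05-25 while the `CN=ca` certificate appended below it expires on 2022-01-26, so path validation against this chain fails four months before the leaf's own notAfter. Because the file is generated, the fix is to regenerate the example CA and its leaf certificates together so that the issuer's validity period encloses the leaf's, rather than editing the PEM; the other example certificates issued from the same CA deserve the same check. If create_certs.sh sets validity per certificate, capping the leaf at the CA's remaining lifetime would keep this from recurring.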
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgDl9XTUixhhdRyYXM
+T+3yickHXeaQwTkCDn3KeaSJI2qhRANCAASYeE00TykWRX+8cry7d6k1gLGy0bKz
+VXiorXfX5OrypBByLIHgGVJ3mWEcJO9kqU8CB8Pck7VqOgkUoRzeRDva
+-----END PRIVATE KEY-----
diff --git a/charts/hono/example/certs/kafkaKeyStore.jks b/charts/hono/example/certs/kafkaKeyStore.jks
new file mode 100644
index 00000000..da5b7ab3
Binary files /dev/null and b/charts/hono/example/certs/kafkaKeyStore.jks differ
diff --git a/charts/hono/example/create_certs.sh b/charts/hono/example/create_certs.sh
index d8eda3fa..9ab2f741 100755
--- a/charts/hono/example/create_certs.sh
+++ b/charts/hono/example/create_certs.sh
@@ -41,6 +41,9 @@ AMQP_ADAPTER_KEY_STORE=amqpKeyStore.p12
 AMQP_ADAPTER_KEY_STORE_PWD=amqpkeys
 EXAMPLE_GATEWAY_KEY_STORE=exampleGatewayKeyStore.p12
 EXAMPLE_GATEWAY_KEY_STORE_PWD=examplegatewaykeys
+KAFKA_KEY_STORE=kafkaKeyStore.jks
+# the bitnami Kafka chart expects truststore and keystore to have the same name
+KAFKA_KEY_STORE_PWD=honotrust
 # set to either EC or RSA
 KEY_ALG=EC
 
@@ -141,5 +144,6 @@ create_cert artemis $ARTEMIS_KEY_STORE $ARTEMIS_KEY_STORE_PWD
 create_cert coap-adapter $COAP_ADAPTER_KEY_STORE $COAP_ADAPTER_KEY_STORE_PWD
 create_cert amqp-adapter $AMQP_ADAPTER_KEY_STORE $AMQP_ADAPTER_KEY_STORE_PWD
 create_cert example-gateway $EXAMPLE_GATEWAY_KEY_STORE $EXAMPLE_GATEWAY_KEY_STORE_PWD
+create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD
 
 create_client_cert 4711
diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl
index 0e0aff55..a8d2c36e 100644
--- a/charts/hono/templates/_helpers.tpl
+++ b/charts/hono/templates/_helpers.tpl
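Review bot: This hunk publishes the broker's private key in the repository; that is in line with the other example keys under `example/certs`, but it means anyone with the chart can impersonate the example Kafka broker towards every adapter and service that trusts it, and the `honotrust` keystore password guarding the JKS copy protects nothing once the PEM is public. PEM has no comment syntax, so the caveat belongs where the key is produced: a line such as `# example key material only: committed to the repository, NOT for use outside throwaway deployments; re-run this script and replace the generated secrets` at the top of create_certs.sh, or the same sentence in the chart README.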
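Review bot: The comment above `KAFKA_KEY_STORE_PWD` says the bitnami chart expects truststore and keystore to have the same *name*, but the line it annotates sets a password, and elsewhere in this change it is the password `honotrust` that is shared (values.yaml `kafka.auth.tls.password`, `_helpers.tpl` `ssl.truststore.password`) while the secret template reuses one file for both stores. Reword it to match the line: `# the bitnami Kafka chart uses a single password (kafka.auth.tls.password) for keystore and truststore`. A pointer that the same literal is repeated in values.yaml and _helpers.tpl would also save whoever rotates it from a silent mismatch.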
@@ -226,9 +226,11 @@ kafka:
 {{- if .dot.Values.kafkaMessagingClusterExample.enabled }}
 commonClientConfig:
 bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }}
- security.protocol: SASL_PLAINTEXT
+ security.protocol: SASL_SSL
 sasl.mechanism: SCRAM-SHA-512
 sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";"
+ ssl.truststore.location: /etc/hono/truststore.jks
+ ssl.truststore.password: honotrust
 {{- else if not .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig.bootstrap.servers }}
 {{- required ".Values.adapters.kafkaMessagingSpec.commonClientConfig.bootstrap.servers MUST be set if example Kafka cluster is disabled" nil }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
index ea224cf2..57b250ff 100644
--- a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.amqp.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
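Review bot: `ssl.truststore.password: honotrust` is a literal in the template although the same password is exposed in values.yaml as `kafka.auth.tls.password`; changing the value there will reconfigure the broker but leave the adapters unable to open their truststore. Read it from the values instead: `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}`. Moving to SASL_SSL also means the Kafka client verifies the broker hostname by default (`ssl.endpoint.identification.algorithm` is `https` unless cleared), which only succeeds because the example certificate's wildcard SANs match `{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}` for release `eclipse-hono` in namespace `hono`; a comment on the `bootstrap.servers` line naming that dependency would help. The `kafka:` mapping this hunk belongs to starts before it.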
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/amqp-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/amqp-adapter.credentials" | b64enc }}
-{{- end }}
\ No newline at end of file
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
index 9581f621..59c5f14b 100644
--- a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.coap.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -38,4 +38,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/coap-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/coap-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
index 491e4ef1..136f1eee 100644
--- a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.http.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/http-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/http-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
index 94bafceb..cb44c340 100644
--- a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
+++ b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.kura.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/kura-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/kura-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
index 1ce76850..93edc302 100644
--- a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.lora.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/lora-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/lora-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
index 15cb997e..f7d52acc 100644
--- a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.mqtt.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,4 +45,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/mqtt-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/mqtt-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
index 161a00ae..fc0f743e 100644
--- a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
+++ b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
@@ -102,4 +102,5 @@ data:
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/command-router.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
index eabb0119..87576ac8 100644
--- a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
index 4e282690..9ef5ed1f 100644
--- a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
@@ -73,4 +73,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
index 9b05e54c..371aba97 100644
--- a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/kafka/kafka-secret.yaml b/charts/hono/templates/kafka/kafka-secret.yaml
new file mode 100644
index 00000000..8b46539f
--- /dev/null
+++ b/charts/hono/templates/kafka/kafka-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafkaMessagingClusterExample.enabled }}
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- $args := dict "dot" . "component" "kafka" "name" "kafka-jks" }}
+ {{- include "hono.metadata" $args | nindent 2 }}
+type: Opaque
+data:
+ "kafka.truststore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+ "kafka-0.keystore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml
index 9e740af4..b1756f09 100755
--- a/charts/hono/values.yaml
+++ b/charts/hono/values.yaml
@@ -1778,7 +1778,7 @@ kafka:
 service:
 port: 9092
 auth:
- clientProtocol: sasl
+ clientProtocol: sasl_tls
 sasl:
 jaas:
 clientUsers:
@@ -1787,3 +1787,7 @@ kafka:
 - "hono-secret"
 zookeeperUser: zookeeperUser
 zookeeperPassword: zookeeperPassword
+ tls:
+ type: jks
+ existingSecret: "{{ .Release.Name }}-kafka-jks"
+ password: honotrust
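Review bot: Both `kafka.truststore.jks` and `kafka-0.keystore.jks` are populated from the same `kafkaKeyStore.jks`, so the broker's trust anchors are whatever that keystore carries next to its private key; that is tolerable only while the broker does not authenticate clients by certificate (values.yaml keeps SASL/SCRAM for that), and the keystore would silently become the trust store if client certificate auth were ever enabled. The single `kafka-0.keystore.jks` entry also covers one broker; if the bitnami chart resolves one `kafka-<ordinal>.keystore.jks` per replica, as the name suggests, `replicaCount > 1` leaves the remaining brokers without a keystore. Record both limits in the template: `# single-broker example: one kafka-<n>.keystore.jks is needed per replica; the truststore reuses the keystore file`.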
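Review bot: `existingSecret: "{{ .Release.Name }}-kafka-jks"` is a Go template expression inside values.yaml, which Helm does not render unless the consuming chart passes the value through `tpl`; if the bitnami Kafka chart does not do that for `auth.tls.existingSecret`, the broker will look for a secret literally named `{{ .Release.Name }}-kafka-jks` and TLS startup fails. Confirm the behaviour of the pinned subchart version and document it next to the line: `# rendered via tpl by the bitnami chart; must equal the name produced by templates/kafka/kafka-secret.yaml`. `password: honotrust` is the third copy of this literal in the change (create_certs.sh and _helpers.tpl carry the other two), so a note that all three must be rotated together belongs here as well.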