From ae5db526c0403ae866253c310df93eb312bdd425 Mon Sep 17 00:00:00 2001 From: Abel Buechner-Mihaljevic Date: Tue, 18 May 2021 16:14:09 +0200 Subject: [PATCH 1/3] [#222] Support Kafka based messaging in Hono. This adds the support for the Kafka based messaging to the Hono chart. The property `messagingNetworkType` is used to select which type of configuration is added to the adapters and services (either `amqp` or `kafka`). The property `kafkaMessagingClusterExample.enabled` indicates whether the example Kafka cluster should be deployed and used. Signed-off-by: Abel Buechner-Mihaljevic --- charts/hono/Chart.yaml | 2 +- charts/hono/README.md | 62 +++++++++++++++ charts/hono/profileKafkaMessaging.yaml | 19 +++++ charts/hono/requirements.yaml | 6 +- charts/hono/templates/_helpers.tpl | 68 +++++++++++++++- .../hono-service-command-router-secret.yaml | 8 +- .../hono-service-device-registry-secret.yaml | 2 +- .../hono-service-device-registry-secret.yaml | 2 +- .../hono-service-device-registry-secret.yaml | 2 +- charts/hono/values.yaml | 79 ++++++++++++++++++- 10 files changed, 239 insertions(+), 11 deletions(-) create mode 100644 charts/hono/profileKafkaMessaging.yaml diff --git a/charts/hono/Chart.yaml b/charts/hono/Chart.yaml index c7306cab..09e55953 100755 --- a/charts/hono/Chart.yaml +++ b/charts/hono/Chart.yaml @@ -15,7 +15,7 @@ name: hono description: | Eclipse Hono™ provides remote service interfaces for connecting large numbers of IoT devices to a back end and interacting with them in a uniform way regardless of the device communication protocol. -version: 1.8.3 +version: 1.8.4 # Version of Hono being deployed by the chart appVersion: 1.8.0 keywords: diff --git a/charts/hono/README.md b/charts/hono/README.md index f1c0e857..cc49b85e 100644 --- a/charts/hono/README.md +++ b/charts/hono/README.md 
@@ -529,3 +529,65 @@ helm install --dependency-update -n hono --set honoImagesType=quarkus-native ecl ``` of Quarkus based services images. + + +## Using Kafka based Messaging + +The chart can be configured to use Kafka as the messaging network instead of an AMQP 1.0 messaging network. +The property `messagingNetworkType` is used to select the type of the messaging network. + +The following command provides a quickstart for Kafka based messaging (ensure `minikube tunnel` is running when using Minikube): + +```bash +helm install --dependency-update -n hono --set messagingNetworkType=kafka --set kafkaMessagingClusterExample.enabled=true --set amqpMessagingNetworkExample.enabled=false eclipse-hono eclipse-iot/hono +``` + +It enables the deployment of an example Kafka cluster, disables the deployment of the AMQP 1.0 messaging network +and configures adapters and services to use Kafka based messaging. + +### Using a production grade Kafka cluster + +If Kafka based messaging is enabled by setting `messagingNetworkType` to `kafka`, the Kafka clients need to +be configured with connection information for a Kafka cluster. The Helm chart can deploy an example Kafka cluster. +This is enabled by setting `kafkaMessagingClusterExample.enabled` to `true`. With this setting the chart +deploys a Kafka cluster consisting of a single broker and a single Zookeeper instance and configures the +protocol adapters to connect to the example cluster. + +In a production environment, though, usage of the example Kafka cluster is strongly discouraged as it does not provide +any redundancy. + +The Helm chart can be configured to use an existing Kafka cluster instead of the example deployment. +In order to do so, the protocol adapters need to be configured with information about the bootstrap server addresses +and configuration properties. 
+ +The easiest way to set these properties is by means of putting them into a YAML file with content like this: + +```yaml +# configure protocol adapters for Kafka messaging +messagingNetworkType: kafka + +# do not deploy example AMQP Messaging Network +amqpMessagingNetworkExample: + enabled: false + +# do not deploy example Kafka cluster +kafkaMessagingClusterExample: + enabled: false + +adapters: + # provide connection params + kafkaMessagingSpec: + commonClientConfig: + bootstrap.servers: broker0.my-custom-kafka.org:9092,broker1.my-custom-kafka.org:9092 +``` + +*adapters.kafkaMessagingSpec* needs to contain configuration properties as described in Hono's +[Kafka client admin guide](https://www.eclipse.org/hono/docs/admin-guide/hono-kafka-client-configuration/). +Make sure to adapt/add properties as required by the Kafka cluster. + +Assuming that the file is named `customKafkaCluster.yaml`, the values can then be passed in to the Helm `install` +command as follows: + +```bash +helm install --dependency-update -n hono -f /path/to/customKafkaCluster.yaml eclipse-hono eclipse-iot/hono +``` diff --git a/charts/hono/profileKafkaMessaging.yaml b/charts/hono/profileKafkaMessaging.yaml new file mode 100644 index 00000000..77fb689a --- /dev/null +++ b/charts/hono/profileKafkaMessaging.yaml @@ -0,0 +1,19 @@ +# +# Copyright (c) 2021 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +# +messagingNetworkType: kafka + +kafkaMessagingClusterExample: + enabled: true + +amqpMessagingNetworkExample: + enabled: false diff --git a/charts/hono/requirements.yaml b/charts/hono/requirements.yaml index 3d8048f2..46751665 100644 --- a/charts/hono/requirements.yaml 
+++ b/charts/hono/requirements.yaml @@ -1,5 +1,5 @@ # -# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation +# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -23,3 +23,7 @@ dependencies: repository: "https://charts.bitnami.com/bitnami" version: ~7.14.7 condition: mongodb.createInstance + - name: kafka + repository: "https://charts.bitnami.com/bitnami" + version: ~12.17.6 + condition: kafkaMessagingClusterExample.enabled diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl index 9af99119..81ff4f56 100644 --- a/charts/hono/templates/_helpers.tpl +++ b/charts/hono/templates/_helpers.tpl @@ -171,6 +171,25 @@ healthCheck: {{- end }} +{{/* +Configuration for the messaging network clients. +It configures for either AMQP based or Kafka based messaging. +The scope passed in is expected to be a dict with keys +- (mandatory) "dot": the root scope (".") and +- (mandatory) "component": the name of the component +*/}} +{{- define "hono.messagingNetworkClientConfig" -}} +{{- $args := dict "dot" .dot "component" .component -}} +{{- if eq .dot.Values.messagingNetworkType "amqp" -}} + {{- include "hono.amqpMessagingNetworkClientConfig" $args }} +{{- else if eq .dot.Values.messagingNetworkType "kafka" -}} + {{- include "hono.kafkaMessagingConfig" $args }} +{{- else }} + {{- required "Property messagingNetworkType MUST be either 'amqp' or 'kafka'" nil }} +{{- end -}} +{{- end }} + + {{/* Configuration for the AMQP messaging network clients. The scope passed in is expected to be a dict with keys 
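Review bot: The new `kafka` dependency is pinned with a tilde range (`version: ~12.17.6`), so `helm dependency update` silently pulls any later 12.17.x release of the Bitnami chart, while the templates added in this series reach into that chart's values layout (`kafka.nameOverride`, `kafka.externalAccess.service.type`, and later `kafka.auth.sasl.jaas.clientUsers`), which is exactly what a patch release may move or rename. Commit the `requirements.lock` that `helm dependency update` produces so the resolved version and digest are fixed for everyone installing from source, or pin an exact version: `version: 12.17.6`. The existing `mongodb` entry has the same looseness, but that is outside this change.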
@@ -194,6 +213,50 @@ messaging: {{- end }} +{{/* +Add configuration properties for Kafka based messaging to YAML file. + +The scope passed in is expected to be a dict with keys +- (mandatory) "dot": the root scope (".") and +- (mandatory) "component": the name of the component +*/}} +{{- define "hono.kafkaMessagingConfig" -}} +{{- include "hono.kafkaConfigCheck" (dict "dot" .dot) }} +kafka: + defaultClientIdPrefix: {{ .component }} +{{- if .dot.Values.kafkaMessagingClusterExample.enabled }} + commonClientConfig: + bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }} +{{- else if not .dot.Values.adapters.kafkaMessagingSpec }} + {{- required ".Values.adapters.kafkaMessagingSpec MUST be provided if example Kafka cluster is disabled" nil }} +{{- else if not (index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers") }} + {{- required ".Values.adapters.kafkaMessagingSpec.commonClientConfig MUST contain 'bootstrap.servers' if example Kafka cluster is disabled" nil }} +{{- end }} +{{- if .dot.Values.adapters.kafkaMessagingSpec }} + {{- .dot.Values.adapters.kafkaMessagingSpec | toYaml | nindent 2 }} +{{- end }} +{{- end }} + + +{{/* +Check configuration for consistency in case of Kafka based messaging. 
+ +The scope passed in is expected to be a dict with keys +- (mandatory) "dot": the root scope (".") +*/}} +{{- define "hono.kafkaConfigCheck" -}} + {{- if and (eq .dot.Values.messagingNetworkType "kafka") .dot.Values.kafkaMessagingClusterExample.enabled }} + {{- if .dot.Values.useLoadBalancer }} + {{- if not (eq .dot.Values.kafka.externalAccess.service.type "LoadBalancer") }} + {{- required ".Values.kafka.externalAccess.service.type MUST be 'LoadBalancer' if .Values.useLoadBalancer is true" nil }} + {{- end }} + {{- else if not (eq .dot.Values.kafka.externalAccess.service.type "NodePort") }} + {{- required ".Values.kafka.externalAccess.service.type MUST be 'NodePort' if .Values.useLoadBalancer is false" nil }} + {{- end }} + {{- end }} +{{- end }} + + {{/* Configuration for the clients accessing the example Device Registry. The scope passed in is expected to be a dict with keys @@ -218,7 +281,8 @@ The scope passed in is expected to be a dict with keys */}} {{- define "hono.serviceClientConfig" -}} {{- $adapter := default "adapter" .component -}} -{{- include "hono.amqpMessagingNetworkClientConfig" ( dict "dot" .dot "component" $adapter ) }} +{{- include "hono.messagingNetworkClientConfig" ( dict "dot" .dot "component" $adapter ) }} +{{- if eq .dot.Values.messagingNetworkType "amqp" }} command: {{- if .dot.Values.amqpMessagingNetworkExample.enabled }} name: Hono {{ $adapter }} @@ -232,6 +296,8 @@ command: {{- else }} {{- required ".Values.adapters.commandAndControlSpec MUST be set if example AMQP Messaging Network is disabled" .dot.Values.adapters.commandAndControlSpec | toYaml | nindent 2 }} {{- end }} +{{/* commands with Kafka use the config from hono.messagingNetworkClientConfig */}} +{{- end }} tenant: {{- if .dot.Values.adapters.tenantSpec }} {{- .dot.Values.adapters.tenantSpec | toYaml | nindent 2 }} 
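Review bot: In `hono.kafkaMessagingConfig` the check `index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers"` aborts rendering with a raw Go template error (index of a nil value) instead of the intended `required` message when a user supplies `kafkaMessagingSpec` without a `commonClientConfig` map. Guard the lookup, e.g. `{{- else if not (index (default dict .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig) "bootstrap.servers") }}`. Separately, when the example cluster is enabled the helper still appends `kafkaMessagingSpec` after its own `commonClientConfig:` block, so a user who also sets `commonClientConfig` gets a duplicate key in the rendered YAML that most parsers resolve silently by last-wins; either merge the two maps (`mergeOverwrite`) or fail with `required` on that combination. `hono.kafkaConfigCheck` looks fine as written.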
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml index 01a40317..161a00ae 100644 --- a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml +++ b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml @@ -71,6 +71,7 @@ stringData: tenant: {{- required ".Values.adapters.tenantSpec MUST be set if example Device Registry is disabled" .Values.adapters.tenantSpec | toYaml | nindent 8 }} {{- end }} + {{- if eq .Values.messagingNetworkType "amqp" }} command: {{- if .Values.amqpMessagingNetworkExample.enabled }} name: {{ printf "Hono %s" $args.component | quote }} @@ -82,7 +83,12 @@ stringData: trustStorePath: {{ .Values.adapters.commandAndControlSpec.trustStorePath }} hostnameVerificationRequired: {{ .Values.adapters.commandAndControlSpec.hostnameVerificationRequired }} {{- else }} - {{- required ".Values.adapters.commandAndControlSpec MUST be set if example AQMP Messaging Network is disabled" .Values.adapters.commandAndControlSpec | toYaml | nindent 8 }} + {{- required ".Values.adapters.commandAndControlSpec MUST be set if example AMQP Messaging Network is disabled" .Values.adapters.commandAndControlSpec | toYaml | nindent 8 }} + {{- end }} + {{- else if eq .Values.messagingNetworkType "kafka" }} + {{- include "hono.kafkaMessagingConfig" $args | nindent 6 }} + {{- else }} + {{- required "Values.messagingNetworkType MUST be either 'amqp' or 'kafka'" nil }} {{- end }} {{- include "hono.healthServerConfig" .Values.commandRouterService.hono.healthCheck | nindent 6 }} {{- include "hono.quarkusConfig" $args | indent 4 }} diff --git a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml index c1f3b6d5..eabb0119 100644 
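Review bot: The fallback `{{- required "Values.messagingNetworkType MUST be either 'amqp' or 'kafka'" nil }}` drops the leading dot that every other `required` message in the chart uses, and it re-implements the type dispatch that `hono.messagingNetworkClientConfig` in `_helpers.tpl` already performs, so the set of accepted values is now validated in two places that can drift. Route the non-AMQP case through that helper where possible, and at minimum align the message: `{{- required ".Values.messagingNetworkType MUST be either 'amqp' or 'kafka'" nil }}`. Rendering the Kafka client settings into this Secret's `stringData` is the right location for the credentials the follow-up patches add, so nothing further is needed there.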
--- a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml +++ b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml @@ -67,7 +67,7 @@ stringData: svc: filename: "/var/lib/hono/device-registry/tenants.json" saveToFile: true - {{- include "hono.amqpMessagingNetworkClientConfig" $args | nindent 6 }} + {{- include "hono.messagingNetworkClientConfig" $args | nindent 6 }} {{- include "hono.healthServerConfig" .Values.deviceRegistryExample.hono.healthCheck | nindent 6 }} data: key.pem: {{ .Files.Get "example/certs/device-registry-key.pem" | b64enc }} diff --git a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml index 9e24d7f0..4e282690 100644 --- a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml +++ b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml @@ -66,7 +66,7 @@ stringData: {{- if .Values.deviceRegistryExample.jdbcBasedDeviceRegistry.tenant.jdbc }} {{- .Values.deviceRegistryExample.jdbcBasedDeviceRegistry.tenant.jdbc | toYaml | nindent 10 }} {{- end }} - {{- include "hono.amqpMessagingNetworkClientConfig" $args | nindent 6 }} + {{- include "hono.messagingNetworkClientConfig" $args | nindent 6 }} {{- include "hono.healthServerConfig" .Values.deviceRegistryExample.hono.healthCheck | nindent 6 }} data: key.pem: {{ .Files.Get "example/certs/device-registry-key.pem" | b64enc }} diff --git a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml index 74fc8832..9b05e54c 100644 --- a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml 
+++ b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml @@ -67,7 +67,7 @@ stringData: username: {{ .Values.mongodb.mongodbUsername | quote }} password: {{ .Values.mongodb.mongodbPassword | quote }} {{- end }} - {{- include "hono.amqpMessagingNetworkClientConfig" $args | nindent 6 }} + {{- include "hono.messagingNetworkClientConfig" $args | nindent 6 }} {{- include "hono.healthServerConfig" .Values.deviceRegistryExample.hono.healthCheck | nindent 6 }} data: key.pem: {{ .Files.Get "example/certs/device-registry-key.pem" | b64enc }} diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml index 6786ef79..b09fdc05 100755 --- a/charts/hono/values.yaml +++ b/charts/hono/values.yaml @@ -39,6 +39,8 @@ livenessProbeInitialDelaySeconds: 300 # component level. readinessProbeInitialDelaySeconds: 20 +# amqpMessagingNetworkExample contains properties for configuring an example AMQP network +# to be used for messaging if "messagingNetworkType" is set to "amqp" amqpMessagingNetworkExample: # enabled indicates whether the example AMQP Messaging Network # consisting of a single Dispatch Router and Broker should be @@ -336,6 +338,14 @@ useLoadBalancer: true # Device Connection service towards the new Command Router service. useCommandRouter: true +# messagingNetworkType indicates which type of messaging should be used. +# The following types are defined: +# - amqp: AMQP 1.0 based messaging. Also refer to the +# sections "amqpMessagingNetworkExample" and "adapters.amqpMessagingNetworkSpec". +# - kafka: Apache Kafka based messaging. Also refer to the +# sections "kafkaMessagingClusterExample" and "adapters.kafkaMessagingSpec" +messagingNetworkType: amqp + # Configuration properties for protocol adapters. adapters: 
@@ -366,11 +376,12 @@ adapters: # amqpMessagingNetworkSpec contains Hono client properties used by all protocol # adapters for connecting to the AMQP Messaging Network to forward downstream messages to. - # This property MUST be set if "amqpMessagingNetworkExample.enabled" is set to false. + # This property MUST be set if "messagingNetworkType" is "amqp" and + # "amqpMessagingNetworkExample.enabled" is set to false. # Please refer to https://www.eclipse.org/hono/docs/admin-guide/hono-client-configuration/ # for a description of supported properties. # However, if "amqpMessagingNetworkExample.enabled" is set to true, only - # "keyPath", "keyPath", "trustStorePath", "hostnameVerificationRequired" can be set. + # "keyPath", "certPath", "trustStorePath", "hostnameVerificationRequired" can be set. amqpMessagingNetworkSpec: keyPath: /etc/hono/key.pem certPath: /etc/hono/cert.pem 
@@ -383,17 +394,34 @@ adapters: # commandAndControlSpec contains Hono client properties used by all protocol # adapters for connecting to the AMQP Messaging Network which is used by applications # to send commands to devices. - # This property MUST be set if "amqpMessagingNetworkExample.enabled" is set to false. + # This property MUST be set if "messagingNetworkType" is "amqp" and + # "amqpMessagingNetworkExample.enabled" is set to false. # Please refer to https://www.eclipse.org/hono/docs/admin-guide/hono-client-configuration/ # for a description of supported properties. # However, if "amqpMessagingNetworkExample.enabled" is set to true, only - # "keyPath", "keyPath", "trustStorePath", "hostnameVerificationRequired" can be set. + # "keyPath", "certPath", "trustStorePath", "hostnameVerificationRequired" can be set. commandAndControlSpec: keyPath: /etc/hono/key.pem certPath: /etc/hono/cert.pem trustStorePath: /etc/hono/trusted-certs.pem hostnameVerificationRequired: false + # kafkaMessagingSpec contains the configuration used by all protocol + # adapters for connecting to the Kafka cluster to be uses for messaging. + # This property MUST be set if "messagingNetworkType" is "kafka" and + # "kafkaMessagingClusterExample.enabled" is set to false. + # Please refer to https://www.eclipse.org/hono/docs/admin-guide/hono-kafka-client-configuration/ + # for a description of supported properties. + kafkaMessagingSpec: +# commonClientConfig: +# "bootstrap.servers": "broker0.my-custom-kafka.org:9092,broker1.my-custom-kafka.org:9092" +# producerConfig: +# "compression.type": none +# consumerConfig: +# "compression.type": none +# adminClientConfig: +# "compression.type": none + # tenantSpec contains Hono client properties used by all protocol adapters for # connecting to the Tenant service. # This property MUST be set if "deviceRegistryExample.enabled" is set to false. 
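Review bot: The `kafkaMessagingSpec` comment should warn that everything placed here, including a `sasl.jaas.config` with a password or an `ssl.truststore.password`, is rendered verbatim into the adapter and service Secrets, so production values belong in a separate values file passed with `-f` rather than in a committed `values.yaml`; add a sentence such as `# Credentials given here are copied into the generated Kubernetes Secrets; keep them out of version control.` The commented example also lists `"compression.type"` under `consumerConfig` and `adminClientConfig`, where, as far as the Kafka client documentation goes, it is a producer-only setting, which will mislead readers who copy the block; use a property that applies to each client type or drop those two entries. Minor typo in the new comment: `to be uses for messaging` → `to be used for messaging`.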
@@ -1757,3 +1785,46 @@ grafana: rbac: namespaced: true + +# kafkaMessagingClusterExample contains properties for configuring an example Kafka cluster +# to be used for messaging if "messagingNetworkType" is set to "kafka" +kafkaMessagingClusterExample: + # enabled indicates whether the example Kafka cluster consisting of a single broker + # and one Zookeeper instance should be deployed. This minimal deployment is not suitable + # for production purposes. To use an already existing Kafka cluster instead, + # set this property to false and configure "adapters.kafkaMessagingSpec". + enabled: false + +# configuration of the example Kafka cluster to be deployed if "kafkaMessagingClusterExample.enabled" is "true" +kafka: + replicaCount: 1 + # Set to false for productive setups. Topic management then needs to be provided externally. + autoCreateTopicsEnable: true + # The data is stored in Persistent Volumes. For more information regarding persistence and + # potential problems with permissions refer to: https://github.com/bitnami/charts/tree/master/bitnami/kafka#persistence + persistence: + size: 1Gi + zookeeper: + persistence: + size: 1Gi + # Expose the Kafka service to be accessed from outside the cluster (LoadBalancer service). + # Alternatively use NodePort configuration, for more information refer to + # https://github.com/bitnami/charts/tree/master/bitnami/kafka#accessing-kafka-brokers-from-outside-the-cluster + externalAccess: + enabled: true + service: + type: LoadBalancer + port: 9094 + loadBalancerIPs: [] + autoDiscovery: + enabled: true + serviceAccount: + create: true + rbac: + # Note that this could require creating RBAC rules, for more information refer to + # https://github.com/bitnami/charts/tree/master/bitnami/kafka#accessing-kafka-brokers-from-outside-the-cluster + create: true + # the name of the template (maintains the release name) + nameOverride: kafka + service: + port: 9092 From 6b291368cc5a8fbbe6ca8fc57e5cdff9ba22f28a Mon Sep 17 00:00:00 2001 
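Review bot: The example cluster is exposed outside the Kubernetes cluster by default (`externalAccess.enabled: true` with `service.type: LoadBalancer` on port 9094), so on a cloud provider the README quickstart publishes the broker on a public address without the user opting in, even though the same block says the deployment is not suitable for production. Default `externalAccess.enabled` to `false` and let users switch it on, or at least describe the exposure in the README next to the quickstart command. `autoDiscovery.enabled: true` together with `rbac.create: true` additionally creates RBAC for the broker's service account (the Bitnami chart appears to need it to look up the external address — confirm against the pinned subchart), which is only useful while external access is on, so the same switch should gate it. Minor wording in the added comments: `productive setups` → `production setups`.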
From: Abel Buechner-Mihaljevic Date: Tue, 1 Jun 2021 11:54:44 +0200 Subject: [PATCH 2/3] [#222] Add authentication for Kafka clients. Signed-off-by: Abel Buechner-Mihaljevic --- charts/hono/templates/_helpers.tpl | 3 +++ charts/hono/values.yaml | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl index 81ff4f56..5d9ecfdc 100644 --- a/charts/hono/templates/_helpers.tpl +++ b/charts/hono/templates/_helpers.tpl @@ -227,6 +227,9 @@ kafka: {{- if .dot.Values.kafkaMessagingClusterExample.enabled }} commonClientConfig: bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: SCRAM-SHA-512 + sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";" {{- else if not .dot.Values.adapters.kafkaMessagingSpec }} {{- required ".Values.adapters.kafkaMessagingSpec MUST be provided if example Kafka cluster is disabled" nil }} {{- else if not (index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers") }} diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml index b09fdc05..87f8ab0f 100755 --- a/charts/hono/values.yaml +++ b/charts/hono/values.yaml 
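Review bot: `first .dot.Values.kafka.auth.sasl.jaas.clientPasswords` (and the username next to it) is spliced into the JAAS string unescaped inside a YAML double-quoted scalar, so a password containing `"` or `\` yields an unparseable Secret or a broken JAAS fragment, and one containing `;` terminates the option list early. Escape `\` and `"` in both values with `replace` before interpolating, assemble the string with `printf`, and pass the result through `| quote` instead of the hand-written `\"...\"` wrapping, so YAML quoting and JAAS quoting are handled separately. `first` also silently ignores any further entries in `clientUsers`/`clientPasswords`; a comment on the line should state that only the first configured user is used by Hono's clients.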
@@ -1807,6 +1807,12 @@ kafka: zookeeper: persistence: size: 1Gi + auth: + enabled: true + clientUser: zookeeperUser + clientPassword: zookeeperPassword + serverUsers: zookeeperUser + serverPasswords: zookeeperPassword # Expose the Kafka service to be accessed from outside the cluster (LoadBalancer service). # Alternatively use NodePort configuration, for more information refer to # https://github.com/bitnami/charts/tree/master/bitnami/kafka#accessing-kafka-brokers-from-outside-the-cluster @@ -1828,3 +1834,13 @@ kafka: nameOverride: kafka service: port: 9092 + auth: + clientProtocol: sasl + sasl: + jaas: + clientUsers: + - "hono" + clientPasswords: + - "hono-secret" + zookeeperUser: zookeeperUser + zookeeperPassword: zookeeperPassword From acb227f2a7ad9d5fcbc4701922afe4749d8a445c Mon Sep 17 00:00:00 2001 From: Abel Buechner-Mihaljevic Date: Tue, 1 Jun 2021 11:57:46 +0200 Subject: [PATCH 3/3] [#222] Use TLS for connecting to Kafka. New certificates are created for the example Kafka broker. The broker is configured to expect TLS encrypted connections from clients. The truststore is added to all services and adapters that need to connect to Kafka. This is currently a "jks" file because in Kafka the support for the "pem" format was added in version 2.7 and Hono currently uses the Kafka clients in version 2.6. 
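Review bot: The Zookeeper credentials are hard-coded in the chart's default values (`clientPassword: zookeeperPassword`, `serverPasswords: zookeeperPassword`), so every installation that does not override them shares a password published in this repository, and the added lines carry no hint that they are placeholders. Either leave them empty so the Bitnami subchart has to fail or generate them (behaviour to confirm against the version pinned in requirements.yaml), or add a comment above `auth:` such as `# Example-only credentials, published with this chart; override them in any shared environment.`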
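Review bot: `clientPasswords: - "hono-secret"` ships a well-known default password for the `hono` SASL user, and since the first patch enables `externalAccess` with a `LoadBalancer` service, an installation that keeps the defaults accepts this published credential from anyone who can reach port 9094; `zookeeperPassword: zookeeperPassword` repeats the problem for the broker's Zookeeper login. Prefer leaving `clientPasswords` empty and failing in `_helpers.tpl` with `{{ required ".Values.kafka.auth.sasl.jaas.clientPasswords MUST be set when the example Kafka cluster is enabled" (first .dot.Values.kafka.auth.sasl.jaas.clientPasswords) }}`, matching the `required` style already used for other mandatory settings, or generate a random value into a Secret and reference it from both the subchart and the Hono clients. At minimum add a comment marking these lines as insecure example defaults.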
Signed-off-by: Abel Buechner-Mihaljevic --- charts/hono/example/ca_opts | 7 +++++ charts/hono/example/certs/kafka-cert.pem | 28 ++++++++++++++++++ charts/hono/example/certs/kafka-key.pem | 5 ++++ charts/hono/example/certs/kafkaKeyStore.jks | Bin 0 -> 1622 bytes charts/hono/example/create_certs.sh | 4 +++ charts/hono/templates/_helpers.tpl | 5 +++- .../hono-adapter-amqp-vertx-secret.yaml | 5 ++-- .../hono-adapter-coap-vertx-secret.yaml | 3 +- .../hono-adapter-http-vertx-secret.yaml | 3 +- .../hono-adapter-kura-secret.yaml | 3 +- .../hono-adapter-lora-vertx-secret.yaml | 3 +- .../hono-adapter-mqtt-vertx-secret.yaml | 3 +- .../hono-service-command-router-secret.yaml | 1 + .../hono-service-device-registry-secret.yaml | 1 + .../hono-service-device-registry-secret.yaml | 1 + .../hono-service-device-registry-secret.yaml | 1 + charts/hono/templates/kafka/kafka-secret.yaml | 23 ++++++++++++++ charts/hono/values.yaml | 6 +++- 18 files changed, 93 insertions(+), 9 deletions(-) create mode 100644 charts/hono/example/certs/kafka-cert.pem create mode 100644 charts/hono/example/certs/kafka-key.pem create mode 100644 charts/hono/example/certs/kafkaKeyStore.jks create mode 100644 charts/hono/templates/kafka/kafka-secret.yaml diff --git a/charts/hono/example/ca_opts b/charts/hono/example/ca_opts index 3f8f0ed9..2ee56ce6 100644 --- a/charts/hono/example/ca_opts +++ b/charts/hono/example/ca_opts @@ -146,3 +146,10 @@ subjectKeyIdentifier = hash keyUsage = keyAgreement,keyEncipherment,digitalSignature extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS.1:localhost + +[ req_ext_kafka ] + +subjectKeyIdentifier = hash +keyUsage = keyAgreement,keyEncipherment,digitalSignature +extendedKeyUsage = serverAuth, clientAuth +subjectAltName = DNS.1:*.hono-kafka-headless,DNS.2:*.hono-kafka-headless.hono,DNS.3:localhost diff --git a/charts/hono/example/certs/kafka-cert.pem b/charts/hono/example/certs/kafka-cert.pem new file mode 100644 index 00000000..92a33e3a --- /dev/null 
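Review bot: The new `[ req_ext_kafka ]` SANs hard-code the release name and namespace of one particular install (`*.hono-kafka-headless`, `*.hono-kafka-headless.hono`), whereas the client configuration in `_helpers.tpl` builds the broker address from `.Release.Name` and `.Release.Namespace`; with the README's own quickstart (release `eclipse-hono`) the address becomes `eclipse-hono-kafka-0.eclipse-hono-kafka-headless.hono`, which neither wildcard matches because the second label differs. That mismatch is presumably why hostname verification is disabled for the clients later in this series; record the constraint here, e.g. `# matches the example broker only for a release named "hono" installed in namespace "hono"`. `extendedKeyUsage = serverAuth, clientAuth` also grants a client-authentication purpose that a single-broker server certificate does not need; drop `clientAuth` unless inter-broker mTLS is planned.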
+++ b/charts/hono/example/certs/kafka-cert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIICPTCCAeOgAwIBAgIUB2vxWI9wj32OHLaABVV+iuVkdRwwCgYIKoZIzj0EAwIw +UDELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz +ZSBJb1QxDTALBgNVBAsMBEhvbm8xCzAJBgNVBAMMAmNhMB4XDTIxMDYwMjE1MjUw +N1oXDTIyMDYwMjE1MjUwN1owUzELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3 +YTEUMBIGA1UECgwLRWNsaXBzZSBJb1QxDTALBgNVBAsMBEhvbm8xDjAMBgNVBAMM +BWthZmthMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHfvUCACcO9wS9c/57EfA +i34dNdNTUPwAib143fEUiaC9wPCp6EPzIjFHx78n8DgY7iXc+rZE1BXqAbqVO/n0 +3KOBlzCBlDAdBgNVHQ4EFgQUErFQDWfU3iYKEYv8ws7Ka6N7AvAwCwYDVR0PBAQD +AgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBHBgNVHREEQDA+ghUq +Lmhvbm8ta2Fma2EtaGVhZGxlc3OCGiouaG9uby1rYWZrYS1oZWFkbGVzcy5ob25v +gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSAAwRQIhANeuZW+OCsrM23R2p2g5iH7/ +SyoSVU8d6DkcVpawSxgtAiAPWibmpN0qWTrf3s4N1zoaYC6EB7LY6D1cstaQ+/Lf +rA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB4zCCAYmgAwIBAgIUDvfsevHpF7ObReAAmGXXHHsAXDswCgYIKoZIzj0EAwIw +UjELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz +ZSBJb1QxDTALBgNVBAsMBEhvbm8xDTALBgNVBAMMBHJvb3QwHhcNMjEwMTI2MTMx +MzI1WhcNMjIwMTI2MTMxMzI1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UEBwwGT3R0 +YXdhMRQwEgYDVQQKDAtFY2xpcHNlIElvVDENMAsGA1UECwwESG9ubzELMAkGA1UE +AwwCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQrWtTxDTpqzkLfkZWT+RMp +w3y6/Mbmrj3S4DTfEv9bsuwUvZwcF7yy5X5YWFq+WOESLBh3nykxxg0MBRHdN0fx +oz8wPTAdBgNVHQ4EFgQUBxIgSnCFs43mB6a9umhpKCA2I30wDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgRau0yW4JCG+2e3w5 +KFWzCYV20/DNJ2Lj5ospGvNhl9sCIQCYde5228wNvKT3Qw6vk70HiS5r/mhFNJaZ +aPyf7W2E4g== +-----END CERTIFICATE----- diff --git a/charts/hono/example/certs/kafka-key.pem b/charts/hono/example/certs/kafka-key.pem new file mode 100644 index 00000000..37112f58 --- /dev/null +++ b/charts/hono/example/certs/kafka-key.pem 
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg0xs9OqU6CWzt1swR +qsf9pHWPducg3NGNAYG23hxHNkehRANCAAQd+9QIAJw73BL1z/nsR8CLfh0101NQ +/ACJvXjd8RSJoL3A8KnoQ/MiMUfHvyfwOBjuJdz6tkTUFeoBupU7+fTc +-----END PRIVATE KEY----- diff --git a/charts/hono/example/certs/kafkaKeyStore.jks b/charts/hono/example/certs/kafkaKeyStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f3fabeee62b2c4302bb292e9c8093e17b78695c4 GIT binary patch literal 1622 zcmV-c2C4Zlf(B9o0Ru3C1{ekjDuzgg_YDCD0ic2g2?T-$1u%jJ0Wg9D_XY_nhDe6@ z4FLxRpn?SGFoFc+0s#Opf&|?L2`Yw2hW8Bt2LUh~1_~;MNQUkZoVj zVk(0hS6pjXC>Se0vy8#s8;aRz_K++|1`RM8ba7-w7e-us@An>a$!T%vOg@(y{-*jC zYR6SO#gIN2OKk6YoNC{}2{UI7QvKE$gfGhD$Qe-Awlh6z->;PeD*^uIb<*zVx8r&F zAD9BK2+sR&q6?NV)ec}?-b|%^Y3IghDiJXZB(ac2?H8f3a*B;x0SH#@%aFC|aMQA* zsxWJ|J}+(x<)=zXfcU-q1{>tkLx#i!G|&q8nf(Gw(haq1dAEzFaylv>89W!z&&Yv) zt>#T=7 zSQ*x&TQ~4cR3%y?lq$lnSICn!eA^4HYpFhk(!1ZOf8UchSZilHbAH-i4dvHQD(X@? zARuU|8Dy`+d0=2rKj@ZHLj9IGiS0KA@uF%ZX&)Tf(?2hqNueR1GiMoyb^Y-LSEcg9 z#>#8^nt3i*1`S_s<{hdyWJC_ly5&SsaqU9yMkvdgg(s>ON?Bb2m@IHA(B7U&)IZ~{ z8T`HSnL3D6^MEzotsbM7vusaCiz{Y$;$JALQ7I_wf&=n-0NHTAN~Ctyqgm!fW<}V@ zE8_|1A5T==(@~JQ)uxoexh)E?HZPx{NC1bL2-my-{`}pt(E9H-S%a4fcUQo_NMCST zF=sg4Zg}5&q>o*vCYiuxnCFMHFp039a(ZMKS$K#BUw3bI~ zl)t9HOsl@#%6go{G2#Pf19f{|+%@B!P&W!!-n~L)3p0y@;&u=_7nL|W3sn2XTY8>W zZqaM-yN7)c+wGx=HUn#~5^u{zB`dtba&GolV+7YjMLZOX>Q`f>FEK7){S*ZQIKZE7 z2E*z+x^uOz9Ue-kV16R#>Af~dh|@8F2+jsy|ALt+n)Ktc9?xWt$7A>SL@ zX@4zdlmb$iBaRKgh zm;luroTU+CWrG3?`M`||J&K+W-1G1~s7(Z9{;_1&o~e5uC3-c;>m3f3n*Mt3e>{agCwvaq%9Fe>-};1MHL?TI%TR z_Vmtn@OF7Gnfb}2%_1@LH2SO&u-wZlnrppKW$60;;rS|O&LNQUovgjRFD)0O8i>_W%F@ literal 0 HcmV?d00001 diff --git a/charts/hono/example/create_certs.sh b/charts/hono/example/create_certs.sh index d8eda3fa..19c56e4a 100755 --- a/charts/hono/example/create_certs.sh +++ b/charts/hono/example/create_certs.sh 
@@ -41,6 +41,9 @@ AMQP_ADAPTER_KEY_STORE=amqpKeyStore.p12 AMQP_ADAPTER_KEY_STORE_PWD=amqpkeys EXAMPLE_GATEWAY_KEY_STORE=exampleGatewayKeyStore.p12 EXAMPLE_GATEWAY_KEY_STORE_PWD=examplegatewaykeys +KAFKA_KEY_STORE=kafkaKeyStore.jks +# the bitnami Kafka chart expects truststore and keystore to have the same password +KAFKA_KEY_STORE_PWD=honotrust # set to either EC or RSA KEY_ALG=EC @@ -141,5 +144,6 @@ create_cert artemis $ARTEMIS_KEY_STORE $ARTEMIS_KEY_STORE_PWD create_cert coap-adapter $COAP_ADAPTER_KEY_STORE $COAP_ADAPTER_KEY_STORE_PWD create_cert amqp-adapter $AMQP_ADAPTER_KEY_STORE $AMQP_ADAPTER_KEY_STORE_PWD create_cert example-gateway $EXAMPLE_GATEWAY_KEY_STORE $EXAMPLE_GATEWAY_KEY_STORE_PWD +create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD create_client_cert 4711 diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl index 5d9ecfdc..8b77aa82 100644 --- a/charts/hono/templates/_helpers.tpl +++ b/charts/hono/templates/_helpers.tpl 
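Review bot: `KAFKA_KEY_STORE_PWD=honotrust` is also the password the Hono Kafka clients present as `ssl.truststore.password` (the helper reads it from `.Values.kafka.auth.tls.password`), so regenerating the example certificates with a different value here silently breaks every Kafka client until `values.yaml` is updated as well. Record the coupling next to the assignment: `# MUST match kafka.auth.tls.password in values.yaml (clients use it as ssl.truststore.password)`. The generated `kafka-key.pem` is committed alongside the other example keys, so the script header should also say that anyone holding the repository can impersonate the example broker with it and that these stores are demo material only. `create_cert kafka` presumably selects the `req_ext_kafka` section added to `ca_opts` by name; that convention is not visible in this hunk.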
@@ -227,9 +227,12 @@ kafka: {{- if .dot.Values.kafkaMessagingClusterExample.enabled }} commonClientConfig: bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }} - security.protocol: SASL_PLAINTEXT + security.protocol: SASL_SSL sasl.mechanism: SCRAM-SHA-512 sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";" + ssl.truststore.location: /etc/hono/truststore.jks + ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }} + ssl.endpoint.identification.algorithm: "" # Disables hostname verification. Don't do this in productive setups! {{- else if not .dot.Values.adapters.kafkaMessagingSpec }} {{- required ".Values.adapters.kafkaMessagingSpec MUST be provided if example Kafka cluster is disabled" nil }} {{- else if not (index .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig "bootstrap.servers") }} diff --git a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml index ea224cf2..57b250ff 100644 --- a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml +++ b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml @@ -1,6 +1,6 @@ {{- if .Values.adapters.amqp.enabled }} # -# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation +# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. 
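Review bot: `ssl.endpoint.identification.algorithm: ""` turns off hostname verification for every Hono client of the example broker, so any peer presenting a certificate chained to the example CA is accepted at any address; the trust store is then the only protection, and the broker's own private key (`kafka-key.pem`) is committed in this same patch, so the comment should make explicit that TLS here guards against nothing more than casual eavesdropping. Since the cause appears to be the fixed SANs in `ca_opts` (they fit only a release named `hono` in namespace `hono`), consider disabling verification only when the release does not match, e.g. wrap the line in `{{- if or (ne .dot.Release.Name "hono") (ne .dot.Release.Namespace "hono") }}`. Also `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}` is unquoted, so a digit-only or `true`-like password is retyped by YAML; use `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password | quote }}`. The `values.yaml` side that defines `kafka.auth.tls.password` is not in this chunk.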
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/amqp-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/amqp-adapter.credentials" | b64enc }}
-{{- end }}
\ No newline at end of file
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
index 20427a12..95b57a5e 100644
--- a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.coap.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/coap-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/coap-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
index 491e4ef1..136f1eee 100644
--- a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
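Review bot: `truststore.jks` is added to the AMQP adapter secret unconditionally, so the Kafka trust store is shipped even when `messagingNetworkType` is `amqp` and no client reads it; the same applies to the coap, http, kura, lora and mqtt adapter secrets and to the command-router and the three device-registry secrets in the following hunks. Wrapping the entry as `{{- if eq .Values.messagingNetworkType "kafka" }}` / `  truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}` / `{{- end }}` keeps AMQP deployments unchanged. The `/etc/hono/truststore.jks` path used in `_helpers.tpl` also presumes this secret is mounted at `/etc/hono`, which this diff does not show, so a comment such as `# trust anchors for the Kafka client, expected at /etc/hono/truststore.jks` next to the entry would tie the two together.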
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.http.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/http-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/http-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
index 94bafceb..cb44c340 100644
--- a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
+++ b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.kura.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/kura-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/kura-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
index 1ce76850..93edc302 100644
--- a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.lora.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/lora-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/lora-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
index 15cb997e..f7d52acc 100644
--- a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.mqtt.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,4 +45,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/mqtt-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/mqtt-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
index 161a00ae..fc0f743e 100644
--- a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
+++ b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
@@ -102,4 +102,5 @@ data:
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/command-router.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
index eabb0119..87576ac8 100644
--- a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
index 4e282690..9ef5ed1f 100644
--- a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
@@ -73,4 +73,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
index 9b05e54c..371aba97 100644
--- a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/kafka/kafka-secret.yaml b/charts/hono/templates/kafka/kafka-secret.yaml
new file mode 100644
index 00000000..8b46539f
--- /dev/null
+++ b/charts/hono/templates/kafka/kafka-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafkaMessagingClusterExample.enabled }}
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- $args := dict "dot" . "component" "kafka" "name" "kafka-jks" }}
+ {{- include "hono.metadata" $args | nindent 2 }}
+type: Opaque
+data:
+ "kafka.truststore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+ "kafka-0.keystore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml
index 87f8ab0f..162369bc 100755
--- a/charts/hono/values.yaml
+++ b/charts/hono/values.yaml
@@ -1835,7 +1835,7 @@ kafka:
 service:
 port: 9092
 auth:
- clientProtocol: sasl
+ clientProtocol: sasl_tls
 sasl:
 jaas:
 clientUsers:
@@ -1844,3 +1844,7 @@ kafka:
 - "hono-secret"
 zookeeperUser: zookeeperUser
 zookeeperPassword: zookeeperPassword
+ tls:
+ type: jks
+ existingSecret: "{{ .Release.Name }}-kafka-jks"
+ password: honotrust
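Review bot: Both `kafka.truststore.jks` and `kafka-0.keystore.jks` are filled from the same `example/certs/kafkaKeyStore.jks`, so the store that carries the broker's private key is also published under the truststore name; the chart already ships the trust-only `example/certs/trustStore.jks`, which the adapters open with the same `kafka.auth.tls.password`, so `"kafka.truststore.jks": {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}` should work here and keeps the private key out of the trust role. The keystore key is hard-wired to broker `kafka-0`, which presumably only fits the single-broker example cluster described in the README; a comment such as `# single-broker example only: the bitnami chart looks up <pod-name>.keystore.jks per broker` would make that limit explicit.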
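Review bot: `password: honotrust` is the third copy of this literal (the cert script's `KAFKA_KEY_STORE_PWD` and, via `kafka.auth.tls.password`, the adapter client config in `_helpers.tpl` are the others) and nothing ties them together; a comment on the new `tls:` block, e.g. `# must match KAFKA_KEY_STORE_PWD used to generate example/certs/kafkaKeyStore.jks`, would prevent a silent mismatch. `existingSecret: "{{ .Release.Name }}-kafka-jks"` is a template expression inside values.yaml, so it only resolves if the Kafka subchart passes that value through `tpl`; if it does not, the literal string is used as the secret name and the example cluster will not find its stores. Either way the value has to equal the name `hono.metadata` derives from `"name" "kafka-jks"` in the new kafka-secret.yaml, which is worth stating in the same comment.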