Apicurio / apicurio-registry-operator

The Kubernetes Operator for Apicurio Registry.
Apache License 2.0

Setting up Registry with TLS Connection to Kafka #248

Closed meretri closed 5 months ago

meretri commented 6 months ago

Hi :)

I am trying to set up the registry on Kubernetes using the Registry Operator. I have successfully deployed the operator but I can not start the Registry. Here is the config of my Kafka Cluster:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: cdc-cluster
  namespace: debezium
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    version: 3.7.0
    metadataVersion: 3.7-IV4
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true

I also have a User for the Registry:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: schema-registry-user
  labels:
    strimzi.io/cluster: cdc-cluster
  namespace: debezium
spec:
  authentication:
    type: tls

I have the following secrets:

NAME                                      TYPE     DATA   AGE
cdc-cluster-clients-ca                    Opaque   1      2d19h
cdc-cluster-clients-ca-cert               Opaque   3      2d19h
cdc-cluster-cluster-ca                    Opaque   1      2d21h
cdc-cluster-cluster-ca-cert               Opaque   3      2d20h
cdc-cluster-cluster-operator-certs        Opaque   4      2d19h
cdc-cluster-entity-topic-operator-certs   Opaque   4      2d19h
cdc-cluster-entity-user-operator-certs    Opaque   4      2d19h
cdc-cluster-kafka-brokers                 Opaque   24     2d19h
schema-registry-user                      Opaque   5      138m

I installed the apicurio cluster operator with the install.yaml. My registry config looks like this:

apiVersion: registry.apicur.io/v1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry-kafkasql-tls
  namespace: debezium
spec:
  configuration:
    persistence: "kafkasql"
    kafkasql:
      bootstrapServers: "cdc-cluster-kafka-bootstrap.debezium.svc:9093"
      security:
        tls:
          keystoreSecretName: schema-registry-user
          truststoreSecretName: cdc-cluster-cluster-ca-cert

But when I deploy the registry I get the following error:

2024-05-03 10:14:52 WARN <> [org.apache.kafka.clients.NetworkClient] (kafka-admin-client-thread | adminclient-1) [AdminClient clientId=adminclient-1] Connection to node -1 (cdc-cluster-kafka-bootstrap.debezium.svc/10.0.246.94:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
2024-05-03 10:14:53 WARN <> [org.apache.kafka.common.network.Selector] (kafka-admin-client-thread | adminclient-1) [AdminClient clientId=adminclient-1] Unexpected error from cdc-cluster-kafka-bootstrap.debezium.svc/10.0.246.94 (channelId=-1); closing connection: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:101)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:309)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:255)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:571)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1413)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1344)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:98)
        ... 25 more

I have set everything up according to this documentation: https://www.apicur.io/registry/docs/apicurio-registry-operator/1.2.0-dev-v2.x/assembly-registry-storage.html#registry-persistence-kafkasql-tls

Can anyone help me on this?
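The ApicurioRegistry config above names two Secrets, and the "trustAnchors parameter must be non-empty" error means the Kafka client loaded a truststore it could not take any CA from. As an added check (not part of the issue or the operator's own code), this Python validates that each Secret carries the entries the operator reads before the pod is started; it assumes the Strimzi key names `ca.p12`/`ca.password` for the truststore and `user.p12`/`user.password` for the keystore, as in the linked docs, and uses constructed sample Secrets in place of `kubectl get secret -o json` output.

```python
import base64

# Entries the Apicurio Registry Operator's kafkasql TLS config reads from each
# Strimzi-generated Secret (assumption taken from the linked documentation).
TRUSTSTORE_KEYS = ("ca.p12", "ca.password")
KEYSTORE_KEYS = ("user.p12", "user.password")

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def check_store(secret: dict, store_key: str, password_key: str) -> list:
    """Return reasons the Kafka client could not load a usable PKCS12 store from this Secret."""
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    data = secret.get("data", {})  # Secret values are base64-encoded
    problems = []
    if store_key not in data:
        problems.append(f"{name}: missing key {store_key}")
    else:
        blob = base64.b64decode(data[store_key])
        # PKCS12 is DER-encoded, so a usable store begins with a SEQUENCE tag (0x30).
        if not blob:
            problems.append(f"{name}: {store_key} is empty")
        elif blob[0] != 0x30:
            problems.append(f"{name}: {store_key} is not a DER/PKCS12 file")
    if password_key not in data:
        problems.append(f"{name}: missing key {password_key}")
    elif not base64.b64decode(data[password_key]):
        problems.append(f"{name}: {password_key} is empty")
    return problems

def check_kafkasql_tls(truststore: dict, keystore: dict) -> list:
    """Validate the Secret pair named under spec.configuration.kafkasql.security.tls."""
    return check_store(truststore, *TRUSTSTORE_KEYS) + check_store(keystore, *KEYSTORE_KEYS)

# Constructed sample Secrets shaped like the ones in the issue (no real certificates):
# a PKCS12 file starts with SEQUENCE { INTEGER 3 ... }, so that DER prefix stands in.
FAKE_P12 = _b64(b"\x30\x03\x02\x01\x03")
GOOD_TRUSTSTORE = {"metadata": {"name": "cdc-cluster-cluster-ca-cert"},
                   "data": {"ca.crt": _b64(b"-----BEGIN CERTIFICATE-----"),
                            "ca.p12": FAKE_P12, "ca.password": _b64(b"changeit")}}
GOOD_KEYSTORE = {"metadata": {"name": "schema-registry-user"},
                 "data": {"user.p12": FAKE_P12, "user.password": _b64(b"s3cret")}}
# Same Secret name, but the ca.p12 entry was overwritten with an empty value.
BAD_TRUSTSTORE = {"metadata": {"name": "cdc-cluster-cluster-ca-cert"},
                  "data": {"ca.crt": _b64(b"..."), "ca.p12": "",
                           "ca.password": _b64(b"changeit")}}

if __name__ == "__main__":
    for label, ts in (("good", GOOD_TRUSTSTORE), ("bad", BAD_TRUSTSTORE)):
        print(label, check_kafkasql_tls(ts, GOOD_KEYSTORE) or "ok")
```

Run it against real output with `kubectl get secret <name> -o json` parsed by `json.load`; a non-empty result points at the entry to regenerate before redeploying the registry.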

meretri commented 5 months ago

I think I just messed up the certificates...