bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/schema-registry] Cannot connect using ssl #71306

Open buuhvprojects opened 2 weeks ago

buuhvprojects commented 2 weeks ago

Name and Version

bitnami/schema-registry:7.4

What architecture are you using?

None

What steps will reproduce the bug?

Docker-compose configuration

  zookeeper:
    image: bitnami/zookeeper:3.7.0
    container_name: zookeeper
    env_file:
      - .env
    environment:
      - ZOO_ENABLE_AUTH=yes
      - ZOO_SERVER_USERS=${KAFKA_USERNAME}
      - ZOO_SERVER_PASSWORDS=${KAFKA_PASSWORD}
      - ZOO_CLIENT_USER=${KAFKA_USERNAME}
      - ZOO_CLIENT_PASSWORD=${KAFKA_PASSWORD}
    ports:
      - "2181:2181"
    networks:
      - kafkanet
    volumes:
      - zookeeper_data:/bitnami/zookeeper

  schema-registry:
    image: bitnami/schema-registry:7.4
    ports:
      - '8081:8081'
      - '8082:8082'
    env_file:
      - .env
    networks:
      - kafkanet
    environment:
      - SCHEMA_REGISTRY_KAFKA_BROKERS=PLAINTEXT://${KAFKA_HOST_0}:29092,PLAINTEXT://${KAFKA_HOST_1}:29093
      - SCHEMA_REGISTRY_HOST_NAME=schema-registry
      - SCHEMA_REGISTRY_LISTENERS=http://0.0.0.0:8081,https://0.0.0.0:8082
      - SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_CLIENT_AUTHENTICATION=REQUESTED
      - SCHEMA_REGISTRY_ADVERTISED_HOSTNAME=schema-registry
      - SCHEMA_REGISTRY_KAFKA_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_KAFKA_KEY_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_KEY_PASSWORD=${KAFKA_PASSWORD}
      - SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=none
    volumes:
      - ./certs/kafka.client.keystore.jks:/opt/bitnami/schema-registry/certs/ssl.keystore.jks
      - ./certs/kafka.client.truststore.jks:/opt/bitnami/schema-registry/certs/ssl.truststore.jks

  kafka-0:
    image: bitnami/kafka:2.8.1
    container_name: kafka-0
    depends_on:
      - zookeeper
    env_file:
      - .env
    networks:
      - kafkanet
    ports:
      - "29092:29092"
    environment:
      # Zookeeper credentials
      - KAFKA_ZOOKEEPER_PROTOCOL=SASL
      - KAFKA_ZOOKEEPER_USER=${KAFKA_USERNAME}
      - KAFKA_ZOOKEEPER_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_ZOOKEEPER_CONNECT=${ZOOKEEPER_HOST}:2181
      - KAFKA_CFG_BROKER_ID=0
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SSL,EXTERNAL:SSL
      - KAFKA_CFG_LISTENERS=INTERNAL://kafka-0:9092,EXTERNAL://0.0.0.0:29092
      - KAFKA_CFG_ADVERTISED_LISTENERS=INTERNAL://kafka-0:9092,EXTERNAL://${KAFKA_HOST}:29092
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=INTERNAL
      - KAFKA_CFG_SSL_KEYSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.keystore.jks
      - KAFKA_CFG_SSL_KEYSTORE_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SSL_TRUSTSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
      - KAFKA_CFG_SSL_TRUSTSTORE_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SSL_KEY_PASSWORD=${KAFKA_PASSWORD}
      - KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
      - KAFKA_CFG_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="${KAFKA_USERNAME}" password="${KAFKA_PASSWORD}";
      - KAFKA_CFG_SECURITY_PROTOCOL=SSL
      - ALLOW_PLAINTEXT_LISTENER=yes
      - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=false
      - KAFKA_CFG_LOG_RETENTION_MS=${KAFKA_CFG_LOG_RETENTION_MS}
      - KAFKA_CFG_MAX_REQUEST_SIZE=${KAFKA_CFG_MAX_REQUEST_SIZE}
      - KAFKA_CFG_MESSAGE_MAX_BYTES=${KAFKA_CFG_MESSAGE_MAX_BYTES}
      - KAFKA_CFG_MIN_INSYNC_REPLICAS=2
      - KAFKA_CFG_UNCLEAN_LEADER_ELECTION_ENABLE=false
      - KAFKA_CFG_DEFAULT_REPLICATION_FACTOR=3
      - KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR=3
      - KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR=3
      - KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR=2

    volumes:
      - ./certs/ca-cert.pem:/opt/bitnami/kafka/config/certs/ca-cert.pem
      - ./certs/ca-cert.srl:/opt/bitnami/kafka/config/certs/ca-cert.srl
      - ./certs/ca-key.pem:/opt/bitnami/kafka/config/certs/ca-key.pem
      - ./certs/client.crt.pem:/opt/bitnami/kafka/config/certs/client.crt.pem
      - ./certs/client.csr.pem:/opt/bitnami/kafka/config/certs/client.csr.pem
      - ./certs/client.properties:/opt/bitnami/kafka/config/certs/client.properties
      - ./certs/kafka-0.crt.pem:/opt/bitnami/kafka/config/certs/kafka-0.crt.pem
      - ./certs/kafka-0.csr.pem:/opt/bitnami/kafka/config/certs/kafka-0.csr.pem
      - ./certs/kafka-0.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks
      - ./certs/kafka-0.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks
      - kafka_data_0:/bitnami/kafka

What is the expected behavior?

No response

What do you see instead?

I use images from Bitnami. My ZooKeeper is configured with a user and password. My cluster has 2 nodes, broker0 and broker1, both with a certificate for auth in Kafka.

My Kafka UI, also from provectuslabs/kafka-ui, can connect to the broker using the keystore and truststore.

However, the schema-registry does not connect. I noticed that the schema registry README is also wrong, because the correct path for the volume is /opt/bitnami/schema-registry/certs/ssl.keystore.jks:ro and not /opt/bitnami/schema-registry/certs/keystore.jks:ro.

Additional information

No response
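A config lint for the mismatches visible in the compose above, written as an added example (not Bitnami's or the reporter's code): it flags broker URL schemes the registry is told to use that the broker listener map does not offer, an endpoint identification algorithm of none, and missing mounts at the store paths the reporter names. The environment values are transcribed from the compose in the issue; whether the scheme mismatch is the cause of this particular failure is not established by the thread.

```python
import re

# Environment and mounts transcribed from the compose file in the issue
# (constructed for this example; the ${...} .env placeholders are left unexpanded).
SCHEMA_REGISTRY_ENV = {
    "SCHEMA_REGISTRY_KAFKA_BROKERS": "PLAINTEXT://${KAFKA_HOST_0}:29092,PLAINTEXT://${KAFKA_HOST_1}:29093",
    "SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM": "none",
}
KAFKA_ENV = {"KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP": "INTERNAL:SSL,EXTERNAL:SSL"}
SCHEMA_REGISTRY_VOLUMES = [
    "./certs/kafka.client.keystore.jks:/opt/bitnami/schema-registry/certs/ssl.keystore.jks",
    "./certs/kafka.client.truststore.jks:/opt/bitnami/schema-registry/certs/ssl.truststore.jks",
]
# Container paths the reporter says the image reads its stores from.
EXPECTED_STORES = {
    "/opt/bitnami/schema-registry/certs/ssl.keystore.jks",
    "/opt/bitnami/schema-registry/certs/ssl.truststore.jks",
}

def broker_protocols(listener_map: str) -> set[str]:
    """'INTERNAL:SSL,EXTERNAL:SSL' -> {'SSL'}: the protocols the brokers actually speak."""
    return {e.split(":", 1)[1].strip() for e in listener_map.split(",") if ":" in e}

def client_protocols(brokers: str) -> set[str]:
    """'PLAINTEXT://h:1,SSL://h:2' -> {'PLAINTEXT', 'SSL'}; a bare host:port counts as PLAINTEXT."""
    protos = set()
    for b in brokers.split(","):
        m = re.match(r"([A-Z_]+)://", b.strip())
        protos.add(m.group(1) if m else "PLAINTEXT")
    return protos

def lint(sr_env: dict, kafka_env: dict, volumes: list) -> list[str]:
    """Return one finding per mismatch between what the registry is told and what the brokers offer."""
    findings = []
    offered = broker_protocols(kafka_env["KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP"])
    for proto in sorted(client_protocols(sr_env["SCHEMA_REGISTRY_KAFKA_BROKERS"]) - offered):
        findings.append(f"registry dials brokers with {proto}, but listeners only offer {sorted(offered)}")
    if sr_env.get("SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM", "").lower() == "none":
        findings.append("endpoint identification is 'none': peer certificates are not matched to the hostname")
    # Volume entries are host:container[:mode]; the container path is the second field.
    mounted = {v.split(":")[1] for v in volumes}
    for path in sorted(EXPECTED_STORES - mounted):
        findings.append(f"nothing mounted at {path}; the registry will not find that store")
    return findings

if __name__ == "__main__":
    for line in lint(SCHEMA_REGISTRY_ENV, KAFKA_ENV, SCHEMA_REGISTRY_VOLUMES):
        print("FINDING:", line)
```

Run against the posted values it reports the PLAINTEXT-vs-SSL mismatch and the disabled hostname matching; a mount at the README's keystore.jks path instead of ssl.keystore.jks shows up as a missing store.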

javsalgar commented 2 weeks ago

Hi!

Could you share the logs of the nodes? Which is the error that appears?

github-actions[bot] commented 3 days ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.