danielqsj / kafka_exporter

Kafka exporter for Prometheus
Apache License 2.0

SSL kafka exporter #51

Open 1kaushik1 opened 6 years ago

1kaushik1 commented 6 years ago

Hello, Can the same exporter be used for SSL kafka with listeners on 9093?

1kaushik1 commented 6 years ago

@danielqsj

wulfuric commented 6 years ago

Hey, we got this working with ssl, I'll include the steps we took here.

First off, I'm running on OpenShift Origin, so we updated the Dockerfile to contain the line `ENTRYPOINT [ "sh", "-c", "/bin/kafka_exporter ${BOOTSTRAP_SERVERS} ${CERT_ARGS}" ]`

Where `${CERT_ARGS}` is `--tls.enabled --no-sasl.handshake --tls.ca-file=/etc/secrets/root/${ROOT_CA} --tls.cert-file /etc/secrets/cert/${CERT_FILE} --tls.key-file /etc/secrets/key/${KEY_FILE}`

We're reading in those files from openshift secrets, and mounting them.

Some other info I had typed up in my notes

If you have a .jks, steps to get it into the proper format:

```sh
# convert the Java keystore to PKCS#12 (keytool prompts for the store passwords)
keytool -importkeystore -srckeystore kafka-exporter.jks -destkeystore kafka-exporter.p12 -deststoretype PKCS12

# client certificate only
openssl pkcs12 -in kafka-exporter.p12 -nokeys -out kafka-exporter-cert.pem

# private key only, unencrypted (-nodes): the exporter reads a plaintext PEM key, so restrict the file's permissions
openssl pkcs12 -in kafka-exporter.p12 -nodes -nocerts -out kafka-exporter-key.pem
```

The cert must have the following ACLs:

Describe on topic=*

```sh
kafka-acls --authorizer-properties zookeeper.connect=server_name:2181 --add --allow-principal="User:CN=kafka-exporter,OU=,O=Inc.,L=,ST=,C=" --topic=* --operation describe
```

And Describe on cluster

```sh
kafka-acls --authorizer-properties zookeeper.connect=server_name:2181 --add --allow-principal="User:CN=kafka-exporter,OU=,O=Inc.,L=,ST=,C=" --cluster --operation describe
```

Hope this helps!
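A pre-flight check for the three PEM files, as an added example (Go, written for this page; it is not code from this thread or from kafka_exporter itself). It loads `--tls.cert-file`, `--tls.key-file` and `--tls.ca-file` with the same standard-library calls any Go TLS client uses, verifies that the key belongs to the cert and that the cert chains to the CA, and prints the RFC 2253 subject that Kafka's default `ssl.principal.mapping.rules` turns into the ACL principal (the `User:CN=...,OU=...` string in the `kafka-acls` commands above). The CA and client cert it builds when run without arguments are constructed test data; the DN values, file paths and the `Preflight`/`MakeTestPKI` names are assumptions, not anything the exporter exposes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// PreflightResult answers the questions you want settled before pointing the
// exporter at the 9093 listener: does the key match the cert, does the cert
// chain to the CA passed as --tls.ca-file, and which principal Kafka will see.
type PreflightResult struct {
	Principal string   // "User:<RFC 2253 DN>", Kafka's default SSL principal
	Chain     []string // subjects from the leaf up to the root
}

// Preflight takes the raw bytes of the three PEM files the exporter is given.
func Preflight(certPEM, keyPEM, caPEM []byte) (PreflightResult, error) {
	var res PreflightResult
	// Same check tls.LoadX509KeyPair does: fails if key and cert do not match.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return res, fmt.Errorf("cert/key mismatch or bad PEM: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return res, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return res, errors.New("--tls.ca-file contains no PEM certificates")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return res, fmt.Errorf("client cert does not chain to --tls.ca-file: %w", err)
	}
	for _, c := range chains[0] {
		res.Chain = append(res.Chain, c.Subject.String())
	}
	// pkix.Name.String() emits the DN in RFC 2253 order (CN first), which is
	// what Kafka's DEFAULT principal mapping rule produces from the cert.
	res.Principal = "User:" + leaf.Subject.String()
	return res, nil
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// MakeTestPKI builds constructed test data: a CA, a client cert it signed
// (standing in for the mounted OpenShift secrets), and an unrelated CA used to
// show the failure case. Not a substitute for your real PKI.
func MakeTestPKI() (certPEM, keyPEM, caPEM, otherCAPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := caTemplate(1, "root-ca")
	caPEM = mustCert(ca, ca, &caKey.PublicKey, caKey)

	cliKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cli := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "kafka-exporter", OrganizationalUnit: []string{"monitoring"},
			Organization: []string{"Inc."}, Locality: []string{"Austin"}, Province: []string{"TX"}, Country: []string{"US"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	certPEM = mustCert(cli, ca, &cliKey.PublicKey, caKey)
	der, _ := x509.MarshalPKCS8PrivateKey(cliKey)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})

	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other := caTemplate(3, "some-other-ca")
	otherCAPEM = mustCert(other, other, &otherKey.PublicKey, otherKey)
	return
}

func main() {
	certPEM, keyPEM, caPEM, _ := MakeTestPKI()
	if len(os.Args) == 4 { // usage: preflight cert.pem key.pem ca.pem
		certPEM, _ = os.ReadFile(os.Args[1])
		keyPEM, _ = os.ReadFile(os.Args[2])
		caPEM, _ = os.ReadFile(os.Args[3])
	}
	res, err := Preflight(certPEM, keyPEM, caPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, "preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("ACL principal:", res.Principal)
	fmt.Println("chain:", res.Chain)
}
```

Run it with the three real paths before starting the exporter. If the principal it prints differs from the `--allow-principal` value you gave `kafka-acls`, the Describe ACLs will not match: with the default `ssl.principal.mapping.rules` Kafka compares the full DN string, so an empty `OU=` in one and `OU=monitoring` in the other is a different principal. Passing the wrong CA (the `otherCAPEM` case) fails at the chain check, which is the same failure you would otherwise only see as a TLS handshake error from the broker.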

njmaojing commented 6 years ago

@wulfuric hey, after reading your solution I still can't solve it. My Java client uses two JKS files: client.keystore.jks and client.trust.jks. I wonder how to use these two files in your project, thanks.

njmaojing commented 6 years ago

> Hello, Can the same exporter be used for SSL kafka with listeners on 9093?

Hey, have you solved it?

wulfuric commented 6 years ago

That is what my instructions address, exporting the client.keystore.jks to the right format.

Then, instead of the truststore you'll pass in your root CA.

For more information, read https://stackoverflow.com/questions/46210329/how-to-use-confluent-kafka-with-the-key-store-file and https://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format