Closed oana-s closed 3 years ago
I'm not sure I would expect curl to work. Kafka does not do HTTP protocol (you can use the HTTP Bridge for that - https://strimzi.io/docs/operators/latest/full/deploying.html#kafka-bridge-str), but you cannot talk HTTP to Kafka directly. There is also no Host header, the TLS passthrough needs to work on TLS-SNI. So in theory, you should be able to do something like `curl -v https://my-cluster-kafka-0` and it should get to the broker. But because of the HTTP, it will never get any nice response.
A better way to just test the setup is to do `openssl s_client -connect my-cluster-kafka-0:443 -servername my-cluster-kafka-0 -showcerts` => if it gives you the certificates from the broker, then the ingress setup is ok and you can connect with Kafka clients.
I have been able to retrieve the certificates using

```
kubectl get secret my-cluster-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
```

which I am using, unsuccessfully, along with the following config on client side:

```
BootstrapServers = "20.76.0.53:443",
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslMechanism = SaslMechanism.ScramSha512,
SaslUsername = user,
SaslPassword = pwd,
SslCaLocation = "ca.crt"
```
To be mentioned that, before changing to Ingress, I was using LoadBalancer as external listeners and the whole flow was functional. As mentioned, on client side, I get some Confluent .NET generic error and, weird enough, I cannot see anything in the broker nor in the nginx logs, as the request wouldn't even reach it.
I'm not sure that is relevant but when I try to describe the ingress, I get
```
osamf@SPS-NB244:~/allfiles$ kubectl describe ingress.extensions/my-cluster-kafka-bootstrap
Name:             my-cluster-kafka-bootstrap
Namespace:        default
Address:          10.240.0.4
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  SNI routes my-cluster-kafka-external-bootstrap
Rules:
  Host                                 Path  Backends
  ----                                 ----  --------
  my-cluster-kafka-external-bootstrap
                                       /     my-cluster-kafka-external-bootstrap:9094 (10.244.0.16:9094)
Annotations:  ingress.kubernetes.io/ssl-passthrough: true
              kubernetes.io/ingress.class: nginx
              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
              nginx.ingress.kubernetes.io/ssl-passthrough: true
Events:       <none>
```
When I query the services with `kubectl get svc` I get

```
NAME                                  TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
kubernetes                            ClusterIP      10.0.0.1       <none>        443/TCP                      4h55m
my-cluster-kafka-0                    ClusterIP      10.0.218.224   <none>        9094/TCP                     4h2m
my-cluster-kafka-bootstrap            ClusterIP      10.0.93.18     <none>        9091/TCP,9092/TCP            4h2m
my-cluster-kafka-brokers              ClusterIP      None           <none>        9091/TCP,9092/TCP            4h2m
my-cluster-kafka-external-bootstrap   ClusterIP      10.0.255.22    <none>        9094/TCP                     4h2m
my-cluster-zookeeper-client           ClusterIP      10.0.215.162   <none>        2181/TCP                     4h4m
my-cluster-zookeeper-nodes            ClusterIP      None           <none>        2181/TCP,2888/TCP,3888/TCP   4h4m
nginx-nginx-ingress-controller        LoadBalancer   10.0.21.148    20.76.0.53    80:31180/TCP,443:32575/TCP   4h5m
nginx-nginx-ingress-default-backend   ClusterIP      10.0.141.215   <none>        80/TCP                       4h5m
```
So, the way the Ingress works: the `host` field which you configured defines the DNS name under which the Ingress will be accessible by the clients. So on the machine where you run the clients, when you do `nslookup my-cluster-kafka-external-bootstrap` or `nslookup my-cluster-kafka-0`, it has to point to the address of the Nginx LoadBalancer (20.76.0.53). Also, you cannot use `20.76.0.53:443` as the bootstrap address. It has to be `my-cluster-kafka-external-bootstrap:443`. When the client connects to the Ingress controller and in the SSL handshake requests `my-cluster-kafka-external-bootstrap`, it will thanks to the TLS-SNI mechanisms know that this connection should be routed to the brokers.

So you have to double-check these two steps ... make sure the routing works (I'm not sure what environment you use. But for example the basic mechanism working on any Linux or MacOS machine would be to add these to `/etc/hosts`. Or if you have some DNS server, you could of course use that as well). And once the routing works, configure the right address in the client.
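The two checks described in the comment above, as an added example that is not part of the thread or of Strimzi itself: first confirm that the Ingress host names resolve to the Nginx LoadBalancer IP, then perform a TLS handshake with SNI set to that host name and verify the broker certificate against the extracted cluster CA. The `/etc/hosts` content, the host names and the LB IP `20.76.0.53` are the ones from the thread; the sample file text is constructed, and `ca.crt` is assumed to be the file produced by the `kubectl get secret` command earlier in the thread.

```python
import socket
import ssl

# Constructed sample of the /etc/hosts entries the comment suggests adding:
# both Ingress host names pointing at the Nginx LoadBalancer IP.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Strimzi Ingress hosts -> Nginx LoadBalancer
20.76.0.53 my-cluster-kafka-external-bootstrap
20.76.0.53 my-cluster-kafka-0
"""

INGRESS_HOSTS = ["my-cluster-kafka-external-bootstrap", "my-cluster-kafka-0"]


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def routing_problems(mapping, hosts, lb_ip):
    """Step 1: every Ingress host must resolve to the LoadBalancer IP."""
    return [h for h in hosts if mapping.get(h) != lb_ip]


def sni_handshake(host, ca_file, port=443):
    """Step 2: TLS handshake with SNI=host, verified against the cluster CA.
    Returns the DNS SANs the broker presented, or the verification error."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname check stays on
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"error": str(exc)}
    return {"sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]}


def check_ingress_route(hosts_text, hosts, lb_ip, ca_file):
    """Stop at the DNS stage if names do not point at the LB; else try TLS."""
    bad = routing_problems(parse_hosts(hosts_text), hosts, lb_ip)
    if bad:
        return {"stage": "dns", "hosts": bad}
    return {"stage": "tls", "result": {h: sni_handshake(h, ca_file) for h in hosts}}
```

Run `check_ingress_route(open("/etc/hosts").read(), INGRESS_HOSTS, "20.76.0.53", "ca.crt")` on the client machine; a result at stage `dns` means the name routing is still wrong, and a `tls` error on one host while the other succeeds points at a missing SNI route for that name.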
Perfect! thank you very much for your guidance!
For some reason, the routing only worked with `my-cluster-kafka-0` ... maybe I missed something.
Nevertheless, thank you again!
I will close the ticket now!
This is my Kafka cluster config
I create the NGINX controller using this

```
helm install nginx stable/nginx-ingress --set rbac.create=true --set controller.service.type=LoadBalancer --set controller.extraArgs.annotations-prefix=nginx.ingress.kubernetes.io --set controller.extraArgs.enable-ssl-passthrough=""
```

When I try to curl I get the following error:

```
curl -k -s https://20.76.0.53:443 -H "Host: my-cluster-kafka-0" -v
```
Logs from broker:
Logs from NGINX
Can you please help me figure out what I am doing wrong? Thank you!