python confluent kafka client - unable to access Kafka on GKE using SSL

Problem description  Votes: 0  Answers: 1

I have a simple python Kafka producer and I am trying to access a Strimzi Kafka cluster on GKE, but I get the following error:

cimpl.KafkaException: KafkaError{code=_INVALID_ARG,val=-186,str="Failed to create producer: ssl.key.location failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}

Here is the Kafka producer code:

from confluent_kafka import Producer

kafkaBrokers = '<host>:<port>'
caRootLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cacerts.pem'
certLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cert.pem'
keyLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/key.pem'
password = '<password>'

# librdkafka SSL settings: CA used to verify the broker, plus the client cert/key pair
conf = {'bootstrap.servers': kafkaBrokers,
        'security.protocol': 'SSL',
        'ssl.ca.location': caRootLocation,
        'ssl.certificate.location': certLocation,
        'ssl.key.location': keyLocation,
        'ssl.key.password': password
}
topic = 'my-topic1'

producer = Producer(conf)

for n in range(100):
    producer.produce(topic, key=str(n), value="val -> " + str(n))

producer.flush()

To get the pem files (from the secrets - PKCS files), the following commands were used:

kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.password}' | base64 -d > ca.password

kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.p12}' | base64 -d > user2.p12
kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.password}' | base64 -d > user2.password

# to get the user private key i.e. key.pem
openssl pkcs12 -in user2.p12 -nodes -nocerts -out key.pem -passin pass:<passwd>

# CARoot - extract cacerts.cer
openssl pkcs12 -in ca.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.cer
# convert to pem format
openssl x509 -in cacerts.cer -out cacerts.pem

# get the ca.crt from the secret
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
# convert to pem
openssl x509 -in ca.crt -out cert.pem

Any ideas on how to fix this?

Please note - I am able to access the Kafka cluster using the command-line Kafka producer/consumer over SSL.

ssl apache-kafka openssl ssl-certificate strimzi
1 answer

0 votes

This issue has been fixed; see the expected configuration below:

'ssl.ca.location' -> CARoot (certifying authority, used to sign all the user certs)
'ssl.certificate.location' -> User Cert (used by Kubernetes to authenticate to API server)
'ssl.key.location' -> User private key

The above error was caused by using the wrong user certificate; it should match the user private key.
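The mismatch behind the "X509_check_private_key:key values mismatch" error can be caught before librdkafka sees the files by comparing the public key inside the certificate with the public half of the private key. The helper below is an added example, not code from the question or the answer; it assumes openssl is on PATH and that the key is unencrypted (as produced by `openssl pkcs12 -nodes`; an encrypted key would need `-passin`).

```shell
#!/bin/sh
# Added example: verify that a client certificate and private key belong together
# before putting them into 'ssl.certificate.location' / 'ssl.key.location'.
# Assumes openssl on PATH; the file paths are arguments, not Strimzi defaults.

# SHA-256 digest of the certificate's public key (DER SubjectPublicKeyInfo).
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest for the public half of the private key (unencrypted PEM/DER).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when the cert and key match, 1 otherwise; prints both digests so the
# mismatch (e.g. a CA cert paired with a user key) is visible in the log.
cert_key_match() {
    c=$(cert_pubkey_digest "$1")
    k=$(key_pubkey_digest "$2")
    printf 'cert pubkey sha256: %s\nkey  pubkey sha256: %s\n' "$c" "$k"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: cert_key_match cert.pem key.pem && echo "pair OK" || echo "MISMATCH"
```

Running it on the question's files would show the digest of ca.crt (renamed cert.pem) differing from that of the user's key.pem, which is exactly what the answer points out.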
