Client File Configuration

To ensure secure communication, please complete the configuration related to encrypted transmission on the Kafka client.

Notes

The following operations should be performed on the control node within the cluster.

Required File Preview

Prepare the files according to the authentication type of the Kafka instance. Each set of files belongs to exactly one Kafka instance: if there are multiple instances, prepare a separate set for each, and the sets can be placed in different paths. For access from within the cluster, the examples below use /home/kafka as the client path.

Encryption Method                  | Authentication Method  | Required Files
-----------------------------------|------------------------|----------------------------------------------------
Intra-cluster: TLS; External: TLS  | SCRAM-SHA-512 or none  | CA certificate: ca.p12
                                   |                        | Client configuration file: client-ssl.properties
Intra-cluster: TLS; External: TLS  | TLS                    | CA certificate: ca.p12
                                   |                        | User certificate: user.p12
                                   |                        | Client configuration file: client-ssl.properties

I. Configure CA Certificate

  1. Export the CA certificate (PKCS12 truststore) from the cluster CA Secret.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka instance name}-cluster-ca-cert -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12
  2. Retrieve the password of the CA truststore from the same Secret. Record this password; it is needed as ssl.truststore.password in the client configuration.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka instance name}-cluster-ca-cert -o jsonpath='{.data.ca\.password}' | base64 -d

II. User Certificate

  1. Export the user certificate and private key (PKCS12 keystore) from the Kafka user's Secret.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka user name} -o jsonpath='{.data.user\.p12}' | base64 -d > user.p12
  2. Retrieve the password of the user keystore from the same Secret. Record this password; it is needed as ssl.keystore.password in the client configuration.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka user name} -o jsonpath='{.data.user\.password}' | base64 -d

III. Configure Client Configuration Files

client-ssl.properties (Without Authentication)

$ cat << EOF > client-ssl.properties
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=/home/kafka/ca.p12
ssl.truststore.password={CA certificate password}
EOF

client.properties (For SCRAM-SHA-512 Authentication)

Prerequisite: On the User Management tab, open the Secret associated with the Kafka user and record the value of its password field.

$ cat << EOF > client.properties
security.protocol=SASL_SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=/home/kafka/ca.p12
ssl.truststore.password={CA certificate password}

sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="{Kafka user name}" \
    password="{Kafka user password}";

EOF

client-ssl.properties (For TLS Authentication)

$ cat << EOF > client-ssl.properties
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location={client path}/ca.p12
ssl.truststore.password={CA certificate password}

ssl.keystore.type=PKCS12
ssl.keystore.location=/home/kafka/user.p12
ssl.keystore.password={user certificate password}
EOF
TIP

To enable external access, include ssl.endpoint.identification.algorithm= (with an empty value) in the configuration file. An empty value turns off hostname verification of the broker certificate: the client still requires the broker certificate to chain to the CA in ca.p12, but no longer checks that the broker address it connected to appears in that certificate. Add this line only for external access, where the bootstrap address may not match the certificate, and keep the default for intra-cluster access.
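The three configuration files in this section differ only in a few keys, and the values pasted into them (passwords, paths) are easy to get wrong before the copy step. The following POSIX shell script is an added example, not part of the original page: render_client_config writes one of the three variants from parameters, and check_client_config verifies a finished file before it is copied to the client, confirming that every keystore it references exists locally, that no {placeholder} password was left unfilled, and reporting when hostname verification has been switched off. It assumes ca.p12 and user.p12 were already exported with the kubectl commands in sections I and II; the function names and the placeholder values in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Renders and checks a Kafka
# client properties file for the three modes documented above.
# Assumes ca.p12 / user.p12 were already exported from the Secrets.

# render_client_config MODE OUTFILE CLIENT_PATH CA_PASSWORD [ARG1] [ARG2]
#   MODE none  : TLS encryption, no client authentication
#   MODE scram : TLS encryption + SCRAM-SHA-512 (ARG1=user name, ARG2=user password)
#   MODE tls   : TLS encryption + TLS client certificate (ARG1=user.p12 password)
render_client_config() {
  mode="$1"; out="$2"; cpath="$3"; ca_pass="$4"; arg1="$5"; arg2="$6"
  case "$mode" in
    none|tls) proto=SSL ;;
    scram)    proto=SASL_SSL ;;
    *) echo "unknown mode: $mode (expected none|scram|tls)" >&2; return 2 ;;
  esac
  {
    printf 'security.protocol=%s\n' "$proto"
    printf 'ssl.truststore.type=PKCS12\n'
    printf 'ssl.truststore.location=%s/ca.p12\n' "$cpath"
    printf 'ssl.truststore.password=%s\n' "$ca_pass"
    case "$mode" in
      scram)
        printf '\nsasl.mechanism=SCRAM-SHA-512\n'
        printf 'sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \\\n'
        printf '    username="%s" \\\n' "$arg1"
        printf '    password="%s";\n' "$arg2" ;;
      tls)
        printf '\nssl.keystore.type=PKCS12\n'
        printf 'ssl.keystore.location=%s/user.p12\n' "$cpath"
        printf 'ssl.keystore.password=%s\n' "$arg1" ;;
    esac
  } > "$out"
  chmod 600 "$out"   # the file holds passwords: owner-readable only
}

# check_client_config FILE LOCAL_DIR
# Returns non-zero if a referenced keystore is missing from LOCAL_DIR
# (matched by basename, since the path inside the file is the client path)
# or if a {placeholder} password is still unfilled.
check_client_config() {
  file="$1"; dir="$2"; rc=0
  for key in ssl.truststore.location ssl.keystore.location; do
    loc=$(sed -n "s/^$key=//p" "$file")
    [ -z "$loc" ] && continue
    name=$(basename "$loc")
    [ -f "$dir/$name" ] || { echo "missing: $name (referenced by $key)" >&2; rc=1; }
  done
  if grep -q '^ssl\..*password={' "$file" || grep -q 'password="{' "$file"; then
    echo "unfilled {placeholder} password in $file" >&2; rc=1
  fi
  if grep -q '^ssl.endpoint.identification.algorithm=$' "$file"; then
    echo "note: broker hostname verification is disabled in $file" >&2
  fi
  return $rc
}

# Example invocation (constructed values, run from the directory holding ca.p12):
#   render_client_config none client-ssl.properties /home/kafka 'CA-PASSWORD-HERE'
#   check_client_config client-ssl.properties . && echo ready-to-copy
```

Run check_client_config from the directory that holds the exported .p12 files, immediately before the kubectl cp step in section IV, so a missing user.p12 or a forgotten password is caught locally rather than as an SSL handshake failure on the client.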

IV. Copy Files to Client

Tip: Refer to the table in the Required File Preview to determine which files your access method needs.

Intra-cluster Access

Ensure that the required files are placed in the paths mentioned in the client configuration files.

$ kubectl cp ./{required file name} {Kafka client namespace}/{Kafka client Pod name}:/home/kafka/ -c kafka

External Access

Ensure that the required files are placed in the paths mentioned in the client configuration files.