Alauda Streaming Service for Kafka

#Client File Configuration

To secure communication with the Kafka instance, configure encrypted transmission (TLS) on the Kafka client.

Notes

The following operations should be performed on the control node within the cluster.

#Required File Preview

Prepare the files according to the authentication type of the Kafka instance. Each set of files belongs to exactly one Kafka instance. If there are multiple instances, prepare a separate set of files for each instance; the sets can be placed in different paths. For access from within the cluster, the examples use /home/kafka as the client path.

| Encryption Method | Authentication Method | Required Files |
| --- | --- | --- |
| Intra-cluster: TLS; External: TLS | SCRAM-SHA-512 or none | CA certificate: ca.p12; Client configuration file: client-ssl.properties |
| Intra-cluster: TLS; External: TLS | TLS | CA certificate: ca.p12; User certificate: user.p12; Client configuration file: client-ssl.properties |

#I. Configure CA Certificate

  1. Generate the CA certificate file from the instance's cluster CA secret.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka instance name}-cluster-ca-cert -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12

  2. Retrieve the password for the CA certificate. Record this password.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka instance name}-cluster-ca-cert -o jsonpath='{.data.ca\.password}' | base64 -d

#II. User Certificate

  1. Generate the user certificate file from the Kafka user's secret.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka user name} -o jsonpath='{.data.user\.p12}' | base64 -d > user.p12

  2. Retrieve the password for the user certificate. Record this password.

    $ kubectl -n {Kafka instance namespace} get secret {Kafka user name} -o jsonpath='{.data.user\.password}' | base64 -d

#III. Configure Client Configuration Files

#client-ssl.properties (Without Authentication)

$ cat << EOF > client-ssl.properties
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=/home/kafka/ca.p12
ssl.truststore.password={CA certificate password}
EOF

#client.properties (For SCRAM-SHA-512 Authentication)

Prerequisite: On the User Management tab, click on the secret dictionary and record the value of the password field.

$ cat << EOF > client.properties
security.protocol=SASL_SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=/home/kafka/ca.p12
ssl.truststore.password={CA certificate password}

sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="{Kafka user name}" \
    password="{Kafka user password}";

EOF

#client-ssl.properties (For TLS Authentication)

$ cat << EOF > client-ssl.properties
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location={client path}/ca.p12
ssl.truststore.password={CA certificate password}

ssl.keystore.type=PKCS12
ssl.keystore.location=/home/kafka/user.p12
ssl.keystore.password={user certificate password}
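EOF

TIP

For external access, add the line ssl.endpoint.identification.algorithm= (with an empty value) to the configuration file. The empty value disables the client's hostname verification of the broker certificate; the certificate is still validated against the CA in ca.p12.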

#IV. Copy Files to Client

Tip: Refer to the table in Required File Preview to determine which files are needed for your access method.

Intra-cluster Access

Ensure that the required files are placed in the paths mentioned in the client configuration files.

$ kubectl cp ./{required file name} {Kafka client namespace}/{Kafka client Pod name}:/home/kafka/ -c kafka

External Access

Ensure that the required files are placed in the paths mentioned in the client configuration files.
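
For either access method, the placement requirement above can be checked on the client before the first connection. The script below is an added example, not part of the original page or of the product's tooling; the function names `prop` and `check_client_props` are hypothetical. It reads a properties file written in section III and reports a non-TLS protocol, store paths that do not exist, unfilled `{...}` placeholders, and permissions that expose the stored passwords.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page. Function names are hypothetical.

# prop FILE KEY: print the value of KEY (last occurrence wins); empty if absent.
prop() {
  awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                 END { print v }' "$1"
}

# check_client_props FILE: print findings; return 1 if any FAIL was reported.
check_client_props() {
  local f="$1" rc=0 proto key loc
  proto=$(prop "$f" security.protocol)
  case $proto in
    SSL|SASL_SSL) ;;   # the two protocols used by the templates in section III
    *) echo "FAIL: security.protocol='$proto' does not use TLS"; rc=1 ;;
  esac
  if [ -z "$(prop "$f" ssl.truststore.location)" ]; then
    echo "FAIL: ssl.truststore.location is not set"; rc=1
  fi
  # Each store the file names must exist at the path the client will open.
  for key in ssl.truststore.location ssl.keystore.location; do
    loc=$(prop "$f" "$key")
    if [ -n "$loc" ] && [ ! -r "$loc" ]; then
      echo "FAIL: $key=$loc is missing or unreadable"; rc=1
    fi
  done
  # A template placeholder such as {CA certificate password} was left unfilled.
  if grep -q '{[^}]*}' "$f"; then
    echo "FAIL: unfilled {placeholder} in $f"; rc=1
  fi
  # The file holds store and SASL passwords: no group/other read access.
  if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
    echo "FAIL: $f is readable by group or others (chmod 600)"; rc=1
  fi
  # An empty value disables broker hostname verification (see the TIP in section III).
  if grep -q '^ssl\.endpoint\.identification\.algorithm=[[:space:]]*$' "$f"; then
    echo "WARN: hostname verification is disabled"
  fi
  return $rc
}

# Usage: check_client_props /home/kafka/client-ssl.properties
```

The hostname-verification finding is a warning rather than a failure because the page's external-access setup sets that value on purpose.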