Comments (8)
The certificate is a self-signed one created by Strimzi. Without `insecureSkipTlsVerify: true`
Kowl won't start since the certificate is not signed by a trusted CA.
Here is the error:

```
kowl {"level":"debug","ts":"2020-12-17T09:25:59.813Z","msg":"client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority","source":"sarama"}
```
from charts.
I haven't seen that error yet. What TLS protocols are allowed on the server side? Maybe any helpful log messages on the server side?
Regarding `insecureSkipTlsVerify`: this only means that the certificate will be checked for validity. If issued correctly and used with the right DNS you don't need to enable this for self-signed certificates. You can configure which CAs you trust by passing a CA file into Kowl.
@weeco this is the log I got server side:
```
2020-12-17 09:27:36,654 INFO [SocketServer brokerId=0] Failed authentication with /10.0.1.43 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(INTERNAL-9093)-SSL-3]
```
> I haven't seen that error yet. What TLS protocols are allowed on the server side? Maybe any helpful log messages on the server side?
> Regarding `insecureSkipTlsVerify`: this only means that the certificate will be checked for validity. If issued correctly and used with the right DNS you don't need to enable this for self-signed certificates. You can configure which CAs you trust by passing a CA file into Kowl.
I am using an internal listener, not an exposed one.
```yaml
listeners:
  - authentication:
      type: tls
    name: internal
    port: 9093
    tls: true
    type: internal
```
@weeco this is what is allowed server side:
https://strimzi.io/docs/0.8.1/#type-KafkaListenerAuthenticationScramSha512-reference
@dicolasi That shouldn't matter. I'd recommend you take a look at your certificates again and see what SANs are configured. There are multiple ways to connect internally to your cluster (e.g. `kafka:9093` or `kafka.namespace.svc.cluster.local:9093`, ...).
The above Kafka server error message seems to indicate that endpoint identification is required, which does not work. I hope that gives you something to research. I'm not very familiar with Strimzi and I won't be able to assist with that issue, sorry.
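The point weeco makes above is that the broker address Kowl dials has to be one of the DNS SANs in the broker certificate, and that the right fix for a self-signed chain is to hand the client the signing CA rather than to disable verification. The following is an added example, not code from this thread, from Kowl or from Strimzi: it checks a list of `host:port` broker addresses against the DNS SANs of a certificate (using the dict shape Python's `ssl` module returns for a peer certificate) and builds a client TLS context the two ways the thread contrasts. The `SAMPLE_CERT` SAN list and the function names are constructed for illustration; they are not what Strimzi actually issues.

```python
"""Added example (not from the Kowl/Strimzi thread): check whether the
hostnames a client dials are covered by a certificate's DNS SANs, and build
a client TLS context that trusts a private CA instead of turning off
verification. Certificate data below is constructed, not taken from any
real Strimzi deployment."""
import ssl
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the dict ssl.SSLSocket.getpeercert() returns.
# The SAN list is an assumption for illustration, not what Strimzi issues.
SAMPLE_CERT = {
    "subject": ((("commonName", "kafka-prod-kafka"),),),
    "subjectAltName": (
        ("DNS", "kafka-prod-kafka-bootstrap"),
        ("DNS", "kafka-prod-kafka-bootstrap.kafka.svc"),
        ("DNS", "*.kafka-prod-kafka-brokers.kafka.svc"),
    ),
}


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match: exact, or a wildcard that is the whole
    left-most label of a name with at least two further labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dns_sans(cert: Dict) -> List[str]:
    """DNS entries of the subjectAltName extension. The CN is deliberately
    ignored: modern clients, Go's crypto/x509 included, do not fall back to it."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    return any(_pattern_matches(san, hostname) for san in dns_sans(cert))


def check_brokers(cert: Dict, brokers: Iterable[str]) -> Dict[str, bool]:
    """For each 'host:port' broker address, report whether the host part is
    covered by the certificate. A False here is exactly what turns into an
    'SSL handshake failed' once hostname verification is enabled."""
    result = {}
    for broker in brokers:
        host = broker.rsplit(":", 1)[0] if ":" in broker else broker
        result[broker] = hostname_matches(cert, host)
    return result


def build_client_context(ca_file: Optional[str] = None,
                         insecure_skip_verify: bool = False) -> ssl.SSLContext:
    """Client context for talking to a broker. Passing the CA that signed the
    broker certificate keeps full verification (the Kowl 'CA file' route);
    insecure_skip_verify mirrors insecureSkipTlsVerify: true and disables
    both the chain check and the hostname check."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    if insecure_skip_verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    report = check_brokers(SAMPLE_CERT, [
        "kafka-prod-kafka-bootstrap.kafka.svc:9093",
        "kafka-prod-kafka-bootstrap.kafka.svc.cluster.local:9093",
        "kafka:9093",
        "kafka-prod-kafka-0.kafka-prod-kafka-brokers.kafka.svc:9093",
    ])
    for broker, ok in report.items():
        print(f"{broker:60s} {'covered' if ok else 'NOT covered by SANs'}")
```

With the constructed SANs, `kafka-prod-kafka-bootstrap.kafka.svc` is covered while the fully qualified `...svc.cluster.local` form and the short `kafka` form are not, which is the kind of mismatch that makes a broker log "SSL handshake failed" when the client verifies endpoint identity. Running the real check against a live broker means feeding `ssl.SSLSocket.getpeercert()` output into `check_brokers` instead of `SAMPLE_CERT`.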
@weeco I am already connected properly:

```yaml
kafka:
  brokers:
    - kafka-prod-kafka-bootstrap.kafka.svc:9093
```

Thanks anyway :)
@dicolasi The DNS name is probably used to verify the SSL certificate though. Hence I mentioned that your specific DNS name might not be one of the SANs in your TLS certificates.