Posted to users@kafka.apache.org by Wei Yang <we...@cengn.ca> on 2022/01/12 21:50:18 UTC

Re: Enable TLS Authentication + Enable External Access using LoadBalancer

Hi Luke,

Thanks a lot for the clarifications. Very helpful to me for getting started.

As we can import the root CA of all certificates to trust them all, I’d like to understand:

  *   Why does Kafka need one LoadBalancer per broker?

Thank you very much!

Regards,
Wei

From: Luke Chen <sh...@gmail.com>
Date: Tuesday, December 21, 2021 at 8:55 AM
To: Kafka Users <us...@kafka.apache.org>
Subject: Re: Enable TLS Authentication + Enable External Access using LoadBalancer
Hi Wei Yang,

> On Kafka cluster side, how to configure *advertised.listeners* for
external access? All 3 LoadBalancer IPs + port, or any 1 LoadBalancer IP +
port?

Since you have one LoadBalancer per broker, you should set *advertised.listeners*
to one LoadBalancer IP + port.
You can check this good blog post to learn how to configure the load
balancer environment in k8s for Kafka here
<https://strimzi.io/blog/2019/05/13/accessing-kafka-part-4/>.

> On external client side, does it need all 3 broker’s certificates?

You need to import all the certificates into client's truststore. Usually
you can import the root CA of all the certificates, to trust them all.

> How does the client know using which certificate while creating request
to Kafka cluster?

That's the basics of an SSL connection. It's like when you connect to Google:
how does the browser know which certificate to use to connect? The answer
is, the browser doesn't need to know; it just verifies whether the server's
certificate is in its trust list. Something like that.

Hope it helps.

Thank you.
Luke

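The setup Luke describes (one LoadBalancer per broker, each broker advertising its own LoadBalancer address, the client trusting the root CA) as an added Python example; it is not code from this thread or from Kafka. Kafka clients use the bootstrap address only to fetch cluster metadata and then connect directly to each partition leader at the address that broker advertises, so every broker needs its own externally reachable endpoint. The script builds each broker's advertised.listeners accordingly, derives the client properties, and lints the result. Broker names, LoadBalancer IPs, ports and SAN lists are constructed; the SAN check reflects the Kafka client default ssl.endpoint.identification.algorithm=https, under which the advertised LoadBalancer IP must appear as an IP SAN on that broker's certificate.

```python
# Added example for this thread (not code from the mailing-list posts or from
# Kafka itself): build and lint the per-broker EXTERNAL TLS listener setup.
# Broker names, LoadBalancer IPs, ports and SAN lists below are constructed.

# listenerSecurityProtocolMap from Wei's original question
PROTOCOL_MAP = "INTERNAL:SSL,CLIENT:PLAINTEXT,EXTERNAL:SSL"
EXTERNAL_PORT = 9094  # assumed external port; INTERNAL/CLIENT ports below are assumed too

# Constructed inventory: one LoadBalancer per broker, plus the SAN entries we
# assume each broker's certificate carries. Broker 2 deliberately lacks its LB IP.
BROKERS = {
    0: {"pod": "kafka-0.kafka-headless.svc", "lb_ip": "203.0.113.10",
        "san": ["kafka-0.kafka-headless.svc", "203.0.113.10"]},
    1: {"pod": "kafka-1.kafka-headless.svc", "lb_ip": "203.0.113.11",
        "san": ["kafka-1.kafka-headless.svc", "203.0.113.11"]},
    2: {"pod": "kafka-2.kafka-headless.svc", "lb_ip": "203.0.113.12",
        "san": ["kafka-2.kafka-headless.svc"]},
}


def parse_protocol_map(value):
    """'NAME:PROTOCOL,...' -> {NAME: PROTOCOL}."""
    return dict(item.strip().split(":", 1) for item in value.split(","))


def parse_listeners(value):
    """'NAME://host:port,...' -> {NAME: (host, port)}; rsplit keeps IPv6 hosts intact."""
    result = {}
    for entry in value.split(","):
        name, endpoint = entry.strip().split("://", 1)
        host, port = endpoint.rsplit(":", 1)
        result[name] = (host, int(port))
    return result


def advertised_listeners(broker):
    """advertised.listeners for ONE broker: EXTERNAL points at that broker's own LB."""
    return (f"INTERNAL://{broker['pod']}:9093,"
            f"CLIENT://{broker['pod']}:9092,"
            f"EXTERNAL://{broker['lb_ip']}:{EXTERNAL_PORT}")


def lint_broker(broker_id, broker):
    """Return problems with this broker's external TLS listener (empty list = OK)."""
    problems = []
    protocols = parse_protocol_map(PROTOCOL_MAP)
    listeners = parse_listeners(advertised_listeners(broker))
    for name in listeners:
        if name not in protocols:
            problems.append(f"broker {broker_id}: listener {name} missing from listener.security.protocol.map")
    if protocols.get("EXTERNAL") != "SSL":
        problems.append(f"broker {broker_id}: EXTERNAL listener is not SSL; external traffic would be plaintext")
    ext_host, _ = listeners["EXTERNAL"]
    if ext_host != broker["lb_ip"]:
        problems.append(f"broker {broker_id}: EXTERNAL advertises {ext_host}, not its own LB {broker['lb_ip']}")
    # Kafka clients verify the server hostname against the certificate by default
    # (ssl.endpoint.identification.algorithm=https), so the advertised LB IP must
    # be an IP SAN on that broker's certificate.
    if ext_host not in broker["san"]:
        problems.append(f"broker {broker_id}: certificate SAN lacks {ext_host}; client hostname verification will fail")
    return problems


def lint_cluster(brokers):
    """Lint every broker and flag two brokers advertising the same EXTERNAL endpoint."""
    problems = []
    seen = {}
    for broker_id, broker in brokers.items():
        problems += lint_broker(broker_id, broker)
        ext = parse_listeners(advertised_listeners(broker))["EXTERNAL"]
        if ext in seen:
            problems.append(f"brokers {seen[ext]} and {broker_id} advertise the same EXTERNAL endpoint {ext}")
        seen[ext] = broker_id
    return problems


def bootstrap_servers(brokers):
    """Client bootstrap list: any one LB works; listing all of them tolerates a broker outage."""
    return ",".join(f"{b['lb_ip']}:{EXTERNAL_PORT}" for b in brokers.values())


def client_properties(brokers, truststore="client.truststore.jks"):
    """Minimal client config: trust the root CA that signed every broker certificate."""
    return "\n".join([
        f"bootstrap.servers={bootstrap_servers(brokers)}",
        "security.protocol=SSL",
        f"ssl.truststore.location={truststore}",
        "ssl.truststore.password=<truststore-password>",  # placeholder
    ])


if __name__ == "__main__":
    for broker_id, broker in BROKERS.items():
        print(f"broker {broker_id}: advertised.listeners={advertised_listeners(broker)}")
    print(client_properties(BROKERS))
    for problem in lint_cluster(BROKERS):
        print("PROBLEM:", problem)
```

Running it prints three distinct advertised.listeners lines, a client.properties fragment whose truststore only needs the shared root CA, and one problem for broker 2, whose certificate does not carry its LoadBalancer IP.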

On Tue, Dec 21, 2021 at 12:51 AM Wei Yang <we...@cengn.ca> wrote:

> Hello,
>
>
>
> Being new to Kafka, I’d like to deploy a Kafka cluster on K8s with 3
> brokers with listenerSecurityProtocolMap:
> "INTERNAL:SSL,CLIENT:PLAINTEXT,EXTERNAL:SSL"
>
>
>
> To enable TLS authentication, I use self-signed TLS certificates. To
> enable external access, for Kafka, it needs to use 3 LoadBalancers, one
> LoadBalancer per broker.
>
>
>
> I’d like to understand how to configure Kafka cluster and external client
> in order to enable encryption between Kafka cluster and external client.
>
>    - On Kafka cluster side, how to configure *advertised.listeners* for
>    external access? All 3 LoadBalancer IPs + port, or any 1 LoadBalancer IP +
>    port?
>    - On external client side, does it need all 3 broker’s certificates?
>       - How does the client know using which certificate while creating
>       request to Kafka cluster?
>
>
>
> Thanks and regards,
>
> Wei Yang
>
> Cloud Infrastructure Engineer
>
>
> 555 Legget Drive| Tower A | Suite 600| Ottawa ON | K2K 2X3 | 613-793-6345
>
> www.cengn.ca  Follow us @CENGNCanada
>
>
>