fix: Resolve Kafka SSL certificate generation issues

- Fix Kafka SSL script to properly generate CA certificate with password
- Remove incorrect import of non-existent ca-cert file
- Add password parameter to openssl CA key generation
- Update Makefile to pass SSL environment variables to Docker container
- Test SSL certificate generation for both Kafka and PostgreSQL

Fixes:
- keytool error: java.io.FileNotFoundException: ca-cert
- openssl password prompt issues in non-interactive mode
- SSL certificate generation now works correctly

Author: Сергей Антропов
Site: https://devops.org.ru
Sergey Antropoff 2025-09-10 17:56:40 +03:00
parent de3c5ceee0
commit 36ed1da92a
3 changed files with 7 additions and 4 deletions

View File

@ -163,7 +163,11 @@ restore: ## Восстановить данные из резервной коп
ssl-generate: ## Генерация SSL сертификатов для Kafka и PostgreSQL
@echo "🔐 Генерация SSL сертификатов для Kafka..."
@mkdir -p ./kafka-ssl
@docker run --rm -v $$PWD:/workspace -w /workspace openjdk:11-jre-slim bash -c "apt-get update && apt-get install -y openssl && chmod +x /workspace/kafka-ssl/generate-ssl.sh && /workspace/kafka-ssl/generate-ssl.sh"
@docker run --rm -v $$PWD:/workspace -w /workspace \
-e KAFKA_SSL_KEYSTORE_PASSWORD=$${KAFKA_SSL_KEYSTORE_PASSWORD:-kafka123} \
-e KAFKA_SSL_TRUSTSTORE_PASSWORD=$${KAFKA_SSL_TRUSTSTORE_PASSWORD:-kafka123} \
-e KAFKA_SSL_KEY_PASSWORD=$${KAFKA_SSL_KEY_PASSWORD:-kafka123} \
openjdk:11-jre-slim bash -c "apt-get update && apt-get install -y openssl && chmod +x /workspace/kafka-ssl/generate-ssl.sh && /workspace/kafka-ssl/generate-ssl.sh"
@echo "✅ SSL сертификаты Kafka созданы в ./kafka-ssl/"
@echo "🔐 Генерация SSL сертификатов для PostgreSQL..."
@mkdir -p ./postgres-ssl
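Review bot: the `$${KAFKA_SSL_*_PASSWORD:-kafka123}` fallbacks on the three new `-e` lines mean that whenever the variables are unset the CA key, keystore and truststore are silently protected with the well-known default `kafka123`; prefer making the target fail (`$${KAFKA_SSL_KEYSTORE_PASSWORD:?KAFKA_SSL_KEYSTORE_PASSWORD is not set}`) or at least printing a warning that the default was used. The script hunk in this same commit reads `$TRUSTSTORE_PASSWORD` and `$KEY_PASSWORD`, not the `KAFKA_SSL_*` names exported here, so confirm that generate-ssl.sh maps one to the other; otherwise the passwords set in the Makefile never reach openssl or keytool. Passing secrets with `-e` also leaves them visible in `docker inspect` for the life of the container; an `--env-file` or a mounted secrets file avoids that. Unrelated to the fix but worth noting: `apt-get update && apt-get install -y openssl` on every run makes the target network-dependent and non-reproducible.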

View File

@ -18,10 +18,9 @@ echo "🔐 Генерация SSL сертификатов для Kafka..."
# 1. Создание CA (Certificate Authority)
echo "📋 Создание CA сертификата..."
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $TRUSTSTORE_PASSWORD -keypass $KEY_PASSWORD -noprompt || true
# Создание CA ключа и сертификата
openssl req -new -x509 -keyout ca-key -out ca-cert -days $CERT_VALIDITY_DAYS -subj "/C=RU/ST=Moscow/L=Moscow/O=Sensus/OU=IT/CN=ca.sensus.local"
openssl req -new -x509 -keyout ca-key -out ca-cert -days $CERT_VALIDITY_DAYS -passout pass:$KEY_PASSWORD -subj "/C=RU/ST=Moscow/L=Moscow/O=Sensus/OU=IT/CN=ca.sensus.local"
# 2. Создание keystore для сервера
echo "🔑 Создание keystore для сервера..."
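Review bot: `-passout pass:$KEY_PASSWORD` on the new openssl line places the CA key passphrase in the process argument list, where it is readable via `ps` or `/proc/<pid>/cmdline` by other users on the host running the container; openssl accepts `-passout env:KEY_PASSWORD` (or `file:`), which keeps it out of argv. The variable is also unquoted, so a passphrase containing whitespace breaks the command. Because the CA key is now encrypted with the same `$KEY_PASSWORD` that, by its name, protects the server key, any later step in this script that signs with `ca-key` must pass a matching `-passin`, and compromise of the broker key password also unlocks the CA; a separate CA passphrase would be cleaner. Dropping the keytool import is correct, since `ca-cert` does not exist yet at that point, but the `|| true` it carried was what hid the FileNotFoundException named in the commit message; make sure no other step still swallows errors that way, and consider `set -euo pipefail` at the top of the script.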

View File

@ -1 +1 @@
061A48EC483BA1607C89D669681A1BBD2B491BEC
061A48EC483BA1607C89D669681A1BBD2B491BED
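Review bot: the only change in this file is the last hex digit (`...BEC` to `...BED`) of a 40-character value, and neither the commit message nor the diff says what the file is or why it changes together with the SSL fix; add a line to the commit message (or a comment in the file, if its format allows one) stating what this identifier represents and whether it is regenerated by a tool or edited by hand.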