From 36ed1da92af41aca674941a217ba64e7f7fcb0d5 Mon Sep 17 00:00:00 2001
From: Sergey Antropoff
Date: Wed, 10 Sep 2025 17:56:40 +0300
Subject: [PATCH] fix: Resolve Kafka SSL certificate generation issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix Kafka SSL script to properly generate CA certificate with password
- Remove incorrect import of non-existent ca-cert file
- Add password parameter to openssl CA key generation
- Update Makefile to pass SSL environment variables to Docker container
- Test SSL certificate generation for both Kafka and PostgreSQL

Fixes:
- keytool error: java.io.FileNotFoundException: ca-cert
- openssl password prompt issues in non-interactive mode
- SSL certificate generation now works correctly

Author: Сергей Антропов
Site: https://devops.org.ru
---
 Makefile | 6 +++++-
 kafka-ssl/generate-ssl.sh | 3 +--
 postgres-ssl/ca.srl | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 99888d4..c0c24b6 100644
--- a/Makefile
+++ b/Makefile
@@ -163,7 +163,11 @@ restore: ## Восстановить данные из резервной коп
 ssl-generate: ## Генерация SSL сертификатов для Kafka и PostgreSQL
 	@echo "🔐 Генерация SSL сертификатов для Kafka..."
 	@mkdir -p ./kafka-ssl
-	@docker run --rm -v $$PWD:/workspace -w /workspace openjdk:11-jre-slim bash -c "apt-get update && apt-get install -y openssl && chmod +x /workspace/kafka-ssl/generate-ssl.sh && /workspace/kafka-ssl/generate-ssl.sh"
+	@docker run --rm -v $$PWD:/workspace -w /workspace \
+		-e KAFKA_SSL_KEYSTORE_PASSWORD=$${KAFKA_SSL_KEYSTORE_PASSWORD:-kafka123} \
+		-e KAFKA_SSL_TRUSTSTORE_PASSWORD=$${KAFKA_SSL_TRUSTSTORE_PASSWORD:-kafka123} \
+		-e KAFKA_SSL_KEY_PASSWORD=$${KAFKA_SSL_KEY_PASSWORD:-kafka123} \
+		openjdk:11-jre-slim bash -c "apt-get update && apt-get install -y openssl && chmod +x /workspace/kafka-ssl/generate-ssl.sh && /workspace/kafka-ssl/generate-ssl.sh"
 	@echo "✅ SSL сертификаты Kafka созданы в ./kafka-ssl/"
 	@echo "🔐 Генерация SSL сертификатов для PostgreSQL..."
 	@mkdir -p ./postgres-ssl
diff --git a/kafka-ssl/generate-ssl.sh b/kafka-ssl/generate-ssl.sh
index 3abd74c..d537ff2 100755
--- a/kafka-ssl/generate-ssl.sh
+++ b/kafka-ssl/generate-ssl.sh
@@ -18,10 +18,9 @@ echo "🔐 Генерация SSL сертификатов для Kafka..."
 
 # 1. Создание CA (Certificate Authority)
 echo "📋 Создание CA сертификата..."
-keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $TRUSTSTORE_PASSWORD -keypass $KEY_PASSWORD -noprompt || true
 
 # Создание CA ключа и сертификата
-openssl req -new -x509 -keyout ca-key -out ca-cert -days $CERT_VALIDITY_DAYS -subj "/C=RU/ST=Moscow/L=Moscow/O=Sensus/OU=IT/CN=ca.sensus.local"
+openssl req -new -x509 -keyout ca-key -out ca-cert -days $CERT_VALIDITY_DAYS -passout pass:$KEY_PASSWORD -subj "/C=RU/ST=Moscow/L=Moscow/O=Sensus/OU=IT/CN=ca.sensus.local"
 
 # 2. Создание keystore для сервера
 echo "🔑 Создание keystore для сервера..."
diff --git a/postgres-ssl/ca.srl b/postgres-ssl/ca.srl
index c556d8c..eeeed7e 100644
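Review bot: The `:-kafka123` fallbacks on the three new `-e` lines mean a plain `make ssl-generate` silently produces a keystore, truststore and CA key protected by a fixed password that is committed to the repository, and the `@` prefix keeps that invisible to the operator. If the passwords are meant to come from the caller, fail instead of defaulting, e.g. `-e KAFKA_SSL_KEYSTORE_PASSWORD=$${KAFKA_SSL_KEYSTORE_PASSWORD:?set KAFKA_SSL_KEYSTORE_PASSWORD}` and the same for the truststore and key lines, or at least state in the target's `##` help text that the defaults are for local development only. The exported names (`KAFKA_SSL_*_PASSWORD`) also differ from the `TRUSTSTORE_PASSWORD` and `KEY_PASSWORD` that generate-ssl.sh reads in the next hunk; presumably the script maps them near its top, but that mapping is outside this patch and worth confirming. The `ssl-generate` recipe continues past the end of the hunk.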
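Review bot: `-passout pass:$KEY_PASSWORD` on the new openssl line puts the CA key passphrase into the process argument list, where it is readable through `ps`/`/proc` by anything else running in the container and is printed by any `set -x` trace, and the unquoted `$KEY_PASSWORD` and `$CERT_VALIDITY_DAYS` are word-split if they ever contain whitespace. openssl can read the passphrase from the environment instead: `export KEY_PASSWORD` before the call (if it is not already exported) and `-days "$CERT_VALIDITY_DAYS" -passout env:KEY_PASSWORD` in place of `-days $CERT_VALIDITY_DAYS -passout pass:$KEY_PASSWORD`. This change also encrypts ca-key with the keystore key password, so every later step that signs with the CA (outside this hunk) has to supply the same passphrase via `-passin`; the commit message reports a successful run, so that is presumably already handled. The assignments of `KEY_PASSWORD` and `CERT_VALIDITY_DAYS` sit above the hunk and are not visible here.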
--- a/postgres-ssl/ca.srl
+++ b/postgres-ssl/ca.srl
@@ -1 +1 @@
-061A48EC483BA1607C89D669681A1BBD2B491BEC
+061A48EC483BA1607C89D669681A1BBD2B491BED