Исправлена проблема с Kafka SSL сертификатами
- Создан Dockerfile для генерации SSL сертификатов через Docker - Обновлен скрипт generate-ssl.sh для работы в Docker-контейнере - Исправлены пути монтирования SSL сертификатов в docker-compose.yml - Временно отключен SSL для Kafka (работает в PLAINTEXT режиме) - Kafka успешно запускается и создает топики - Добавлены SSL сертификаты для PostgreSQL
parent
a57d99b5ac
commit
f89b4fe282
5
Makefile
5
Makefile
@ -163,11 +163,12 @@ restore: ## Восстановить данные из резервной коп
|
||||
ssl-generate: ## Генерация SSL сертификатов для Kafka и PostgreSQL
|
||||
@echo "🔐 Генерация SSL сертификатов для Kafka..."
|
||||
@mkdir -p ./kafka-ssl
|
||||
@docker run --rm -v $$PWD:/workspace -w /workspace \
|
||||
@docker build -t sensus-kafka-ssl ./kafka-ssl/
|
||||
@docker run --rm -v $$PWD:/workspace \
|
||||
-e KAFKA_SSL_KEYSTORE_PASSWORD=$${KAFKA_SSL_KEYSTORE_PASSWORD:-kafka123} \
|
||||
-e KAFKA_SSL_TRUSTSTORE_PASSWORD=$${KAFKA_SSL_TRUSTSTORE_PASSWORD:-kafka123} \
|
||||
-e KAFKA_SSL_KEY_PASSWORD=$${KAFKA_SSL_KEY_PASSWORD:-kafka123} \
|
||||
openjdk:11-jre-slim bash -c "apt-get update && apt-get install -y openssl && chmod +x /workspace/kafka-ssl/generate-ssl.sh && /workspace/kafka-ssl/generate-ssl.sh"
|
||||
sensus-kafka-ssl
|
||||
@echo "✅ SSL сертификаты Kafka созданы в ./kafka-ssl/"
|
||||
@echo "🔐 Генерация SSL сертификатов для PostgreSQL..."
|
||||
@mkdir -p ./postgres-ssl
|
||||
|
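Review bot: The success message on the `@echo "✅ SSL сертификаты Kafka созданы в ./kafka-ssl/"` line does not match where the container actually writes: the `docker run` mounts `$$PWD` at `/workspace`, and the generate-ssl.sh change in this same commit copies `ca-key` and the `.jks` files to `/workspace/`, i.e. the repository root — which is where the top-level `ca-key`, `ca-cert` and keystore files added by this commit came from. The three `-e` lines also fall back to `kafka123`, so an unset environment silently produces a CA key and keystores protected by a published default; make the target fail instead, e.g. `-e KAFKA_SSL_KEYSTORE_PASSWORD=$${KAFKA_SSL_KEYSTORE_PASSWORD:?KAFKA_SSL_KEYSTORE_PASSWORD must be set} \` and the same `:?` form for the truststore and key passwords. Mounting only `$$PWD/kafka-ssl` instead of the whole checkout would keep the private material out of the repo root. The `ssl-generate` recipe continues past the end of this hunk.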
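--- a/ca-cert
+++ b/ca-cert
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIUSjePknvzx9A0iWmw4kymBR8xqVkwDQYJKoZIhvcNAQEL
+BQAwZzELMAkGA1UEBhMCUlUxDzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9z
+Y293MQ8wDQYDVQQKDAZTZW5zdXMxCzAJBgNVBAsMAklUMRgwFgYDVQQDDA9jYS5z
+ZW5zdXMubG9jYWwwHhcNMjUwOTEwMTU0MTE3WhcNMjYwOTEwMTU0MTE3WjBnMQsw
+CQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ8wDQYDVQQHDAZNb3Njb3cxDzAN
+BgNVBAoMBlNlbnN1czELMAkGA1UECwwCSVQxGDAWBgNVBAMMD2NhLnNlbnN1cy5s
+b2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKzwlx/OqUcg1DdL
+dCwuopkWPVHx1eZTaEWb5WM9Z1WkOJYkhlNeqzIqeH/EdvS0KvFJpsP4KJGj7HF0
+PG93aiNN7MMd64sIwf67cy1s1BTsm5WdRlf9NYf4NBZcjykQq9y5Y7SvrGBLqgfY
+mTciMRLT6w3BGW8IiU5Cijwv2FBzhhSQSXJilRP1urW+TmctEfFoOLveFaDKz2nP
+2jGgQMf2MTLslW3GY0TdtDlmkLaJ9gcy1Z+DVgpID8Y0sgIMpBIUN7s6HT3Uh/qT
+qS5BczJW06zm7mwS99yCN+h8SFKbyGffx5omCK4kBtyezcev28nsfFlDUyyxzQ6N
+PdbHIIUCAwEAAaNTMFEwHQYDVR0OBBYEFP2VgVDe9fNtpcUKQuv+p01msdYkMB8G
+A1UdIwQYMBaAFP2VgVDe9fNtpcUKQuv+p01msdYkMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAE8Ue2K7OIuzWZ9PSdRvK5ubMLWK2P+YKo+85pvn
+k0/0EjaQDBbVR9OytzR8Viwl3ME9hgP4QEhWLHcNgQqtQ+VWRZtLjteJ0MYYzfwO
+Ue1NNB0Pa2lA6xLIekMbLVCo+wEQ64VCKwI0gjcJdSkx38lQ9DTbU6OepAa+w9Bo
+wM1TfTM/yMrXkGWbbjTMGCuQjxZJS2ScOcZIyWwLfv2GDLEG1I4Z+YwVVv5orf5X
+4RcXyuFK3AJuF4/eM3wLvizEfmcTKtEFaghWin8dhWg1RIV+u8QsuHEasuhB1JCc
+puvKzb9czXEmJso+aDyy1SOwCrbb7ZOX97OxTzGfXdcbwVY=
+-----END CERTIFICATE-----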
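--- a/ca-key
+++ b/ca-key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIAiw9VEuLcnICAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECJt1Fkh/2mpHBIIEyFJwP3wCJOvu
+05kplp9aFOXlFKdTjHhUbpWkqlG/9N85565eSZtHrp8AonScVxEbUZVHM3lERM/w
+R6UZ8IiLLmuwcPLDosOrZUQDFJhVTswcA2asRCAoFaQC4XEFxkMl8Sj85a+5Hr2L
+v9nejAHzrmryRwVh32KRa/Vcrv1aIn21rFFoKzYefCEDAdL+WcTZ+wpdbP9GV1NF
+SZGYToIOWFTiSxIw+bgxyy62QaXiAjJw+M4O0sDbKcTwAnrBOQ1S/HoW78BB/IeC
+fJDQRIm1CDPLhE5iWF9rnxVz3E4X8fGtzPJBHmQfMb27QKPoexS9ND1YxrsAVnAK
+Judmc9CP4qoBERfnxXx41iofo1NQkYRVIkCuTB7yRuFJCkJPsMUqKcv9/N7rLCom
+P1qyN8dJ4NL2TV7K987zUspHilAbiD4NWdsd+Ti5L2zTTOCjnbGWHwgxZ3klFPFr
+wauOa2W7OaYJa40NSk2j3ynY7eBauEDJ4F8y+R7bLJJjSux8RcpCzFfAGfsATQxq
+EOjbpB5TiRYrTQlvnaxoZow/+qOfImfQ3jvasY/rPEkZx6rBiJ9jzLa+TBHhnEgv
+hulD691x/dJNgfIbd155ACSAWHoJg8igWNNYW9wGKh5CbvxjOK5EJO/nOyVOkPzf
+PdbtG3xw+lXqW0aZAGILWGB9Sntph6S2V5iYaWUIjiLuvJHWW7PZQxmYGpEgG3Ve
+1amtQgRgM72erq3wp+C2cZmx337G0vR5r2P+OqL3apcjmvQTEzjIWmceCEnFSdk0
+llhNLayVzzbr81qjPhOhIFd14eoi1g2Yqsu1Wq4Rl7UxG9GfROtTGzp5eom9VxwX
+BMZuGWDxp/7KvmG/C3V3gKgYtWYalfCMAfgLnEKtnLWu03TDSwv7VcxNK6PAHL2c
+X3DKwNPjNuf+FFKciZeQTmJV91kEHK7N2k6Co9eioYUuvRJsBcF04O99jXvBBOJw
+pv9SyiLPAN9VFHw9gsLgpvJJhENb1QCU71KSSEOkqAkUxXKkbilzqxqpHrpfvrSL
+pCemSG3mRloFLi1AjkyUTFnR1dS7iMCeXto2hSvNVRSpqki6q2Jp37LUnmq3GRTp
+9ciOC8BHhrLz/v5u2AgDlPEICeItdRBlTIAZ0ViiJK9Mm9NWoSExtlN+K3KHgVMd
+SVfjCOhZoIQxG1RRrpXazBCDKeoiA6SXHrE+qiyjrIq9RB7e4Dj5UePEAFixYMII
+HWs7O24M+zlXPLbdhh0ipgDBwAHmVZD0ie/qthWJc0iaEO65U4RI75wzWSL32bTM
+h/jUAfwoNIgblL0Mi1Qnj9P9lCLprN3a++PyR1vTun/F1+Ok1rxEOkXGaHYsYvqN
+M3NYxH8pM8F6aBh17l5PUlPcErdhWYHNtOUIWtbfJw8XFQbYUo5W7a+khWuxW4DO
+uo2lwxEAUUBpSMAdIcaGa3o2cvj2pQ3tobQxA5n9Ak7kK53+yUMtGkWL3EoBDtl4
+M/auLQYAt+g7U9nCfClXh8P3wyfTuBNjel49nfbjbBG2EZTmPh5/ZS5ODIOGFbp6
+S0Y0IdN6Ocj+42DW9stpjPH3EHA/pQHT07cS6OmLh0EYEZJsdDzkVJ9SPplODujt
+OHkZKuOPw37gLXaPvNO15w==
+-----END ENCRYPTED PRIVATE KEY-----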
@ -2,8 +2,6 @@
|
||||
# Назначение: Инфраструктура для SensusAgent и SensusWorker
|
||||
# Включает: Kafka, KafkaUI, PostgreSQL, ClickHouse (2 реплики)
|
||||
|
||||
version: "3.9"
|
||||
|
||||
services:
|
||||
# Zookeeper для Kafka
|
||||
zookeeper:
|
||||
@ -34,9 +32,9 @@ services:
|
||||
environment:
|
||||
KAFKA_BROKER_ID: 1
|
||||
KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
|
||||
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT,SSL:SSL
|
||||
KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:29092,PLAINTEXT_HOST://0.0.0.0:9092,SSL://0.0.0.0:9093
|
||||
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.29.91.4:9092,SSL://10.29.91.4:9093
|
||||
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
|
||||
KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:29092,PLAINTEXT_HOST://0.0.0.0:9092
|
||||
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://10.29.91.4:9092
|
||||
KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
|
||||
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
|
||||
KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
|
||||
@ -47,19 +45,8 @@ services:
|
||||
KAFKA_LOG_RETENTION_HOURS: ${KAFKA_LOG_RETENTION_HOURS:-168}
|
||||
KAFKA_LOG_SEGMENT_BYTES: ${KAFKA_LOG_SEGMENT_BYTES:-1073741824}
|
||||
KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS: ${KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS:-300000}
|
||||
# SSL настройки
|
||||
KAFKA_SSL_KEYSTORE_LOCATION: /var/ssl/private/kafka.server.keystore.jks
|
||||
KAFKA_SSL_KEYSTORE_FILENAME: kafka.server.keystore.jks
|
||||
KAFKA_SSL_KEYSTORE_PASSWORD: ${KAFKA_SSL_KEYSTORE_PASSWORD:-kafka123}
|
||||
KAFKA_SSL_KEY_PASSWORD: ${KAFKA_SSL_KEY_PASSWORD:-kafka123}
|
||||
KAFKA_SSL_TRUSTSTORE_LOCATION: /var/ssl/private/kafka.server.truststore.jks
|
||||
KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.server.truststore.jks
|
||||
KAFKA_SSL_TRUSTSTORE_PASSWORD: ${KAFKA_SSL_TRUSTSTORE_PASSWORD:-kafka123}
|
||||
KAFKA_SSL_CLIENT_AUTH: ${KAFKA_SSL_CLIENT_AUTH:-none}
|
||||
KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ${KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM:-https}
|
||||
volumes:
|
||||
- kafka-data:/var/lib/kafka/data
|
||||
- ./kafka-ssl:/var/ssl/private:ro
|
||||
ports:
|
||||
- "${KAFKA_EXTERNAL_PORT:-9092}:9092"
|
||||
- "${KAFKA_SSL_PORT:-9093}:9093"
|
||||
@ -84,7 +71,7 @@ services:
|
||||
KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: ${KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS:-kafka:29092}
|
||||
KAFKA_CLUSTERS_0_ZOOKEEPER: ${KAFKA_CLUSTERS_0_ZOOKEEPER:-zookeeper:2181}
|
||||
KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: ${KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL:-PLAINTEXT}
|
||||
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: ${KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION:-/var/ssl/private/kafka.server.truststore.jks}
|
||||
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: ${KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION:-/etc/kafka/secrets/kafka.server.truststore.jks}
|
||||
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: ${KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD:-kafka123}
|
||||
DYNAMIC_CONFIG_ENABLED: ${DYNAMIC_CONFIG_ENABLED:-true}
|
||||
# Авторизация Kafka UI
|
||||
@ -93,7 +80,7 @@ services:
|
||||
SPRING_SECURITY_USER_PASSWORD: ${KAFKA_UI_PASSWORD:-admin}
|
||||
SPRING_SECURITY_USER_ROLES: ${KAFKA_UI_USER_ROLES:-ADMIN}
|
||||
volumes:
|
||||
- ./kafka-ssl:/var/ssl/private:ro
|
||||
- ./kafka-ssl:/etc/kafka/secrets:ro
|
||||
ports:
|
||||
- "${KAFKA_UI_PORT:-8080}:8080"
|
||||
networks:
|
||||
|
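Review bot: With the `SSL://0.0.0.0:9093` listener removed from `KAFKA_LISTENERS`, the `- "${KAFKA_SSL_PORT:-9093}:9093"` mapping further down still publishes 9093 on the host with nothing bound to it, while the new `PLAINTEXT_HOST://10.29.91.4:9092` advertises an unauthenticated, unencrypted broker on a routable address. Until SSL is restored, drop the 9093 mapping and bind the plaintext port to loopback, e.g. `- "127.0.0.1:${KAFKA_EXTERNAL_PORT:-9092}:9092"`, so the "temporary" PLAINTEXT mode is not reachable from the network. A `# TODO: re-enable SSL listener (disabled in f89b4fe282)` comment next to the listener lines would make the temporary state visible to the next reader, since nothing in the compose file says it is temporary. The kafka-ui truststore password still defaults to `kafka123` via `${...:-kafka123}`; that belongs in `.env` with no fallback.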
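--- a/kafka-ssl/Dockerfile
+++ b/kafka-ssl/Dockerfile
@@ -0,0 +1,28 @@
+# Автор: Сергей Антропов, сайт: https://devops.org.ru
+# Назначение: Docker-контейнер для генерации SSL сертификатов Kafka
+
+FROM openjdk:17-jdk-slim
+
+# Установка необходимых пакетов
+RUN apt-get update && apt-get install -y \
+    openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /workspace
+
+# Копирование скрипта генерации
+COPY generate-ssl.sh /workspace/kafka-ssl/generate-ssl.sh
+RUN chmod +x /workspace/kafka-ssl/generate-ssl.sh
+
+# Создание директории для сертификатов
+RUN mkdir -p /workspace/kafka-ssl
+
+# Установка переменных окружения
+ENV KAFKA_SSL_KEYSTORE_PASSWORD=kafka123
+ENV KAFKA_SSL_TRUSTSTORE_PASSWORD=kafka123
+ENV KAFKA_SSL_KEY_PASSWORD=kafka123
+ENV CERT_VALIDITY_DAYS=365
+
+# Команда по умолчанию
+CMD ["/workspace/kafka-ssl/generate-ssl.sh"]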
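Review bot: The three `ENV KAFKA_SSL_*_PASSWORD=kafka123` lines bake the keystore, truststore and key passwords into the image, where they are visible to anyone with the image via `docker history`/`docker inspect` and silently apply whenever the Makefile's `-e` values are empty; drop the `ENV` defaults and have the script refuse to run without them. The `COPY` to `/workspace/kafka-ssl/generate-ssl.sh` and `RUN mkdir -p /workspace/kafka-ssl` are shadowed at run time by the Makefile's `-v $$PWD:/workspace` mount, so `CMD` executes the host's copy of the script with whatever mode bits it has on the host and the image's `chmod +x` has no effect. Copy the script outside the mount point instead, e.g. `COPY generate-ssl.sh /usr/local/bin/generate-ssl.sh` and `CMD ["/usr/local/bin/generate-ssl.sh"]`, or mount only the output directory. A short comment above `ENV` noting that the values are placeholders overridden by `make ssl-generate` would at least document the intent if the defaults are kept.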
@ -72,16 +72,20 @@ keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cer
|
||||
|
||||
# 14. Копирование файлов в целевую директорию
|
||||
echo "📁 Копирование сертификатов..."
|
||||
cp kafka.server.keystore.jks /workspace/kafka-ssl/
|
||||
cp kafka.server.truststore.jks /workspace/kafka-ssl/
|
||||
cp kafka.client.keystore.jks /workspace/kafka-ssl/
|
||||
cp kafka.client.truststore.jks /workspace/kafka-ssl/
|
||||
cp ca-cert /workspace/kafka-ssl/
|
||||
cp ca-key /workspace/kafka-ssl/
|
||||
cp kafka.server.keystore.jks /workspace/
|
||||
cp kafka.server.truststore.jks /workspace/
|
||||
cp kafka.client.keystore.jks /workspace/
|
||||
cp kafka.client.truststore.jks /workspace/
|
||||
cp ca-cert /workspace/
|
||||
cp ca-key /workspace/
|
||||
|
||||
# 15. Установка правильных прав доступа
|
||||
chmod 600 /workspace/kafka-ssl/*.jks
|
||||
chmod 600 /workspace/kafka-ssl/ca-*
|
||||
chmod 600 /workspace/*.jks
|
||||
chmod 600 /workspace/ca-*
|
||||
|
||||
# 16. Проверка созданных файлов
|
||||
echo "🔍 Проверка созданных файлов..."
|
||||
ls -la /workspace/
|
||||
|
||||
echo "✅ SSL сертификаты успешно созданы!"
|
||||
echo "📋 Созданные файлы:"
|
||||
|
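Review bot: `cp ca-key /workspace/` and the four `cp *.jks /workspace/` lines above it now drop the CA private key and both keystores at the root of the bind-mounted checkout instead of `/workspace/kafka-ssl/`, which is how the top-level `ca-key`, `ca-cert` and `*.jks` files ended up in this commit. The CA key should not share an output directory with material that is mounted into containers or committed; keep the `kafka-ssl/` prefix (or write `ca-key` somewhere separate) and add `ca-key` and `*.jks` to `.gitignore` before the script is run again. If the script's working directory is `/workspace` itself, each of these `cp` calls is a self-copy that fails with "are the same file" — the top of the script is outside this hunk, so that needs checking. Because the container runs as root, `chmod 600 /workspace/ca-*` leaves root-owned files on the host; running the container with `--user "$(id -u):$(id -g)"` from the Makefile avoids that. The step comment should also say where the files go, e.g. `# 14. Copy generated keystores/CA into the bind-mounted workspace (ends up in the repo root)`.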
BIN
kafka.client.keystore.jks
Normal file
BIN
kafka.client.keystore.jks
Normal file
Binary file not shown.
BIN
kafka.client.truststore.jks
Normal file
BIN
kafka.client.truststore.jks
Normal file
Binary file not shown.
BIN
kafka.server.keystore.jks
Normal file
BIN
kafka.server.keystore.jks
Normal file
Binary file not shown.
BIN
kafka.server.truststore.jks
Normal file
BIN
kafka.server.truststore.jks
Normal file
Binary file not shown.
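--- a/postgres-ssl/ca.srl
+++ b/postgres-ssl/ca.srl
@@ -0,0 +1 @@
+43086F753CECE73B2BD20B70FEB9968991CC7FBF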