I'm deploying the Kafka Bitnami chart with TLS enabled for the external client for testing.
I followed the instructions; however, I got the following error. What is wrong with my configuration?
$ kubectl logs my-release-kafka-0
Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled.
The secret was created like this:
kubectl create secret generic kafka-jks --from-file=./kafka.truststore.jks --from-file=./kafka-0.keystore.jks
The Helm chart is deployed as follows:
helm install my-release \
  --set externalAccess.enabled=true \
  --set externalAccess.service.type=LoadBalancer \
  --set externalAccess.service.port=9094 \
  --set externalAccess.autoDiscovery.enabled=true \
  --set serviceAccount.create=true \
  --set rbac.create=true \
  --set auth.clientProtocol=tls \
  --set auth.jksSecret=kafka-jks \
  --set auth.jksPassword=<MY_JKS_PASSWORD> \
  bitnami/kafka
According to kubectl describe pod, it looks like it is mounted successfully.
Mounts:
/bitnami/kafka from data (rw)
/certs from kafka-certificates (ro)
/opt/bitnami/kafka/logs from logs (rw)
/scripts/setup.sh from scripts (rw,path="setup.sh")
/shared from shared (rw)
/var/run/secrets/kubernetes.io/serviceaccount from my-release-kafka-token-bkqgt (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
data:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: data-my-release-kafka-0
ReadOnly: false
scripts:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: my-release-kafka-scripts
Optional: false
shared:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
kafka-certificates:
Type: Secret (a volume populated by a Secret)
SecretName: kafka-jks
Optional: false
:
$ kubectl describe secret kafka-jks
Name: kafka-jks
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
kafka-0.keystore.jks: 5181 bytes
kafka.truststore.jks: 1346 bytes
I also tested whether the keystore works correctly. It looks like it works.
$ keytool -keystore kafka-0.keystore.jks -export -alias localhost -rfc -file signed_exported.crt
Enter keystore password:
Certificate stored in file <signed_exported.crt>