[Question] ...Unable to access kafka-cluster from outside cluster #3967

Closed
raju-lv opened this issue Nov 17, 2020 · 12 comments
raju-lv commented Nov 17, 2020

I have deployed a Strimzi Kafka cluster with external listeners using load balancers. It is working fine within the pod on port 9092, and I am able to create topics. But the actual issue I am facing is while deploying Kafka with TLS. I don't know which method I need to follow for accessing Kafka from outside the cluster. For Apache Kafka we used to connect through the Kafka client using a keystore and truststore in a properties file, which can be provided on the command line, e.g. ./kafka-console-producer.sh --broker-list Ip:port --topic my-topic --producer.config ssl-properties.txt. This ssl-properties file contains the paths and passwords of the truststore and keystore. For accessing Strimzi Kafka, do we also need to create a keystore and truststore, or is there any other alternative method for accessing Kafka clusters?
Providing the details of my deployment.
kafka.yaml:
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  #annotations:
  #  metallb.universe.tf/allow-shared-ip: smart
spec:
  kafka:
    version: 2.5.0
    replicas: 1
    listeners:
      plain: {}
      external:
        type: loadbalancer
        tls: true
        overrides:
          bootstrap:
            loadBalancerIP: xxxxx
          brokers:
          - broker: 0
            loadBalancerIP: xxxxx
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.5"
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false
    resources:
      requests:
        memory: 8Gi
        cpu: "1"
      limits:
        memory: 24Gi
        cpu: "3"
    tlsSidecar:
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
        limits:
          cpu: 250m
          memory: 100Mi
  zookeeper:
    replicas: 1
    resources:
      requests:
        memory: 8Gi
        cpu: "1"
      limits:
        memory: 24Gi
        cpu: "3"
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false

Pods and services:
kubectl get all -n kafka-op-test
NAME READY STATUS RESTARTS AGE
pod/my-cluster-entity-operator-558ffb588d-24tlz 3/3 Running 0 25h
pod/my-cluster-kafka-0 2/2 Running 0 25h
pod/my-cluster-zookeeper-0 1/1 Running 0 25h
pod/strimzi-cluster-operator-55dd5ccd6f-pd4mk 1/1 Running 0 26h

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/my-cluster-kafka-0 LoadBalancer xxxxxxxxxx xxxxxxxxxxx 9094:30321/TCP 25h
service/my-cluster-kafka-bootstrap ClusterIP xxxxxxxxxx 9091/TCP,9092/TCP 25h
service/my-cluster-kafka-brokers ClusterIP None 9091/TCP,9092/TCP 25h
service/my-cluster-kafka-external-bootstrap LoadBalancer xxxxxxxxxx xxxxxxxxx 9094:31982/TCP 25h
service/my-cluster-zookeeper-client ClusterIP xxxxxxxxxx 2181/TCP 25h
service/my-cluster-zookeeper-nodes ClusterIP None 2181/TCP,2888/TCP,3888/TCP 25h

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/my-cluster-entity-operator 1/1 1 1 25h
deployment.apps/strimzi-cluster-operator 1/1 1 1 26h

NAME DESIRED CURRENT READY AGE
replicaset.apps/my-cluster-entity-operator-558ffb588d 1 1 1 25h
replicaset.apps/strimzi-cluster-operator-55dd5ccd6f 1 1 1 26h

NAME READY AGE
statefulset.apps/my-cluster-kafka 1/1 25h
statefulset.apps/my-cluster-zookeeper 1/1 25h


Secrets created by the Strimzi operator:
my-cluster-clients-ca Opaque 1 25h
my-cluster-clients-ca-cert Opaque 3 25h
my-cluster-cluster-ca Opaque 1 25h
my-cluster-cluster-ca-cert Opaque 3 25h
my-cluster-cluster-operator-certs Opaque 4 25h
my-cluster-entity-operator-certs Opaque 4 25h
my-cluster-entity-operator-token-zp5k2 kubernetes.io/service-account-token 3 25h
my-cluster-kafka-brokers Opaque 4 25h
my-cluster-kafka-token-bxff5 kubernetes.io/service-account-token 3 25h
my-cluster-zookeeper-nodes Opaque 4 25h
my-cluster-zookeeper-token-bfbx4 kubernetes.io/service-account-token 3 25h
my-secret Opaque 2 62d
my-user Opaque 5 60d
strimzi-cluster-operator-token-qcsjg kubernetes.io/service-account-token 3 78d


Can you please suggest the next steps to access the Kafka cluster with TLS enabled?

scholzj (Member) commented Nov 17, 2020

Right now, your kafka.yaml file configures only encryption, not any authentication. So the client does not need any keystore to connect. The truststore should be sufficient. You should be able to get the truststore from the my-cluster-cluster-ca-cert secret:

  • Either use the p12 file (can be used directly from Java) and the related password
  • Or take the crt file and create a truststore using keytool from Java

If you also want to use TLS client authentication, you will need to enable it in the Kafka YAML:

      external:
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        overrides:
          bootstrap:
            loadBalancerIP: xxxxx
          brokers:
          - broker: 0
            loadBalancerIP: xxxxx

And then you can get the keystore from the user secret (in your case I guess the one called my-user). Again, it should have:

  • Either a p12 keystore file with a password, which you should be able to use directly with Java
  • Or crt and key files, which you would need to convert into a keystore.
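The two routes described in the answer above, as an added shell script (not part of this issue and not Strimzi's own tooling): it decodes the cluster CA from the my-cluster-cluster-ca-cert secret, optionally the client keystore from a KafkaUser secret, and writes the properties file that the kafka-console-* tools take via --producer.config / --consumer.config. It assumes kubectl, base64 and keytool are on PATH, that you are already authenticated against the cluster, and that the secret keys are the ones Strimzi creates (ca.crt, ca.p12, ca.password, user.p12, user.password). The output directory, the JKS store password and the cluster/user names are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not Strimzi's tooling: build Kafka client TLS material from the
# secrets the Strimzi operator creates. Assumes kubectl, base64 and keytool on PATH.
set -eu

# Decode one key of a Secret to a file. Dots in the key name must be escaped
# for jsonpath (ca.crt -> ca\.crt).
secret_key() {  # secret namespace key outfile
  key=$(printf '%s' "$3" | sed 's/\./\\./g')
  kubectl get secret "$1" -n "$2" -o "jsonpath={.data.$key}" | base64 --decode > "$4"
}

# Route A: use the PKCS12 truststore Strimzi already ships in the CA secret.
fetch_truststore_p12() {  # cluster namespace outdir
  secret_key "$1-cluster-ca-cert" "$2" ca.p12 "$3/ca.p12"
  secret_key "$1-cluster-ca-cert" "$2" ca.password "$3/ca.password"
}

# Route B: import the PEM CA certificate into a JKS truststore with keytool.
fetch_truststore_jks() {  # cluster namespace outdir storepass
  secret_key "$1-cluster-ca-cert" "$2" ca.crt "$3/ca.crt"
  keytool -importcert -noprompt -alias strimzi-cluster-ca \
    -file "$3/ca.crt" -keystore "$3/truststore.jks" -storepass "$4"
}

# TLS client authentication: the KafkaUser secret carries a ready-made PKCS12 keystore.
fetch_user_keystore() {  # user namespace outdir
  secret_key "$1" "$2" user.p12 "$3/user.p12"
  secret_key "$1" "$2" user.password "$3/user.password"
}

# Render the client properties. Pure text, so it can be checked without a cluster.
# The truststore type is inferred from the file extension; the keystore is the
# PKCS12 file from the user secret. Hostname verification is left at its default.
client_properties() {  # truststore truststore_pass [keystore keystore_pass]
  case "$1" in
    *.p12|*.pfx) ts_type=PKCS12 ;;
    *) ts_type=JKS ;;
  esac
  printf 'security.protocol=SSL\n'
  printf 'ssl.truststore.type=%s\n' "$ts_type"
  printf 'ssl.truststore.location=%s\n' "$1"
  printf 'ssl.truststore.password=%s\n' "$2"
  if [ "$#" -ge 4 ]; then
    printf 'ssl.keystore.type=PKCS12\n'
    printf 'ssl.keystore.location=%s\n' "$3"
    printf 'ssl.keystore.password=%s\n' "$4"
  fi
}

main() {  # cluster namespace outdir [kafkauser]
  mkdir -p "$3"
  fetch_truststore_p12 "$1" "$2" "$3"
  if [ "$#" -ge 4 ]; then
    fetch_user_keystore "$4" "$2" "$3"
    client_properties "$3/ca.p12" "$(cat "$3/ca.password")" \
      "$3/user.p12" "$(cat "$3/user.password")" > "$3/client-ssl.properties"
  else
    client_properties "$3/ca.p12" "$(cat "$3/ca.password")" > "$3/client-ssl.properties"
  fi
  echo "wrote $3/client-ssl.properties"
}

# Usage: sh strimzi-client-tls.sh my-cluster kafka-op-test ./out [my-user]
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Point the console tools at the external bootstrap address on port 9094 and pass out/client-ssl.properties as the producer or consumer config. The script deliberately does not set ssl.endpoint.identification.algorithm, so hostname verification stays enabled; the broker certificates Strimzi issues carry the load balancer addresses, so it is not necessary to turn it off.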

raju-lv (Author) commented Dec 15, 2020

Thanks for the help. I have now upgraded the Strimzi operator to 0.20 and the Kafka version to 2.6.0. In this version the overrides option is deprecated, and my new listener configuration for type loadbalancer is below. I was facing an issue while deploying the Kafka cluster. Is there any configuration for specifying a particular IP for the bootstrap and Kafka brokers, as we did in the earlier version? I found the configuration in the documentation but am confused about the ranges. Providing the URL for reference:
https://strimzi.io/docs/operators/master/using.html#type-GenericKafkaListener-reference

kafka.yaml:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: kafka-develop
  annotations:
     metallb.universe.tf/allow-shared-ip: smart
spec:
  kafka:
    version: 2.6.0
    replicas: 1
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.6"
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false
  zookeeper:
    replicas: 1
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false

Issue while deploying:

kubectl create -f kafka-auth.yaml -n kafka-op-test
The Kafka "my-cluster" is invalid: []: Invalid value: map[string]interface {}{"apiVersion":"kafka.strimzi.io/v1beta1", "kind":"Kafka", "metadata":map[string]interface {}{"creationTimestamp":"2020-12-15T16:53:51Z", "generation":1, "name":"my-cluster", "namespace":"kafka-op-test", "uid":"cbe0340d-be8e-44d7-b046-12a5e67bff1e"}, "spec":map[string]interface {}{"entityOperator":map[string]interface {}{"topicOperator":map[string]interface {}{}, "userOperator":map[string]interface {}{}}, "kafka":map[string]interface {}{"config":map[string]interface {}{"log.message.format.version":"2.6", "offsets.topic.replication.factor":1, "transaction.state.log.min.isr":1, "transaction.state.log.replication.factor":1}, "jvmOptions":map[string]interface {}{"-Xms":"4096m", "-Xmx":"4096m"}, "listeners":[]interface {}{map[string]interface {}{"name":"plain", "port":9092, "tls":false, "type":"internal"}, map[string]interface {}{"name":"tls", "port":9093, "tls":true, "type":"internal"}}, "replicas":1, "resources":map[string]interface {}{"limits":map[string]interface {}{"cpu":"3", "memory":"24Gi"}, "requests":map[string]interface {}{"cpu":"1", "memory":"8Gi"}}, "storage":map[string]interface {}{"type":"jbod", "volumes":[]interface {}{map[string]interface {}{"class":"sc-paas", "deleteClaim":false, "id":0, "size":"10Gi", "type":"persistent-claim"}}}, "version":"2.6.0"}, "zookeeper":map[string]interface {}{"jvmOptions":map[string]interface {}{"-Xms":"4096m", "-Xmx":"4096m"}, "replicas":1, "resources":map[string]interface {}{"limits":map[string]interface {}{"cpu":"3", "memory":"24Gi"}, "requests":map[string]interface {}{"cpu":"1", "memory":"8Gi"}}, "storage":map[string]interface {}{"class":"sc-paas", "deleteClaim":false, "size":"10Gi", "type":"persistent-claim"}}}}: validation failure list:
spec.kafka.listeners in body must be of type object: "array"

scholzj (Member) commented Dec 15, 2020

I do not think you updated to Strimzi 0.20.0. I think the error suggests that at least your CRD resources are still from the previous version.

As for the overrides, the features from there are still available. They have just been merged into the configuration section, so you can specify them there. Please have a look at the docs.

raju-lv (Author) commented Dec 15, 2020

Thank you for the quick support. I have now upgraded to 0.20 and deployed Kafka with the following configuration.
The EXTERNAL-IP is getting enabled, but the Kafka broker pods are not coming up. Please suggest any changes required in the configuration.

kubectl get all -n kafka-op-test
NAME READY STATUS RESTARTS AGE
pod/kafka-develop-zookeeper-0 1/1 Running 0 24m
pod/strimzi-cluster-operator-79d4788f7c-wk9lh 1/1 Running 0 82m

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kafka-develop-kafka-0 LoadBalancer xxxxxxx 9094:31949/TCP 24m
service/kafka-develop-kafka-bootstrap ClusterIP xxxxxxxx 9091/TCP,9092/TCP,9093/TCP 24m
service/kafka-develop-kafka-brokers ClusterIP None 9091/TCP,9092/TCP,9093/TCP 24m
service/kafka-develop-kafka-external-bootstrap LoadBalancer xxxxxxx xxxxxxxx 9094:30387/TCP 24m
service/kafka-develop-zookeeper-client ClusterIP xxxxxxxx 2181/TCP 24m
service/kafka-develop-zookeeper-nodes ClusterIP None 2181/TCP,2888/TCP,3888/TCP 24m

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/strimzi-cluster-operator 1/1 1 1 82m

NAME DESIRED CURRENT READY AGE
replicaset.apps/strimzi-cluster-operator-79d4788f7c 1 1 1 82m

NAME READY AGE

Kafka.yaml:
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: kafka-develop
  annotations:
    metallb.universe.tf/allow-shared-ip: smart
spec:
  kafka:
    version: 2.6.0
    replicas: 1
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        configuration:
          bootstrap:
            loadBalancerIP: xxxxxxxxx
            brokers:
              - broker: 0
                loadBalancerIP: xxxxxxxxx
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.6"
    resources:
      requests:
        memory: 8Gi
        cpu: "1"
      limits:
        memory: 24Gi
        cpu: "3"
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false
  zookeeper:
    replicas: 1
    resources:
      requests:
        memory: 8Gi
        cpu: "1"
      limits:
        memory: 24Gi
        cpu: "3"
    storage:
      type: persistent-claim
      size: 10Gi
      class: sc-paas
      deleteClaim: false

Operator logs:
2020-12-15 21:20:49 WARN AbstractOperator:139 - Kafka resource kafka-develop in namespace kafka-op-test: Contains object at path spec.kafka.listeners.genericKafkaListeners.configuration.bootstrap with an unknown property: brokers
2020-12-15 21:20:49 WARN AbstractOperator:139 - Kafka resource kafka-develop in namespace kafka-op-test: Contains object at path spec.kafka.listeners.genericKafkaListeners.configuration.bootstrap with an unknown property: brokers
2020-12-15 21:20:49 INFO AbstractOperator:217 - Reconciliation #39(watch) Kafka(kafka-op-test/kafka-develop): Kafka kafka-develop will be checked for creation or modification
2020-12-15 21:21:47 INFO ClusterOperator:125 - Triggering periodic reconciliation for namespace *...
2020-12-15 21:21:57 WARN AbstractOperator:377 - Reconciliation #40(timer) Kafka(kafka-op-test/kafka-develop): Failed to acquire lock lock::kafka-op-test::Kafka::kafka-develop within 10000ms.
2020-12-15 21:23:47 INFO ClusterOperator:125 - Triggering periodic reconciliation for namespace *...
2020-12-15 21:23:57 WARN AbstractOperator:377 - Reconciliation #41(timer) Kafka(kafka-op-test/kafka-develop): Failed to acquire lock lock::kafka-op-test::Kafka::kafka-develop within 10000ms.
2020-12-15 21:25:47 INFO ClusterOperator:125 - Triggering periodic reconciliation for namespace *...
2020-12-15 21:25:50 ERROR Util:124 - Exceeded timeout of 300000ms while waiting for Service resource kafka-develop-kafka-0 in namespace kafka-op-test to be addressable
2020-12-15 21:25:50 ERROR AbstractOperator:238 - Reconciliation #39(watch) Kafka(kafka-op-test/kafka-develop): createOrUpdate failed
io.strimzi.operator.common.operator.resource.TimeoutException: Exceeded timeout of 300000ms while waiting for Service resource kafka-develop-kafka-0 in namespace kafka-op-test to be addressable
at io.strimzi.operator.common.Util$1.lambda$handle$1(Util.java:125) ~[io.strimzi.operator-common-0.20.0.jar:0.20.0]
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:327) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.vertx.core.impl.ContextImpl.executeTask(ContextImpl.java:366) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.vertx.core.impl.EventLoopContext.lambda$executeAsync$0(EventLoopContext.java:38) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500) [io.netty.netty-transport-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at java.lang.Thread.run(Thread.java:834) [?:?]
2020-12-15 21:25:50 WARN AbstractOperator:470 - Reconciliation #39(watch) Kafka(kafka-op-test/kafka-develop): Failed to reconcile
io.strimzi.operator.common.operator.resource.TimeoutException: Exceeded timeout of 300000ms while waiting for Service resource kafka-develop-kafka-0 in namespace kafka-op-test to be addressable
at io.strimzi.operator.common.Util$1.lambda$handle$1(Util.java:125) ~[io.strimzi.operator-common-0.20.0.jar:0.20.0]
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:327) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.vertx.core.impl.ContextImpl.executeTask(ContextImpl.java:366) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.vertx.core.impl.EventLoopContext.lambda$executeAsync$0(EventLoopContext.java:38) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500) [io.netty.netty-transport-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
at java.lang.Thread.run(Thread.java:834) [?:?]
2020-12-15 21:25:50 WARN AbstractOperator:139 - Kafka resource kafka-develop in namespace kafka-op-test: Contains object at path spec.kafka.listeners.genericKafkaListeners.configuration.bootstrap with an unknown property: brokers
2020-12-15 21:25:50 WARN AbstractOperator:139 - Kafka resource kafka-develop in namespace kafka-op-test: Contains object at path spec.kafka.listeners.genericKafkaListeners.configuration.bootstrap with an unknown property: brokers
2020-12-15 21:25:50 INFO AbstractOperator:217 - Reconciliation #42(timer) Kafka(kafka-op-test/kafka-develop): Kafka kafka-develop will be checked for creation or modification

scholzj (Member) commented Dec 15, 2020

Could you please use code formatting for the YAMLs and command outputs? It would make it much easier to decode it and help.

The error says Exceeded timeout of 300000ms while waiting for Service resource kafka-develop-kafka-0 in namespace kafka-op-test to be addressable ... and you masked the output in the list of services. So I do not know what exactly is there for the kafka-develop-kafka-0 service. But I guess the load balancer was not provisioned. Does it have something like Pending instead of the load balancer IP or something like that? Its address is needed to configure the Kafka broker. So the operator cannot proceed without it.
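An added shell example (not from Strimzi or from this issue's author) that puts the two previous answers together: the 0.20 listener layout in which the old overrides keys live under configuration, with bootstrap and brokers as siblings there rather than brokers nested under bootstrap (the nesting the operator warned about in the log above), applied as a merge patch, followed by a wait loop that checks the load balancer Services for an address before expecting the broker pods to start. kubectl is assumed on PATH; the cluster name, namespace and IPs are placeholders you pass in, and the Service names are the ones shown in the kubectl output above.

```shell
#!/bin/sh
# Added example, not Strimzi's tooling: apply the Strimzi 0.20 loadbalancer listener
# configuration and wait for the LoadBalancer Services to become addressable.
set -eu

# Print the JSON merge patch for spec.kafka.listeners. Argument 1 is the
# bootstrap loadBalancerIP; the remaining arguments are per-broker IPs in
# broker-id order. Note bootstrap and brokers are siblings under configuration.
listener_patch() {
  bootstrap_ip=$1; shift
  brokers=""; id=0
  for ip in "$@"; do
    if [ -n "$brokers" ]; then brokers="$brokers,"; fi
    brokers="$brokers{\"broker\":$id,\"loadBalancerIP\":\"$ip\"}"
    id=$((id + 1))
  done
  printf '{"spec":{"kafka":{"listeners":[%s,%s,%s]}}}\n' \
    '{"name":"plain","port":9092,"type":"internal","tls":false}' \
    '{"name":"tls","port":9093,"type":"internal","tls":true}' \
    "{\"name\":\"external\",\"port\":9094,\"type\":\"loadbalancer\",\"tls\":true,\"configuration\":{\"bootstrap\":{\"loadBalancerIP\":\"$bootstrap_ip\"},\"brokers\":[$brokers]}}"
}

# Names of the Services created for a loadbalancer listener named "external":
# one bootstrap Service plus one per broker (as listed in the issue's kubectl output).
lb_services() {  # cluster replicas
  echo "$1-kafka-external-bootstrap"
  i=0
  while [ "$i" -lt "$2" ]; do echo "$1-kafka-$i"; i=$((i + 1)); done
}

# Poll until every LoadBalancer Service has an ingress IP or hostname, or give up.
# A Service stuck without an address is what "kubectl get svc" shows as <pending>,
# and the operator cannot finish configuring the broker until it is resolved.
wait_for_lb() {  # cluster namespace replicas timeout_seconds
  deadline=$(( $(date +%s) + $4 ))
  for svc in $(lb_services "$1" "$3"); do
    until addr=$(kubectl get svc "$svc" -n "$2" \
        -o 'jsonpath={.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}') \
        && [ -n "$addr" ]; do
      if [ "$(date +%s)" -ge "$deadline" ]; then
        echo "$svc still has no external address (EXTERNAL-IP <pending>)" >&2
        return 1
      fi
      sleep 5
    done
    echo "$svc -> $addr"
  done
}

main() {  # cluster namespace bootstrap_ip broker_ip...
  cluster=$1; ns=$2; shift 2
  kubectl patch kafka "$cluster" -n "$ns" --type merge -p "$(listener_patch "$@")"
  wait_for_lb "$cluster" "$ns" "$(( $# - 1 ))" 300
}

# Usage: sh listener-lb.sh kafka-develop kafka-op-test <bootstrap-ip> <broker0-ip> [<broker1-ip> ...]
if [ "$#" -ge 4 ]; then main "$@"; fi
```

The merge patch replaces the whole listeners array, so list every listener you want to keep, not only the external one. The wait loop is the check to run when the operator reports that a Service is not addressable: if it times out, the problem is the load balancer provisioning (MetalLB pool, shared-IP annotation, or the requested loadBalancerIP), not the Kafka resource.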

raju-lv (Author) commented Dec 21, 2020

Thanks for the reply. The external listener is now working fine, but I want to enable authentication using OAuth and authorization using Keycloak with TLS enabled. I tried the following configuration and was facing an issue. Regarding the tlsTrustedCertificates property, which secret do I need to use here? I found an issue which is similar to my requirement; providing the link below. Please suggest any configuration changes I need to make. Thanks

#2662

kafka.yaml:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
name: kafka-develop
#annotations:
#metallb.universe.tf/allow-shared-ip: smart
spec:
  kafka:
    version: 2.6.0
    replicas: 3
    listeners:
    - name: external
      port: 9094
      type: loadbalancer
      tls: true
      tls:
        authentication:
        type: oauth
        validIssuerUri: https://keycloak-nst.com:30193/auth/realms/test
        jwksEndpointUri: https://keycloak-nst.com:30193/auth/realms/test/protocol/openid-connect/certs
        userNameClaim: preferred_username
     # tlsTrustedCertificates:
     # - secretName: oauth-server-cert
     # certificate: ca.crt
  authorization:
    type: keycloak
    clientId: strimzi-op-kafka
    tokenEndpointUri: https://keycloak-nst.com:30193/auth/realms/test/protocol/openid-connect/token
    delegateToKafkaAcls: true
    superUsers:
    - User:service-account-kafka

Issue:
kubectl create -f kafka-new.yaml -n operator
The Kafka "kafka-develop" is invalid:

  • : Invalid value: "": "spec.kafka.listeners" must validate one and only one schema (oneOf). Found none valid
  • spec.kafka.listeners.tls: Invalid value: "object": spec.kafka.listeners.tls in body must be of type boolean: "object"

raju-lv (Author) commented Dec 21, 2020

Sorry, after posting the comment its original formatting changed, and I tried to edit the comment as well. I'll try to provide the original format of the kafka.yaml file.

scholzj (Member) commented Dec 21, 2020

Well, the YAML you posted is wrong ... you have the tls key twice there and have authentication misaligned. Also the authorization section seems to be badly aligned.

raju-lv (Author) commented Dec 21, 2020

I'm providing it as a screenshot now.
[screenshot]

scholzj (Member) commented Dec 21, 2020

Please read my answer above.

scholzj closed this as completed Feb 17, 2021

Cshanmukh80 commented
This is my server.properties:

security.protocol=SSL
ssl.truststore.location=/tmp/kafka/kafka.truststore.jks
ssl.truststore.password=kafka123
ssl.keystore.location=/tmp/kafka/kafka.keystore.jks
ssl.keystore.password=kafka123
ssl.key.password=kafka123
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=

But while I am producing messages to the Strimzi Kafka it is showing the error below:

[2021-03-11 11:27:51,523] ERROR [Producer clientId=console-producer] Connection to node -1 (localhost/127.0.0.1:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Can anyone please solve my issue?

scholzj (Member) commented Mar 11, 2021

@Cshanmukh80 And how does it relate to this issue? Unless it is related, you can ask your questions here: https://github.com/strimzi/strimzi-kafka-operator/discussions ... you should also provide all the information, including full logs, the configuration of your Kafka cluster (the Kafka custom resource etc.), and explain how you are trying to access the cluster etc.
