kafka-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephane Maarek <steph...@simplemachines.com.au>
Subject Kafka SSL encryption plus external CA
Date Mon, 19 Dec 2016 03:50:38 GMT
Hi,

I have read the docs extensively but yet there are a few answers I can’t
find. It has to do with external CA
Please confirm my understanding if possible:

I can create my own CA to sign all the brokers and clients certificates.
Pros:
- cheap, easy, automated. I need to find a way to access that CA
programatically for new brokers if I want to automated their deployment,
but I could use something like credstash or vault for that.
Cons:
- all of my clients needs to trust the CA. That means somehow find a way
for my clients to get access to the CA  using ca-cert and add it to their
truststore… correct?

I don’t really like the fact that I need to provide the CA cert file to
every client. That seems quite hard to achieve, and prevents my users from
using the Kafka cluster directly. What’s the best way for the Kafka clients
to get access to the CA, while my users are doing dev, etc? Most of our
applications run in Docker, which means we usually pass stuff around using
environment variables.


My next idea was to use an external CA (like Verisign) to sign my
certificate with a wildcard *.kafka.mydomain.com (A records pointing to
internal IPs - the DNS name would be the advertised kafka hostname). My
goal was then for the clients not to require to trust the CA because it
would be automatically trusted? Do I have the correct understanding? Or do
I still need to add the external CA to the truststore of my clients?
(basically I’m trying to reproduce the behaviour of what a web browser
does).


Finally, is it recommended to enable SSL in my dev Kafka cluster vs my prod
Kafka cluster, or to have SSL on each cluster?

Thanks!

Kind regards,
Stephane

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message