Test kafka ssl/sasl

Author: everesio

Dockerfile

@@ -1,6 +1,6 @@
 FROM golang:1.14-alpine3.11 as builder
 
-RUN apk add alpine-sdk
+RUN apk add alpine-sdk ca-certificates
 
 WORKDIR "/code"
 ADD . "/code"

README.md

@@ -52,19 +52,62 @@ prerequisites
 
 3. publish messages using mosquitto client
 
+    * proxy using Kafka PLAINTEXT listener
     ```
     docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy:1883/dummy -m "test qos 0" --repeat 1 -q 0
     docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy:1883/dummy -m "test qos 1" --repeat 1 -q 1
     docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy:1883/dummy -m "test qos 2" --repeat 1 -q 2
     ```
 
+    * proxy using Kafka SSL listener
+    ```
+    docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy-ssl:1884/dummy -m "test qos 0" --repeat 1 -q 0
+    docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy-ssl:1884/dummy -m "test qos 1" --repeat 1 -q 1
+    docker exec -it mqtt-client mosquitto_pub -L mqtt://mqtt-proxy-ssl:1884/dummy -m "test qos 2" --repeat 1 -q 2
+    ```
+
 4. check the prometheus metrics
 
     ```
     watch -c 'curl -s localhost:9090/metrics | grep mqtt | egrep -v '^#''
     ```
 
+5. see also [cp-kafka](scripts/cp-kafka/Makefile) with SASL_PLAINTEXT and SASL_SSL configuration
+
+### publish to Amazon MSK
+
+1. provision test MSK and EC2 running in [podman](https://podman.io/) 2 proxy containers
+
+    ```
+    cd scripts/msk
+    make tf-apply
+    ```
+
+2. create Kafka mqtt-test topic
+
+3. publish
+
+    * container connects to MSK PLAINTEXT listener
+    ```
+    mosquitto_pub -m "on" -t "dummy" -k 20 -i mqtt-proxy.clientv --repeat 1 -q 1 -h <ec2-ip> -p 1883
+    ```
+
+    * container connects to MSK TLS listener
+    ```
+    mosquitto_pub -m "on" -t "dummy" -k 20 -i mqtt-proxy.clientv --repeat 1 -q 1 -h <ec2-ip> -p 1884
+    ```
+
 ## Configuration
+
+### Kafka publisher
+
+Kafka producer configuration properties used by [librdkafka](https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md) should be prefixed with `producer.`
+
+```
+--mqtt.publisher.kafka.config=producer.sasl.mechanisms=PLAIN,producer.security.protocol=SASL_SSL,producer.sasl.username=myuser,producer.sasl.password=mypasswd
+```
+
+
 ### Examples
 
 - Ignore subscribe / unsubscribe requests

pkg/config/config_test.go

@@ -0,0 +1,49 @@
+package config
+
+import (
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestKafkaConfArgs(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  string
+		output KafkaConfigArgs
+		err    error
+	}{
+		{
+			name:  "Set parameters",
+			input: "bootstrap.servers=localhost:9092,producer.sasl.mechanisms=PLAIN,producer.security.protocol=SASL_SSL,producer.sasl.username=myuser,producer.sasl.password=mypasswd,{qos-0}.producer.hello=property for qos 0",
+			output: KafkaConfigArgs{
+				conf: map[string]kafka.ConfigValue{
+					"bootstrap.servers":          "localhost:9092",
+					"producer.sasl.mechanisms":   "PLAIN",
+					"producer.security.protocol": "SASL_SSL",
+					"producer.sasl.username":     "myuser",
+					"producer.sasl.password":     "mypasswd",
+					"{qos-0}.producer.hello":     "property for qos 0",
+				},
+			},
+		},
+		{
+			name:  "Error expected key=value",
+			input: "bootstrap.servers",
+			output: KafkaConfigArgs{
+				conf: map[string]kafka.ConfigValue{},
+			},
+			err: kafka.NewError(-186, "Expected key=value", false),
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			a := assert.New(t)
+
+			s := new(Server)
+			err := s.MQTT.Publisher.Kafka.ConfArgs.Set(tc.input)
+			a.Equal(tc.err, err)
+			a.Equal(tc.output, s.MQTT.Publisher.Kafka.ConfArgs)
+		})
+	}
+}

pkg/publisher/kafka/kafka.go

@@ -203,7 +203,7 @@ func producerProperties(qos byte, opts options) *kafka.ConfigMap {
 	for k, v := range propertiesWithPrefix(opts.configMap, "producer.", true) {
 		_ = configMap.SetKey(k, v)
 	}
-	for k, v := range propertiesWithPrefix(opts.configMap, fmt.Sprintf("{qos=%d}.producer.", qos), true) {
+	for k, v := range propertiesWithPrefix(opts.configMap, fmt.Sprintf("{qos-%d}.producer.", qos), true) {
 		_ = configMap.SetKey(k, v)
 	}
 	return &configMap

pkg/publisher/kafka/kafka_test.go

@@ -0,0 +1,48 @@
+package kafka
+
+import (
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestProducerProperties(t *testing.T) {
+	tests := []struct {
+		name   string
+		qos    byte
+		input  options
+		output kafka.ConfigMap
+	}{
+		{
+			name: "Set producer parameters",
+			qos:  0,
+			input: options{
+				bootstrapServers: "localhost:9092",
+				configMap: kafka.ConfigMap{
+					"producer.sasl.mechanisms":   "PLAIN",
+					"producer.security.protocol": "SASL_SSL",
+					"producer.sasl.username":     "myuser",
+					"producer.sasl.password":     "mypasswd",
+					"{qos-1}.producer.hello":     "property for qos 1",
+					"{qos-0}.producer.hello":     "property for qos 0",
+				},
+			},
+			output: kafka.ConfigMap{
+				"bootstrap.servers": "localhost:9092",
+				"sasl.mechanisms":   "PLAIN",
+				"security.protocol": "SASL_SSL",
+				"sasl.username":     "myuser",
+				"sasl.password":     "mypasswd",
+				"hello":             "property for qos 0",
+			},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			a := assert.New(t)
+
+			actual := producerProperties(tc.qos, tc.input)
+			a.Equal(tc.output, *actual)
+		})
+	}
+}

scripts/cp-kafka/Makefile

@@ -1,6 +1,9 @@
 .DEFAULT_GOAL := build-up
 .PHONY: build up down build-up
 
+ROOT_DIR       := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+MQTT_PROXY     := $(ROOT_DIR)/../../mqtt-proxy
+
 build-up: build up
 
 build:
@@ -22,3 +25,53 @@ test-publish:
 
 test-listen:
 	docker exec -it broker kafka-console-consumer --bootstrap-server localhost:9092 --topic mqtt-test --property print.key=true --from-beginning
+
+server-security-plaintext:
+	@$(MQTT_PROXY) server \
+       --mqtt.listen-address="0.0.0.0:2883" \
+       --http.listen-address="0.0.0.0:10090" \
+       --mqtt.publisher.name=kafka \
+	   --mqtt.publisher.kafka.bootstrap-servers=localhost:9092 \
+	   --mqtt.publisher.kafka.default-topic=mqtt-test
+
+server-security-sasl-plaintext:
+	@$(MQTT_PROXY) server \
+       --mqtt.listen-address="0.0.0.0:2883" \
+       --http.listen-address="0.0.0.0:10090" \
+       --mqtt.publisher.name=kafka \
+	   --mqtt.publisher.kafka.bootstrap-servers=localhost:9093 \
+	   --mqtt.publisher.kafka.config=producer.sasl.mechanisms=PLAIN,producer.security.protocol=SASL_PLAINTEXT,producer.sasl.username=mqtt_proxy,producer.sasl.password=mqtt-proxy-secret \
+	   --mqtt.publisher.kafka.default-topic=mqtt-test
+
+server-security-ssl:
+	@$(MQTT_PROXY) server \
+       --mqtt.listen-address="0.0.0.0:2883" \
+       --http.listen-address="0.0.0.0:10090" \
+       --mqtt.publisher.name=kafka \
+	   --mqtt.publisher.kafka.bootstrap-servers=localhost:9094 \
+	   --mqtt.publisher.kafka.config=producer.security.protocol=SSL,producer.ssl.ca.location=$(ROOT_DIR)/security/certs/ca-cert.pem \
+	   --mqtt.publisher.kafka.default-topic=mqtt-test
+
+server-security-sasl-ssl:
+	@$(MQTT_PROXY) server \
+       --mqtt.listen-address="0.0.0.0:2883" \
+       --http.listen-address="0.0.0.0:10090" \
+       --mqtt.publisher.name=kafka \
+	   --mqtt.publisher.kafka.bootstrap-servers=localhost:9095 \
+	   --mqtt.publisher.kafka.config=producer.sasl.mechanisms=PLAIN,producer.security.protocol=SASL_SSL,producer.ssl.ca.location=$(ROOT_DIR)/security/certs/ca-cert.pem,producer.sasl.username=mqtt_proxy,producer.sasl.password=mqtt-proxy-secret \
+	   --mqtt.publisher.kafka.default-topic=mqtt-test
+
+server-tls-security-plaintext:
+	@$(MQTT_PROXY) server \
+       --mqtt.listen-address="0.0.0.0:3883" \
+       --http.listen-address="0.0.0.0:20090" \
+       --mqtt.server-tls-key=$(ROOT_DIR)/security/certs/proxy-key.pem  \
+       --mqtt.server-tls-cert=$(ROOT_DIR)/security/certs/proxy-signed.pem  \
+       --mqtt.publisher.name=kafka \
+	   --mqtt.publisher.kafka.bootstrap-servers=localhost:9092 \
+	   --mqtt.publisher.kafka.default-topic=mqtt-test
+
+publish-mosquitto:
+	mosquitto_pub -L mqtt://localhost:2883/dummy -m "test qos 0" --repeat 1 -q 0
+	mosquitto_pub -L mqtt://localhost:2883/dummy -m "test qos 1" --repeat 1 -q 1
+	mosquitto_pub -L mqtt://localhost:2883/dummy -m "test qos 2" --repeat 1 -q 2

scripts/cp-kafka/docker-compose.yml

@@ -18,17 +18,38 @@ services:
     depends_on:
       - zookeeper
     ports:
-      - "19092:19092"
       - "9092:9092"
+      - "9093:9093"
+      - "9094:9094"
+      - "9095:9095"
+      - "19092:19092"
+      - "19093:19093"
+      - "19094:19094"
+      - "19095:19095"
+    volumes:
+      - $PWD/security:/etc/kafka/secrets
     environment:
       KAFKA_BROKER_ID: 1
       KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
-      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
-      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://broker:19092,PLAINTEXT_HOST://localhost:9092
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_PLAINTEXT_HOST:SASL_PLAINTEXT,SSL:SSL,SSL_HOST:SSL,SASL_SSL:SASL_SSL,SASL_SSL_HOST:SASL_SSL
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://broker:19092,PLAINTEXT_HOST://localhost:9092,SASL_PLAINTEXT://broker:19093,SASL_PLAINTEXT_HOST://localhost:9093,SSL://broker:19094,SSL_HOST://localhost:9094,SASL_SSL://broker:19095,SASL_SSL_HOST://localhost:9095
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
       KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
       KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
       KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
+      KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
+      # KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf -Djavax.net.debug=all
+      KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf
+      KAFKA_ZOOKEEPER_SASL_CLIENT: 'FALSE'
+      ZOOKEEPER_SASL_CLIENT: 'FALSE'
+      ZOOKEEPER_SASL_ENABLED: 'FALSE'
+      KAFKA_SSL_KEYSTORE_FILENAME: certs/docker.kafka.server.keystore.jks
+      KAFKA_SSL_KEYSTORE_CREDENTIALS: certs/docker.kafka.server.keystore.passwd
+      KAFKA_SSL_KEY_CREDENTIALS: certs/docker.kafka.server.key.passwd
+      KAFKA_SSL_TRUSTSTORE_FILENAME: certs/docker.kafka.server.truststore.jks
+      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: certs/docker.kafka.server.truststore.passwd
+      # none, requested, required
+      KAFKA_SSL_CLIENT_AUTH: requested
   mqtt-proxy:
     hostname: mqtt-proxy
     container_name: mqtt-proxy
@@ -46,6 +67,28 @@ services:
       - 1883:1883/tcp
       - 9090:9090/tcp
     restart: unless-stopped
+  mqtt-proxy-ssl:
+    hostname: mqtt-proxy-ssl
+    container_name: mqtt-proxy-ssl
+    build:
+      context: ../..
+      dockerfile: Dockerfile
+    command:
+      - server
+      - '--mqtt.publisher.name=kafka'
+      - '--mqtt.listen-address=0.0.0.0:1884'
+      - '--http.listen-address=0.0.0.0:9091'
+      - '--mqtt.publisher.kafka.bootstrap-servers=broker:19094'
+      - '--mqtt.publisher.kafka.default-topic=mqtt-test'
+      - '--mqtt.publisher.kafka.config=producer.security.protocol=SSL,producer.ssl.ca.location=/etc/mqtt-proxy/secrets/certs/ca-cert.pem'
+    depends_on:
+      - broker
+    ports:
+      - 1884:1884/tcp
+      - 9091:9091/tcp
+    volumes:
+      - $PWD/security:/etc/mqtt-proxy/secrets
+    restart: unless-stopped
   mqtt-client:
     image: eclipse-mosquitto
     hostname: mqtt-client

scripts/cp-kafka/security/broker_jaas.conf

@@ -0,0 +1,16 @@
+KafkaServer {
+    org.apache.kafka.common.security.plain.PlainLoginModule required
+    username="broker"
+    password="broker-secret"
+    user_broker="broker-secret"
+    user_mqtt_proxy="mqtt-proxy-secret"
+    ;
+};
+
+KafkaClient {
+  org.apache.kafka.common.security.plain.PlainLoginModule required
+  username="broker"
+  password="broker-secret"
+  user_broker="broker-secret"
+  ;
+};

scripts/cp-kafka/security/certs/ca-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUWS/AVh8AcU8xMSmChyenwlb9liowDQYJKoZIhvcNAQEL
+BQAwUzELMAkGA1UEBhMCREUxDTALBgNVBAcMBEJvbm4xEjAQBgNVBAoMCWdyZXBw
+bGFiczENMAsGA1UECwwETm9uZTESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMDUy
+OTE1NDQzNloXDTQwMDUyNDE1NDQzNlowUzELMAkGA1UEBhMCREUxDTALBgNVBAcM
+BEJvbm4xEjAQBgNVBAoMCWdyZXBwbGFiczENMAsGA1UECwwETm9uZTESMBAGA1UE
+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0II7
+7/IAZpKaluc8q8i9PTWZ/R+I9AcCifrZGSkCSTwL52qWeoVFnv4xEpUhQVgqVqAq
+q099J1+y0bZ+4YtdCxs+DHBuT70XVY5n0Dc92viOqCFfCMB9IjT6lc0ZEzj3qcks
+Qh+TrebEYrqlLgO+K6H2i1cdQW1qzOg7BD5YOUAU6vBm/McpcsEON0bEl7CkscdS
+vJBt19xZaccKfWUx3m93PMjqrmUQRzBPI8T9iqD244lltAmhx5LzdFD+mJaf0iOG
+UElfEjKqEFbmtwOOxy60wCEsbaKokrILAGEWXacA+3T+nmAvF0pSkh4WUVbUixnY
+Pqda9cpjJM+gmOcZ/QIDAQABo1MwUTAdBgNVHQ4EFgQUu5xOVc73Ro+iwoK1qc9U
+NWM/2IYwHwYDVR0jBBgwFoAUu5xOVc73Ro+iwoK1qc9UNWM/2IYwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHnsDTSkngXjnY97MB82r7TPY3L3q
+p0dfu8FKt/Ybik9tjoX3CWWAcbv/7SxiXdC8Dw1xbqJO8UHJwzPeHyQZRebcDbrB
+vbN8C4iJDiMyfs6fnxZCAWL/zWIhxujqJSurae4kcm2sMNxbwcMITnixHwU38euQ
+paXkyKzXzzj0vFxNQCj34QNisFLqM2nrZuDneQ7VbnKHDF5hf5ZiPViDmUEFwHjk
+HpAKgUXWULX6UWRdDROJyfGu9mjY8mcQSzhUXL3+qZ5mYlyLZ0aR5bgz+/+BTvoN
+0GHeHwlSNG//Cd7LiKdTiUjWxL7pLhksru0OPyWJpIT9FjAKSQo0zrpT4g==
+-----END CERTIFICATE-----

scripts/cp-kafka/security/certs/ca-cert.srl

@@ -0,0 +1 @@
+21068AE6AF5C4D92DD05FA750CF6F70E0D92A0DB