Skip to main content
Quick navigation

mTLS, when SASL_SSL is not enough

When passwords are not enough, you can rely on TLS client certificate But certificates do not host vcluster information, so let's map manually CN to vclusters.

View the full demo in realtime

You can either follow all the steps manually, or watch the recording

Review the docker compose environment

As can be seen from docker-compose.yaml the demo environment consists of the following services:

  • gateway1
  • gateway2
  • kafka-client
  • kafka1
  • kafka2
  • kafka3
  • schema-registry
  • zookeeper
cat docker-compose.yaml

Generate self-signed ssl certificates

rm -f *jks *key *p12 *crt

openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 3560 \
-nodes \
-keyout san.key \
-out san.crt \
-subj '/CN=username' \
-extensions san \
-config openssl.config

openssl pkcs12 \
-export \
-in san.crt \
-inkey san.key \
-name brokers \
-out san.p12 \
-password "pass:123456"

keytool \
-noprompt \
-alias brokers \
-importkeystore \
-deststorepass 123456 \
-destkeystore keystore.jks \
-srckeystore san.p12 \
-srcstoretype PKCS12 \
-srcstorepass 123456

keytool \
-noprompt \
-import \
-alias brokers \
-file san.crt \
-keypass 123456 \
-destkeystore truststore.jks \
-storepass 123456

echo """
""" > client.config

Starting the docker environment

Start all your docker processes, wait for them to be up and ready, then run in background

  • --wait: Wait for services to be running|healthy. Implies detached mode.
  • --detach: Detached mode: Run containers in the background
docker compose up --detach --wait

Adding user mapping for CN=username

cat step-06-user-mapping.json | jq

curl \
--request POST 'http://localhost:8888/admin/userMappings/v1' \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data "@step-06-user-mapping.json" | jq

Creating topic foo on gateway1

Creating on gateway1:

  • Topic foo with partitions:10 and replication-factor:1
kafka-topics \
--bootstrap-server localhost:6969 \
--command-config client.config \
--replication-factor 1 \
--partitions 10 \
--create --if-not-exists \
--topic foo

Listing topics in gateway1

kafka-topics \
--bootstrap-server localhost:6969 \
--command-config client.config \

Listing topics in kafka1

kafka-topics \
--bootstrap-server localhost:19092,localhost:19093,localhost:19094 \

Tearing down the docker environment

Remove all your docker processes and associated volumes

  • --volumes: Remove named volumes declared in the "volumes" section of the Compose file and anonymous volumes attached to containers.
docker compose down --volumes