Fluid server services rdkafka orderer implementation for Fluid reference service.
See GitHub for more details on the Fluid Framework and packages within.
Fundamentally, to setup SSL/TLS for Kafka, both Kafka client and Kafka server changes are needed.
This implementation using node-rdkafka provides built-in support for SSL/TLS. But, by default, SSL is disabled in this implementation since the setup in routerlicious' docker-compose.yml does not configure SSL for the Kafka service.
If you wish to enable SSL for Kafka, please follow these instructions:
-
Configure SSL in the Kafka service. General instructions on how to do that can be found in the official Kafka documentation. But since we are using
node-rdkafka, which is based onlibrdkafka, you can uselibrdkafka'sgen-ssl-certs.shscript to help you with the process. Instructions are available here. An example of putting the instructions in practice can be found below. Please note that for this example we will be using self-signed certificates, plus Docker Kafka's service name asBROKER, and also the default passwords and values in thegen-ssl-certs.shscript. Finally, the example below only configures encryption, and not Kafka client authentication.-
Under
FluidFramework/server/routerlicious, create a directory calledcerts. Open the directory.$ mkdir certs $ cd certs -
Save a copy of
gen-ssl-certs.shincerts. Make sure to make it executable.$ chmod +rx gen-ssl-certs.sh
-
Run the following commands:
$ ./gen-ssl-certs.sh ca ca-cert Kafka-Security-CA $ BROKER=kafka $ ./gen-ssl-certs.sh -k server ca-cert broker_${BROKER}_ ${BROKER}
You should now have new files under
certs, including a JKS Truststore, a JKS Keystore and the ca-cert file. -
-
Update
docker-compose.ymlunderFluidFramework/server/routerliciousto use the following setup for Kafka:kafka: image: wurstmeister/kafka:2.11-1.1.1 ports: - "9092:9092" environment: KAFKA_ADVERTISED_LISTENERS: "SSL://kafka:9092" KAFKA_LISTENERS: "SSL://0.0.0.0:9092" KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_CREATE_TOPICS: "deltas:8:1,rawdeltas:8:1,testtopic:8:1,deltas2:8:1,rawdeltas2:8:1" KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_SSL_KEYSTORE_TYPE: "JKS" KAFKA_SSL_KEYSTORE_LOCATION: "/certs/broker_kafka_server.keystore.jks" KAFKA_SSL_KEYSTORE_PASSWORD: "abcdefgh" KAFKA_SSL_KEY_PASSWORD: "abcdefgh" KAFKA_SSL_TRUSTSTORE_TYPE: "JKS" KAFKA_SSL_TRUSTSTORE_LOCATION: "/certs/broker_kafka_server.truststore.jks" KAFKA_SSL_TRUSTSTORE_PASSWORD: "abcdefgh" KAFKA_SSL_CLIENT_AUTH: "none" KAFKA_SECURITY_INTER_BROKER_PROTOCOL: "SSL" volumes: - ./certs:/certs restart: always
-
Update
docker-compose.dev.ymlunderFluidFramework/server/routerliciousto use volume mapping and copy thecertsfolder to the different Docker services. Please note that...below means that the other volume mapping rules have been omitted.version: "3.4" services: alfred: volumes: ... - ./certs:/certs deli: volumes: ... - ./certs:/certs scriptorium: volumes: ... - ./certs:/certs copier: volumes: ... - ./certs:/certs scribe: volumes: ... - ./certs:/certs riddler: volumes: ... - ./certs:/certs
-
Update
config.jsonunderFluidFramework/server/routerlicious/packages/routerlicious/configto include thesslCACertFilePathproperty inkafka.lib. Example:"kafka": { "lib": { "name": "rdkafka", "endpoint": "kafka:9092", "producerPollIntervalMs": 10, "numberOfPartitions": 8, "replicationFactor": 1, "rdkafkaOptimizedRebalance": true, "rdkafkaAutomaticConsume": true, "rdkafkaConsumeTimeout": 5, "rdkafkaMaxConsumerCommitRetries": 10, "sslCACertFilePath": "/certs/ca-cert" } },
-
Now, you can build and run routerlicious as usual and it will use SSL/TLS for Kafka.