osowski/confluent-external-config.properties

## confluent-external-config.properties
bootstrap.servers=kafka.{kubernetes-cluster-fully-qualified-domain-name}:443
security.protocol=SSL
ssl.truststore.location={/provided/to/you/by/kafka/administrator}
ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
ssl.key.password={__generated_in_coordination_with_kafka_administrator__}

## confluent-internal-config.properties
  bootstrap.servers=kafka.{namespace}.svc.cluster.local:9071
  security.protocol=SSL
  ssl.truststore.location={/provided/to/you/by/kafka/administrator}
  ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
  ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
  ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
  ssl.key.password={__generated_in_coordination_with_kafka_administrator__}

## kafka-cluster-listeners-patch.yaml
listeners:
- name: plain
  port: 9092
  type: internal
  tls: false
- name: tls
  port: 9093
  type: internal
  tls: true
- name: external
  port: 9094
  type: route
  tls: true
  authentication:
    type: tls

## kafka-quickstart-scenario-01.sh
curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
tar xvf kafka.tgz
cd kafka_2.13-2.6.1

## kafka-quickstart-scenario-02.sh
oc project kafka-security

## kafka-quickstart-scenario-03.sh
export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
export CONFIG_FILE=local-config-tls.properties
export CACERT_DIR=cacert-blog
export KAFKAUSER_DIR=my-user-blog

## kafka-quickstart-scenario-04.sh
rm -f ${CONFIG_FILE}
echo "security.protocol=SSL" >> ${CONFIG_FILE}

## kafka-quickstart-scenario-05.sh
rm -rf ${CACERT_DIR}
mkdir ${CACERT_DIR}
oc extract secret/my-cluster-cluster-ca-cert --to=./${CACERT_DIR}
echo "ssl.truststore.location=$(pwd)/${CACERT_DIR}/ca.p12" >> ${CONFIG_FILE}
echo "ssl.truststore.password=$(cat ${CACERT_DIR}/ca.password)" >> ${CONFIG_FILE}

## kafka-quickstart-scenario-06.sh
rm -rf ${KAFKAUSER_DIR}
mkdir ${KAFKAUSER_DIR}
oc extract secret/my-user --to=./${KAFKAUSER_DIR}
echo "ssl.keystore.location=$(pwd)/${KAFKAUSER_DIR}/user.p12" >> ${CONFIG_FILE}
echo "ssl.keystore.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
echo "ssl.key.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}

## kafka-quickstart-scenario-07.sh
bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
        --command-config ${CONFIG_FILE} --list

## kafka-quickstart-scenario-08.sh
bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
        --producer.config ${CONFIG_FILE} --topic my-topic

## kafka-quickstart-scenario-09.sh
bin/kafka-console-consumer.sh --bootstrap-server ${BOOTSTRAP} \
        --consumer.config ${CONFIG_FILE} --topic my-topic --from-beginning

## kafka-quickstart-scenario-all.sh
curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
tar xvf kafka.tgz
cd kafka_2.13-2.6.1

oc project kafka-security

export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
export CONFIG_FILE=local-config-tls.properties
export CACERT_DIR=cacert-blog
export KAFKAUSER_DIR=my-user-blog

rm -f ${CONFIG_FILE}
echo "security.protocol=SSL" >> ${CONFIG_FILE}

rm -rf ${CACERT_DIR}
mkdir ${CACERT_DIR}
oc extract secret/my-cluster-cluster-ca-cert --to=./${CACERT_DIR}
echo "ssl.truststore.location=$(pwd)/${CACERT_DIR}/ca.p12" >> ${CONFIG_FILE}
echo "ssl.truststore.password=$(cat ${CACERT_DIR}/ca.password)" >> ${CONFIG_FILE}

rm -rf ${KAFKAUSER_DIR}
mkdir ${KAFKAUSER_DIR}
oc extract secret/my-user --to=./${KAFKAUSER_DIR}
echo "ssl.keystore.location=$(pwd)/${KAFKAUSER_DIR}/user.p12" >> ${CONFIG_FILE}
echo "ssl.keystore.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
echo "ssl.key.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}

bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
        --command-config ${CONFIG_FILE} --list

bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
        --producer.config ${CONFIG_FILE} --topic my-topic

bin/kafka-console-consumer.sh --bootstrap-server ${BOOTSTRAP} \
        --consumer.config ${CONFIG_FILE} --topic my-topic --from-beginning

## keytool.sh
keytool -exportcert -keypass {truststore-password} \
        -keystore {provided-kafka-truststore.jks}  \
        -rfc -file {desired-kafka-cert-output.pem}

## strimzi-external-config.properties
  bootstrap.servers={kafka-cluster-name}-kafka-bootstrap-{namespace}.{kubernetes-cluster-fully-qualified-domain-name}:443
  security.protocol=SSL
  ssl.truststore.location={/provided/to/you/by/kafka/administrator}
  ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
  ssl.keystore.location={/extracted/from/generated/kafka/user/secret}/user.p12
  ssl.keystore.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
  ssl.key.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}

## strimzi-internal-config.properties
  bootstrap.servers={kafka-cluster-name}-kafka-bootstrap.{namespace}.svc.cluster.local:9093
  security.protocol=SSL
  ssl.truststore.location={/provided/to/you/by/kafka/administrator}
  ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
  ssl.keystore.location={/extracted/from/generated/kafka/user/secret}/user.p12
  ssl.keystore.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
  ssl.key.password={__extracted_from_generated_kafka_user_secret_with_key=user.password__}
	bootstrap.servers=kafka.{kubernetes-cluster-fully-qualified-domain-name}:443
	security.protocol=SSL
	ssl.truststore.location={/provided/to/you/by/kafka/administrator}
	ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
	ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
	ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
	ssl.key.password={__generated_in_coordination_with_kafka_administrator__}
	bootstrap.servers=kafka.{namespace}.svc.cluster.local:9071
	security.protocol=SSL
	ssl.truststore.location={/provided/to/you/by/kafka/administrator}
	ssl.truststore.password={__provided_to_you_by_kafka_administrator__}
	ssl.keystore.location={/generated/in/coordination/with/kafka/adminstrator}
	ssl.keystore.password={__generated_in_coordination_with_kafka_administrator__}
	ssl.key.password={__generated_in_coordination_with_kafka_administrator__}
	listeners:
	- name: plain
	port: 9092
	type: internal
	tls: false
	- name: tls
	port: 9093
	type: internal
	tls: true
	- name: external
	port: 9094
	type: route
	tls: true
	authentication:
	type: tls
	curl https://archive.apache.org/dist/kafka/2.6.1/kafka_2.13-2.6.1.tgz -o kafka.tgz
	tar xvf kafka.tgz
	cd kafka_2.13-2.6.1
	export BOOTSTRAP="$(oc get route my-cluster-kafka-bootstrap -ojsonpath='{.spec.host}'):443"
	export CONFIG_FILE=local-config-tls.properties
	export CACERT_DIR=cacert-blog
	export KAFKAUSER_DIR=my-user-blog
	rm -f ${CONFIG_FILE}
	echo "security.protocol=SSL" >> ${CONFIG_FILE}
	rm -rf ${CACERT_DIR}
	mkdir ${CACERT_DIR}
	oc extract secret/my-cluster-cluster-ca-cert --to=./${CACERT_DIR}
	echo "ssl.truststore.location=$(pwd)/${CACERT_DIR}/ca.p12" >> ${CONFIG_FILE}
	echo "ssl.truststore.password=$(cat ${CACERT_DIR}/ca.password)" >> ${CONFIG_FILE}
	rm -rf ${KAFKAUSER_DIR}
	mkdir ${KAFKAUSER_DIR}
	oc extract secret/my-user --to=./${KAFKAUSER_DIR}
	echo "ssl.keystore.location=$(pwd)/${KAFKAUSER_DIR}/user.p12" >> ${CONFIG_FILE}
	echo "ssl.keystore.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
	echo "ssl.key.password=$(cat ${KAFKAUSER_DIR}/user.password)" >> ${CONFIG_FILE}
	bin/kafka-topics.sh --bootstrap-server ${BOOTSTRAP} \
	--command-config ${CONFIG_FILE} --list
	bin/kafka-console-producer.sh --bootstrap-server ${BOOTSTRAP} \
	--producer.config ${CONFIG_FILE} --topic my-topic