
[v22.3.x] Backport 5994 66 #7891

Merged
merged 3 commits into from
Jan 2, 2023

Conversation

alenkacz
Contributor

@alenkacz alenkacz commented Dec 21, 2022

When kafka api has tls enabled, we don't properly configure pandaproxy and schema registry clients to connect to kafka via these private listeners which meant that it did not work. This PR adds the missing parts of configmap and mounts the missing certificates to make it possible for pp/sr to connect.

For mTLS we need both node cert (if self signed - so that client can verify node cert) and also client certs mounted.

Example redpanda node bootstrap config when internal kafka listener has enabled Require Client Auth option:

pandaproxy:
    pandaproxy_api:
        - address: 0.0.0.0
          port: 8082
          name: proxy
pandaproxy_client:
    brokers:
        - address: cluster-0.cluster.local
          port: 123
    broker_tls:
        key_file: /etc/tls/certs/ca/tls.key
        cert_file: /etc/tls/certs/ca/tls.crt
        truststore_file: /etc/tls/certs/ca.crt
        enabled: true
schema_registry:
    schema_registry_api:
        - address: 0.0.0.0
          port: 8081
          name: schema-registry
schema_registry_client:
    brokers:
        - address: cluster-0.cluster.local
          port: 123
    broker_tls:
        key_file: /etc/tls/certs/ca/tls.key
        cert_file: /etc/tls/certs/ca/tls.crt
        truststore_file: /etc/tls/certs/ca.crt
        enabled: true

Fixes #5994

Backports Required

  • none - not a bug fix
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v22.3.x
  • v22.2.x
  • v22.1.x

UX Changes

Release Notes

Bug Fixes

  • Fixes pandaproxy and schemaregistry integration with redpanda when TLS is enabled on internal listener
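The rule the description states (a truststore is needed when the node cert is self-signed, and client key/cert are additionally needed when the listener requires client auth) can be turned into a small generator plus a check that catches the pre-fix situation, where the listener has TLS but the proxy/registry clients have no broker_tls at all. This is an added illustration, not code from the redpanda repository or the operator; the listener fields (enabled, require_client_auth, self_signed_node_cert) are assumed names, and the file paths are the mount points from the example config above.

```python
"""Build and sanity-check the broker_tls section that pandaproxy_client and
schema_registry_client need when the internal Kafka listener has TLS enabled.
Illustrative only; not the redpanda operator's own logic."""
from __future__ import annotations

from dataclasses import dataclass

# Mount points used in the PR's example bootstrap config.
NODE_CA_FILE = "/etc/tls/certs/ca.crt"
CLIENT_KEY_FILE = "/etc/tls/certs/ca/tls.key"
CLIENT_CERT_FILE = "/etc/tls/certs/ca/tls.crt"


@dataclass(frozen=True)
class KafkaListenerTLS:
    """Assumed shape of the internal Kafka listener's TLS settings."""
    enabled: bool
    require_client_auth: bool
    self_signed_node_cert: bool  # True when the node cert is not publicly trusted


def broker_tls(listener: KafkaListenerTLS) -> dict:
    """Return the broker_tls mapping an internal client needs for this listener."""
    if not listener.enabled:
        return {"enabled": False}
    cfg = {"enabled": True}
    # Self-signed node cert: the client must explicitly trust the issuing CA.
    if listener.self_signed_node_cert:
        cfg["truststore_file"] = NODE_CA_FILE
    # Require Client Auth (mTLS): the client must present its own cert and key.
    if listener.require_client_auth:
        cfg["key_file"] = CLIENT_KEY_FILE
        cfg["cert_file"] = CLIENT_CERT_FILE
    return cfg


def client_sections(listener: KafkaListenerTLS) -> dict:
    """pandaproxy_client and schema_registry_client get the same broker_tls block."""
    tls = broker_tls(listener)
    return {
        "pandaproxy_client": {"broker_tls": dict(tls)},
        "schema_registry_client": {"broker_tls": dict(tls)},
    }


def validate(listener: KafkaListenerTLS, cfg: dict) -> list[str]:
    """Flag the mismatches the PR fixes: a TLS listener whose clients are not set up."""
    problems: list[str] = []
    for section in ("pandaproxy_client", "schema_registry_client"):
        tls = cfg.get(section, {}).get("broker_tls", {})
        if listener.enabled and not tls.get("enabled"):
            problems.append(f"{section}: listener has TLS but broker_tls is not enabled")
            continue
        if listener.enabled and listener.self_signed_node_cert and "truststore_file" not in tls:
            problems.append(f"{section}: self-signed node cert but no truststore_file")
        if listener.require_client_auth and not (tls.get("key_file") and tls.get("cert_file")):
            problems.append(f"{section}: Require Client Auth but no client key_file/cert_file")
    return problems


if __name__ == "__main__":
    mtls = KafkaListenerTLS(enabled=True, require_client_auth=True, self_signed_node_cert=True)
    print(client_sections(mtls))
    print(validate(mtls, {}))  # the pre-fix state: clients have no broker_tls at all
```

Running `validate` against an empty config reproduces the failure from the issue (both clients flagged), while the generated sections pass; the check is the kind of assertion worth keeping in a configmap test so that a TLS listener can never again ship without matching client settings.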

@alenkacz alenkacz requested a review from a team as a code owner December 21, 2022 14:44
@jcsp jcsp added the kind/backport PRs targeting a stable branch label Dec 21, 2022
@jcsp jcsp changed the title Backport 5994 v22.3.x 66 [v22.3.x] Backport 5994 66 Dec 21, 2022
@piyushredpanda
Contributor

@alenkacz : This is all good to merge? If so, please do so. We might be cutting a minor first week of Jan and would be great to have this.

@alenkacz alenkacz merged commit 519bc5e into redpanda-data:v22.3.x Jan 2, 2023
@BenPope BenPope added this to the v22.3.10 milestone Jan 5, 2023
@BenPope
Member

BenPope commented Jan 6, 2023

This is a backport of #7820

Labels
area/k8s kind/backport PRs targeting a stable branch
5 participants