1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
version: "3.9"
services:
zookeeper:
hostname: zookeeper
container_name: zookeeper
restart: always
image: confluentinc/cp-zookeeper:7.4.0
environment:
ZOOKEEPER_CLIENT_PORT: 2181
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
-DrequireClientAuthScheme=sasl
-Dzookeeper.allowSaslFailedClients=false
volumes:
- ./secrets:/etc/kafka/secrets
broker:
image: confluentinc/cp-kafka:7.4.0
hostname: broker
container_name: broker
restart: always
ports:
- 29092:29092
- 9092:9092
volumes:
- ./secrets:/etc/kafka/secrets
environment:
KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
KAFKA_INTER_BROKER_LISTENER_NAME: SASL_SSL
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,SASL_SSL_HOST:SASL_SSL
KAFKA_ADVERTISED_LISTENERS: SASL_SSL://localhost:9092,SASL_SSL_HOST://broker:29092
KAFKA_LISTENERS: SASL_SSL://:9092,SASL_SSL_HOST://:29092
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
CONFLUENT_METRICS_REPORTER_SECURITY_PROTOCOL: SASL_SSL
CONFLUENT_METRICS_REPORTER_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.plain.PlainLoginModule required \
username=\"client\" \
password=\"client-secret\";"
KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
KAFKA_SSL_KEYSTORE_FILENAME: server.keystore.jks
KAFKA_SSL_KEYSTORE_CREDENTIALS: creds
KAFKA_SSL_KEY_CREDENTIALS: creds
KAFKA_SSL_TRUSTSTORE_FILENAME: server.truststore.jks
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: creds
# KAFKA_SSL_CIPHER.SUITES: TLS_CHACHA20_POLY1305_SHA256 # FIPS non compliant algo.
# enables 2-way authentication
KAFKA_SSL_CLIENT_AUTH: "required"
KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf
KAFKA_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=(.*?),OU=TEST.*$$/$$1/,DEFAULT
|
