Kubernetes Kerberos and Kafka secret setup using Helm

Time: 2020-02-03 07:23:29

Tags: kubernetes kerberos kubernetes-helm spring-kafka

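I need to consume from a Kafka cluster that uses the SASL_PLAINTEXT protocol. My application is a Spring Boot application, and I am trying to deploy it to Kubernetes using a Helm chart.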

I added the keytab as a Kubernetes secret and mounted it as a file using the following:

apiVersion: v1
kind: Pod
metadata:
  name: service-name
spec:
  volumes:
  - name: Kafka-secret
    secret:
      secretName: kafka-keytab
    emptyDir: {}
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: Kafka-secret
      mountPath: "/etc/security"

I specified the mounted location of the keytab in spring.jaas.config in application.yaml:

sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true  \
    keyTab="/etc/security/keytabs/kafka-keytab" (This is a mounted path on kubernetes and kafka-vol is key name) \
    principal="kafka-client-1@EXAMPLE.COM";

I have Kerberos set up. Currently, I am adding krb5.conf in the Dockerfile as follows:

FROM java-jdk:11
ADD service-name.tar /

ADD krb5.conf /etc/krb5.conf
ENTRYPOINT java -Djava.security.krb5.conf=/etc/krb5.conf -jar /<jar-path>

After starting the pod in Kubernetes, I get the following error:

2019-08-14T09:49:51.949-05:00 [APP/PROC/WEB/0] [OUT] INFO [d3-5b28248c661c] o.a.k.common.network.SaslChannelBuilder o.a.k.c.n.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:119) - ||||||||||||||Failed to create channel due to :
org.apache.kafka.common.KafkaException: Failed to configure SaslClientAuthenticator at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.configure(SaslClientAuthenticator.java:125) at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.kafka.common.KafkaException: Failed to create SaslClient with mechanism GSSAPI 
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:140) 
at javax.security.auth.Subject.doAs(Subject.java:422) 
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:131) ... 11 common frames omitted
Caused by: org.ietf.jgss.GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm) 
at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:129) 
at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:95)

Please let me know if any more information is needed. I would appreciate any pointers or help on this issue.

0 answers:

No answers
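Added example, not part of the original question: a Python preflight check that a container entrypoint could run before starting the JVM, covering the two things the configuration above depends on. It checks that krb5.conf defines `default_realm` under `[libdefaults]` (the JDK reports "Cannot locate default realm" when it cannot find one) and that the `keyTab` path in the JAAS options is a file the secret volume actually provides. The function names and sample inputs are constructed for illustration; the secret key name `kafka-keytab` is an assumption.

```python
import re

def default_realm(krb5_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None

def jaas_options(jaas_text):
    """Extract key=value and key="value" options from a JAAS module entry."""
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;\\]+)', jaas_text)
    return {k: v.strip('"') for k, v in pairs}

def preflight(krb5_text, jaas_text, mounted_files):
    """Return a list of problems that would stop GSSAPI login; empty means OK."""
    problems = []
    realm = default_realm(krb5_text)
    if realm is None:
        problems.append("krb5.conf: no default_realm in [libdefaults]")
    opts = jaas_options(jaas_text)
    keytab = opts.get("keyTab")
    if keytab not in mounted_files:
        problems.append(f"keyTab {keytab} is not a file in the mounted secret")
    if "@" not in opts.get("principal", "") and realm is None:
        problems.append("principal has no realm and there is no default_realm")
    return problems

# Constructed inputs. Assumption: the secret's key is named "kafka-keytab", so
# mounting the secret at /etc/security yields /etc/security/kafka-keytab.
MOUNTED = {"/etc/security/kafka-keytab"}
JAAS = ('com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true '
        'storeKey=true keyTab="/etc/security/keytabs/kafka-keytab" '
        'principal="kafka-client-1@EXAMPLE.COM";')
KRB5_BAD = "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n"
KRB5_OK = "[libdefaults]\n default_realm = EXAMPLE.COM\n" + KRB5_BAD

if __name__ == "__main__":
    for name, conf in (("without default_realm", KRB5_BAD), ("with", KRB5_OK)):
        print(name, preflight(conf, JAAS, MOUNTED))
```

Inside a pod, `mounted_files` would come from listing the mount directory, and the krb5.conf text from the path passed in `-Djava.security.krb5.conf`.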