Kubernetes Kerberos and Kafka secret setup using Helm

2/3/2020

I have a requirement to consume from Kafka, which uses the SASL_PLAINTEXT protocol. My application is a Spring Boot app and I am trying to deploy it in Kubernetes using a Helm chart.

I have the keytab added as a Kubernetes secret, which I mounted as a file using the code below:

apiVersion: v1
kind: Pod
metadata:
  name: service-name
spec:
  volumes:
  # volume names must be lowercase DNS-1123 labels
  - name: kafka-secret
    # a volume has exactly one source (secret, configMap, emptyDir, ...);
    # secretName is a field of the secret source, so it is nested under it
    secret:
      secretName: kafka-keytab
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: kafka-secret
      # every key of the secret appears as a file directly under this path
      mountPath: /etc/security

I am specifying that mounted location of the keytab in spring.jaas.config in application.yaml:

sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/etc/security/keytabs/kafka-keytab" \
    principal="kafka-client-1@EXAMPLE.COM";

(/etc/security/keytabs/kafka-keytab is the mounted path on Kubernetes and kafka-vol is the key name.)

I have Kerberos set up. Currently I am adding krb5.conf in the Dockerfile using the below:

FROM java-jdk:11
# ADD auto-extracts a local tar archive into /
ADD service-name.tar /

# plain file copy: COPY is the idiomatic instruction, ADD is only needed for archives/URLs
COPY krb5.conf /etc/krb5.conf
# exec form: java runs as PID 1 and receives SIGTERM directly when the pod stops
ENTRYPOINT ["java", "-Djava.security.krb5.conf=/etc/krb5.conf", "-jar", "/<jar-path>"]

I am getting the below error after starting the pod in Kubernetes:

2019-08-14T09:49:51.949-05:00 [APP/PROC/WEB/0] [OUT] INFO [d3-5b28248c661c] o.a.k.common.network.SaslChannelBuilder o.a.k.c.n.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:119) - Failed to create channel due to : org.apache.kafka.common.KafkaException: Failed to configure SaslClientAuthenticator
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.configure(SaslClientAuthenticator.java:125)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.kafka.common.KafkaException: Failed to create SaslClient with mechanism GSSAPI
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:140)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:131)
    ... 11 common frames omitted
Caused by: org.ietf.jgss.GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
    at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:129)
    at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:95)
    at

Please let me know if any information is needed. Appreciate any pointers or help regarding this issue.

-- Priya Tanwar
kerberos
kubernetes
kubernetes-helm
spring-kafka

0 Answers
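Added example (not part of the question above, and not verified against the poster's cluster): one way to wire the pieces the question describes together in Kubernetes. The keytab stays in a Secret mounted read-only, krb5.conf is supplied from a ConfigMap instead of being baked into the image, and the JVM is pointed at it with -Djava.security.krb5.conf. The JDK's Kerberos code raises "Cannot locate default realm" when the krb5.conf it actually loads has no default_realm in [libdefaults] (or cannot be read at all), so the realm entry below is the one line this error depends on. The Deployment name, realm, KDC host, image, jar path and Secret key name are placeholders/assumptions; the JAAS entry in application.yaml must name the keytab at mountPath/<secret key>.

```yaml
# Added example (not from the question): keytab Secret + krb5.conf ConfigMap
# for a Spring Boot Kafka client. Names, realm, KDC host, image and secret
# key name are placeholders/assumptions.
#
# The keytab is never written into a manifest; create the Secret out of band
# from the binary file so the key name matches the path used in the JAAS entry:
#   kubectl create secret generic kafka-keytab \
#       --from-file=kafka-client.keytab=./kafka-client.keytab
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: krb5-conf
data:
  krb5.conf: |
    [libdefaults]
    # without default_realm the JDK throws "Cannot locate default realm"
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      forwardable = true
    [realms]
    # KDC host is an assumption
      EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
      }
    [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-name
  template:
    metadata:
      labels:
        app: service-name
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000        # mounted secret files are group-owned by this gid
      volumes:
      - name: kafka-keytab
        secret:
          secretName: kafka-keytab
          defaultMode: 0440  # octal; credential material gets no world-readable bit
      - name: krb5-conf
        configMap:
          name: krb5-conf
      containers:
      - name: app
        image: registry.example.com/service-name:1.0.0   # assumption
        env:
        # read by every JVM regardless of the image's ENTRYPOINT, so the
        # Dockerfile does not have to hard-code the -D flag
        - name: JAVA_TOOL_OPTIONS
          value: "-Djava.security.krb5.conf=/etc/krb5.conf"
        volumeMounts:
        - name: krb5-conf
          mountPath: /etc/krb5.conf
          subPath: krb5.conf   # overlay only this file; the rest of /etc stays intact
          readOnly: true
        # each key of the Secret becomes a file under mountPath, so with the
        # key kafka-client.keytab the JAAS entry must read
        #   keyTab="/etc/security/keytabs/kafka-client.keytab"
        - name: kafka-keytab
          mountPath: /etc/security/keytabs
          readOnly: true
```

To check the wiring independently of Kafka, exec into the pod and confirm that /etc/krb5.conf is the file you expect and that the keytab sits at the path named in the JAAS entry (kubectl exec deploy/service-name -- cat /etc/krb5.conf; ls -l /etc/security/keytabs). If the image carries the MIT tools, klist -kt on the keytab and kinit -kt with the principal prove the realm and KDC are resolvable before the Kafka client ever runs. Note that a subPath-mounted ConfigMap is not refreshed when the ConfigMap changes; a new rollout is needed to pick up an edited krb5.conf.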