Enable TLS, v0.9.0.1

kafka/Dockerfile

@@ -4,24 +4,24 @@ FROM java:openjdk-8-jre
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV SCALA_VERSION 2.11
-ENV KAFKA_VERSION 0.8.2.1
+ENV KAFKA_VERSION 0.9.0.1
 ENV KAFKA_HOME /opt/kafka_"$SCALA_VERSION"-"$KAFKA_VERSION"
 
 # Install Kafka, Zookeeper and other needed things
 RUN apt-get update && \
-    apt-get install -y zookeeper wget supervisor dnsutils && \
+    apt-get install -y expect zookeeper wget supervisor dnsutils && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean && \
     wget -q http://apache.mirrors.spacedump.net/kafka/"$KAFKA_VERSION"/kafka_"$SCALA_VERSION"-"$KAFKA_VERSION".tgz -O /tmp/kafka_"$SCALA_VERSION"-"$KAFKA_VERSION".tgz && \
     tar xfz /tmp/kafka_"$SCALA_VERSION"-"$KAFKA_VERSION".tgz -C /opt && \
     rm /tmp/kafka_"$SCALA_VERSION"-"$KAFKA_VERSION".tgz
 
 ADD scripts/start-kafka.sh /usr/bin/start-kafka.sh
+ADD scripts/start-ocsp.sh /usr/bin/start-ocsp.sh
 
 # Supervisor config
-ADD supervisor/kafka.conf supervisor/zookeeper.conf /etc/supervisor/conf.d/
+ADD supervisor/kafka.conf supervisor/zookeeper.conf supervisor/ocsp.conf /etc/supervisor/conf.d/
 
 # 2181 is zookeeper, 9092 is kafka
-EXPOSE 2181 9092
 
 CMD ["supervisord", "-n"]

kafka/scripts/start-kafka.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Optional ENV variables:
 # * ADVERTISED_HOST: the external ip for the container, e.g. `docker-machine ip \`docker-machine active\``
@@ -8,18 +8,22 @@
 # * LOG_RETENTION_BYTES: configure the size at which segments are pruned from the log, (default is 1073741824, for 1GB)
 # * NUM_PARTITIONS: configure the default number of log partitions per topic
 
-# Configure advertised host/port if we run in helios
-if [ ! -z "$HELIOS_PORT_kafka" ]; then
-    ADVERTISED_HOST=`echo $HELIOS_PORT_kafka | cut -d':' -f 1 | xargs -n 1 dig +short | tail -n 1`
-    ADVERTISED_PORT=`echo $HELIOS_PORT_kafka | cut -d':' -f 2`
-fi
+function add_config_param {
+    echo "$1: $2"
+    if grep -q $1 $KAFKA_HOME/config/server.properties; then
+        sed -r -i "s|($1)=(.*)|\1=$2|g" $KAFKA_HOME/config/server.properties
+    else
+        echo "$1=$2" >> $KAFKA_HOME/config/server.properties
+    fi
+}
 
 # Set the external host and port
 if [ ! -z "$ADVERTISED_HOST" ]; then
     echo "advertised host: $ADVERTISED_HOST"
     sed -r -i "s/#(advertised.host.name)=(.*)/\1=$ADVERTISED_HOST/g" $KAFKA_HOME/config/server.properties
 fi
 if [ ! -z "$ADVERTISED_PORT" ]; then
+    add_config_param "port" $ADVERTISED_PORT
     echo "advertised port: $ADVERTISED_PORT"
     sed -r -i "s/#(advertised.port)=(.*)/\1=$ADVERTISED_PORT/g" $KAFKA_HOME/config/server.properties
 fi
@@ -63,5 +67,44 @@ if [ ! -z "$AUTO_CREATE_TOPICS" ]; then
     echo "auto.create.topics.enable=$AUTO_CREATE_TOPICS" >> $KAFKA_HOME/config/server.properties
 fi
 
+# sed -r -i "s|(log4j.logger.kafka)=(.*)|\1=DEBUG, kafkaAppender|g" $KAFKA_HOME/config/log4j.properties
+
+## SSL
+add_config_param "security.inter.broker.protocol" "SSL"
+add_config_param "ssl.enabled.protocols" "TLSv1.2,TLSv1.1,TLSv1"
+
+if [ ! -z "$SUPER_USERS" ]; then
+    add_config_param "super.users" $SUPER_USERS
+fi
+
+add_config_param "listeners" "PLAINTEXT://:$ADVERTISED_PORT,SSL://:$ADVERTISED_SSL_PORT"
+add_config_param "advertised.listeners" "PLAINTEXT://$ADVERTISED_HOST:$ADVERTISED_PORT,SSL://$ADVERTISED_HOST:$ADVERTISED_SSL_PORT"
+
+# Configure SSL Location
+if [ ! -z "$SSL_KEYSTORE_LOCATION" ]; then
+    add_config_param "ssl.keystore.location" $SSL_KEYSTORE_LOCATION
+    add_config_param "ssl.keystore.password" "changeit"
+fi
+
+# Configure SSL Truststore
+if [ ! -z "$SSL_TRUSTSTORE_LOCATION" ]; then
+    add_config_param "ssl.truststore.location" $SSL_TRUSTSTORE_LOCATION
+    add_config_param "ssl.truststore.password" "changeit"
+fi
+
+# Configure auth
+if [ ! -z "$SSL_CLIENT_AUTH" ]; then
+    add_config_param "ssl.client.auth" $SSL_CLIENT_AUTH
+    add_config_param "authorizer.class.name" "kafka.security.auth.SimpleAclAuthorizer"
+
+    sed -r -i "s|(log4j.logger.kafka.authorizer.logger)=(.*)|\1=DEBUG, authorizerAppender|g" $KAFKA_HOME/config/log4j.properties
+fi
+
+# OCSP
+if [ ! -z "$SSL_OCSP" ]; then
+    echo -e "ocsp.enable=true\nocsp.responderURL=http://localhost:8000" > $KAFKA_HOME/config/security.properties
+    export KAFKA_OPTS="-Djava.security.debug=all -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true -Djava.security.properties=$KAFKA_HOME/config/security.properties $KAFKA_OPTS"
+fi
+
 # Run Kafka
 $KAFKA_HOME/bin/kafka-server-start.sh $KAFKA_HOME/config/server.properties

kafka/scripts/start-ocsp.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/expect
+
+if {[info exists ::env(SSL_OCSP)] && [info exists ::env(SSL_OCSP_DIR)]} {
+	spawn openssl ocsp -port 8000 -index $::env(SSL_OCSP_DIR)/index.txt -CA $::env(SSL_OCSP_DIR)/ca-cert \
+	-rsigner $::env(SSL_OCSP_DIR)/ca-cert -rkey $::env(SSL_OCSP_DIR)/ca-key -text
+
+	expect "Enter pass phrase for"
+	send "changeit\r"
+	interact
+} else {
+	puts "Error. Not found SSL_OCSP_DIR var"
+	exit 1
+}

kafka/supervisor/ocsp.conf

@@ -0,0 +1,4 @@
+[program:ocsp]
+command=/usr/bin/start-ocsp.sh
+autostart=true
+autorestart=true