一、概述
文本主要讲解使用Docker-compose在三个节点上部署Kafka3.5.1(现阶段最新版本)-kraft模式,加密使用了用户名密码加密的SASL_PLAINTEXT+PLAIN方式。SSL加密在我的docker-compose.yml文件基础上微调一下就好。所有的配置都通过环境变量注入,仅将加密文件进行了挂载,其他配置未挂载出容器。
二、硬件信息
前置需要做集群免密和时间同步操作。
| 节点名称 | 操作系统 | 开放端口 |
|---|---|---|
| node1 | centos7 | 9092/9093 |
| node2 | centos7 | 9092/9093 |
| node3 | centos7 | 9092/9093 |
三、前置配置
- 生成JKS文件
对于生成密钥,bitnami/kafka镜像官方介绍也给了kafka-generate-ssl.sh脚本用于生成JSK文件。这个脚本可以多次运行,第一次运行遇到提示“Do you need to generate a trust store and associated private key?”,选“y”,完成1和2环节;其他时候运行,选“n”,完成2环节。
第一次运行成功后查看结果:
$ ls
truststore/ keystore/ kafka-generate-ssl.sh
$ ls truststore
ca-key kafka.truststore.jks
$ ls keystore
kafka.keystore.jks
- 将JKS文件放到需要挂载进去的目录
我三个节点用的JKS文件是同一个JKS加密文件。
四、docker-compose配置文件
- node1 配置文件
version: '3'
services:
kafka-1:
#环境变量的含义可以去dockerHub查看该镜像的介绍
image: bitnami/kafka:3.5.1
hostname: kafka-1
ports:
- "9092:9092"
- "9093:9093"
environment:
- KAFKA_CFG_PROCESS_ROLES=broker,controller #声明角色
- BITNAMI_DEBUG=true #控制台打印日志
- ALLOW_PLAINTEXT_LISTENER=no #生产环境选择no
- KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
- KAFKA_CFG_NUM_PARTITIONS=6 #默认分区数
- KAFKA_CFG_LISTENERS=INTERNAL://:9094,CLIENT://:9095,CONTROLLER://:9093, EXTERNAL://:9092
- KAFKA_CFG_ADVERTISED_LISTENERS=INTERNAL://kafka-1:9094,CLIENT://:9095,EXTERNAL://node1:9092 #外部连入方式,暴露出去的端口需要指定宿主机,controller不用申明
- KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT #指定加密方式,我内部传输是明文,按需修改
- KAFKA_CFG_INTER_BROKER_LISTENER_NAME=INTERNAL
- KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM= #不验证域名
- KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
- KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
- KAFKA_CERTIFICATE_PASSWORD=AZ2023
- KAFKA_TLS_TYPE=JKS
- KAFKA_CLIENT_USERS=az
- KAFKA_CLIENT_PASSWORDS=AZ2023
- KAFKA_INTER_BROKER_USER=az
- KAFKA_INTER_BROKER_PASSWORD=AZ2023
- KAFKA_CFG_NODE_ID=0
- KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@node1:9093,1@node2:9093,2@node3:9093
- KAFKA_KRAFT_CLUSTER_ID=abcdefghijklmnopqrstuv #集群唯一id
volumes:
- "/etc/hosts:/etc/hosts"
- "./kafka/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro"
- "./kafka/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro"
- node2配置
version: '3'
services:
kafka-2:
image: bitnami/kafka:3.5.1
hostname: kafka-2
ports:
- "9092:9092"
- "9093:9093"
environment:
- KAFKA_CFG_PROCESS_ROLES=broker,controller
- BITNAMI_DEBUG=false
- ALLOW_PLAINTEXT_LISTENER=no
- KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
- KAFKA_CFG_LISTENERS=INTERNAL://:9094,CLIENT://:9095,CONTROLLER://:9093, EXTERNAL://:9092
- KAFKA_CFG_ADVERTISED_LISTENERS=INTERNAL://kafka-1:9094,CLIENT://:9095,EXTERNAL://node2:9092
- KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
- KAFKA_CFG_INTER_BROKER_LISTENER_NAME=INTERNAL
- KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=
- KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
- KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
- KAFKA_CERTIFICATE_PASSWORD=AZ2023
- KAFKA_TLS_TYPE=JKS
- KAFKA_CLIENT_USERS=az
- KAFKA_CLIENT_PASSWORDS=AZ2023
- KAFKA_INTER_BROKER_USER=az
- KAFKA_INTER_BROKER_PASSWORD=AZ2023
- KAFKA_CFG_NODE_ID=1
- KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@node1:9093,1@node2:9093,2@node3:9093
- KAFKA_KRAFT_CLUSTER_ID=abcdefghijklmnopqrstuv
volumes:
- "/etc/hosts:/etc/hosts"
- "./kafka/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro"
- "./kafka/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro"
#这里开启了一个kafka-ui组件等之后验证下集群状态
kafka-ui:
container_name: kafka-ui
image: provectuslabs/kafka-ui:master
volumes:
- /etc/hosts:/etc/hosts
ports:
- 9888:8080
environment:
DYNAMIC_CONFIG_ENABLED: true
- node3配置
version: '3'
services:
kafka-3:
image: bitnami/kafka:3.5.1
hostname: kafka-3
ports:
- "9092:9092"
- "9093:9093"
environment:
- KAFKA_CFG_PROCESS_ROLES=broker,controller
- BITNAMI_DEBUG=false
- ALLOW_PLAINTEXT_LISTENER=no
- KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
- KAFKA_CFG_LISTENERS=INTERNAL://:9094,CLIENT://:9095,CONTROLLER://:9093, EXTERNAL://:9092
- KAFKA_CFG_ADVERTISED_LISTENERS=INTERNAL://kafka-1:9094,CLIENT://:9095,EXTERNAL://node3:9092
- KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
- KAFKA_CFG_INTER_BROKER_LISTENER_NAME=INTERNAL
- KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=
- KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
- KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
- KAFKA_CERTIFICATE_PASSWORD=AZ2023
- KAFKA_TLS_TYPE=JKS
- KAFKA_CLIENT_USERS=az
- KAFKA_CLIENT_PASSWORDS=AZ2023
- KAFKA_INTER_BROKER_USER=az
- KAFKA_INTER_BROKER_PASSWORD=AZ2023
- KAFKA_CFG_NODE_ID=2
- KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@node1:9093,1@node2:9093,2@node3:9093
- KAFKA_KRAFT_CLUSTER_ID=abcdefghijklmnopqrstuv
volumes:
- "/etc/hosts:/etc/hosts"
- "./kafka/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro"
- "./kafka/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro"
五、集群验证
- 通过kafka-ui的可视化页面验证
相关参考文章:
https://zhuanlan.zhihu.com/p/586005021
https://hub.docker.com/r/bitnami/kafka
