Has anyone had any luck with GMS connecting to SR ...
# all-things-deployment
a
Has anyone had any luck with GMS connecting to SR via TLS? I've tried to follow these docs https://datahubproject.io/docs/how/kafka-config#ssl and have also read https://github.com/linkedin/datahub/issues/1861 but haven't had any luck. I am using the `head` container for GMS from Docker hub. My ENVs are as follows on the container:
```
KAFKASTORE_SSL_TRUSTORE_LOCATION: foo
KAFKASTORE_SSL_TRUSTSORE_PASSWORD: bar
KAFKASTORE_SECURITY_PROTOCOL: SSL
KAFKASTORE_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
```
I've also tried using a few variations of these envs (`SCHEMA_REGISTRY`, `KAFKA` prefixes). Any insight would be appreciated! Thanks
b
Hi Michael! Thanks for reporting. Let us take a look & get back. @early-lamp-41924 Have you seen any issues here before?
a
Thanks - we will keep digging on this today too and update here if we find the issue. I did forget to add the stack trace:
```
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
```
e
Hey! For GMS, it uses Spring to set up Kafka config, so all configs must be prefixed by `SPRING_KAFKA_PROPERTIES`. Refer to how they are set in our helm chart here! https://github.com/acryldata/datahub-helm/blob/master/charts/datahub/subcharts/datahub-gms/templates/deployment.yaml#L155
a
Thanks for the quick response! I have those envs set - and I can connect to the brokers and pull metadata fine using the tls config, just not to schema registry
e
Ah hmm, seems like we don’t set schema registry specific configs
unfortunately, doesn’t seem like there is a spring-kafka native way of getting configs
so need to manually add them in
would you be willing to contribute here?
a
Yep - can work on getting a PR added when I have time. Should be soonish!
Appreciate the insight 🙂 the issue made me think it was resolved
e
Thank you so much!!!
a
Np! I have validated that my fix is working properly. Will clean it up in the next day or so and PR it. Thanks again for your help