
[Bug]: OAuth endpoints with custom CA no longer working #11082

Open
nkostoulas opened this issue Jan 27, 2025 · 4 comments

Comments

@nkostoulas

nkostoulas commented Jan 27, 2025

Bug Description

After upgrading to 0.45 we are suddenly seeing the following error:

org.apache.kafka.common.KafkaException: io.strimzi.kafka.oauth.common.ConfigException: Failed to load truststore: /tmp/kafka/oauth-oauth-9097.truststore.p12

when trying to set up an OAuth endpoint with custom CA via tlsTrustedCertificates config.

According to the strimzi-kafka-oauth documentation, both truststores and PEM certs are supported, and this previously worked with a simple k8s Secret storing a CA in .pem format. Is there a reason it suddenly expects a truststore to be provided? I couldn't find anything in the Configuring Strimzi docs that explains this change.

Steps to reproduce

No response

Expected behavior

No response

Strimzi version

0.45

Kubernetes version

1.28

Installation method

No response

Infrastructure

No response

Configuration files and logs

No response

Additional context

No response

@scholzj
Member

scholzj commented Jan 27, 2025

I guess you should start by providing a full configuration and log files.

@nkostoulas
Author

nkostoulas commented Jan 28, 2025

config:

  tlsTrustedCertificates:
    - secretName: oauth-server-ca
      certificate: tls.crt

mount paths:

    - mountPath: /opt/kafka/certificates/custom-external-9096-certs
      name: custom-external-9096-certs
    - mountPath: /opt/kafka/certificates/custom-oauth-9097-certs
      name: custom-oauth-9097-certs
    - mountPath: /opt/kafka/certificates/oauth-oauth-9097-certs/oauth-server-ca

logs:

org.apache.kafka.common.KafkaException: io.strimzi.kafka.oauth.common.ConfigException: Failed to load truststore: /tmp/kafka/oauth-oauth-9097.truststore.p12
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:183)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
	at kafka.network.Processor.<init>(SocketServer.scala:977)
	at kafka.network.Acceptor.newProcessor(SocketServer.scala:882)
	at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:852)
	at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
	at kafka.network.Acceptor.addProcessors(SocketServer.scala:851)
	at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:525)
	at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:253)
	at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:177)
	at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:177)
	at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:619)
	at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:617)
	at scala.collection.AbstractIterable.foreach(Iterable.scala:935)
	at kafka.network.SocketServer.<init>(SocketServer.scala:177)
	at kafka.server.KafkaServer.startup(KafkaServer.scala:381)
	at kafka.Kafka$.main(Kafka.scala:112)
	at kafka.Kafka.main(Kafka.scala)
Caused by: io.strimzi.kafka.oauth.common.ConfigException: Failed to load truststore: /tmp/kafka/oauth-oauth-9097.truststore.p12
	at io.strimzi.kafka.oauth.common.SSLUtil.createSSLFactory(SSLUtil.java:71)
	at io.strimzi.kafka.oauth.common.ConfigUtil.createSSLFactory(ConfigUtil.java:35)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.delegatedConfigure(JaasServerOauthValidatorCallbackHandler.java:257)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.configure(JaasServerOauthValidatorCallbackHandler.java:238)
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:150)
	... 18 more
Caused by: java.io.FileNotFoundException: /tmp/kafka/oauth-oauth-9097.truststore.p12 (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111)
	at io.strimzi.kafka.oauth.common.SSLUtil.createSSLFactory(SSLUtil.java:67)
	... 22 more

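The trace above ends in a FileNotFoundException for the PKCS#12 truststore the OAuth callback handler expects, while the config only mounts a PEM Secret (oauth-server-ca, key tls.crt). Before chasing the conversion step, the thing to rule out is that the PEM in that Secret is not what a trust store can consume. The following Go pre-flight check is an added example, not code from the issue or from the Strimzi project: it assumes the Secret key holds one or more PEM CERTIFICATE blocks (as `kubectl get secret oauth-server-ca -o jsonpath='{.data.tls\.crt}' | base64 -d` would give you) and fails hard on a non-certificate block, an unparsable block, an expired or not-yet-valid certificate, or no certificate at all (empty key, wrong key name, DER or PKCS#12 bytes instead of PEM). A certificate that is not a CA is reported as a warning rather than an error, because a Java truststore will still accept a pinned leaf as a trust anchor, but that pin breaks as soon as the server certificate rotates. The sample CA, leaf and key are generated in-process as constructed input; `example-oauth-ca` and `oauth.example.internal` are made-up names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckTrustedCertPEM validates the bytes a tlsTrustedCertificates entry points at
// (assumed: the tls.crt key of the Secret, PEM-encoded). Errors are hard failures;
// warnings are findings a practitioner should look at but that do not stop loading.
func CheckTrustedCertPEM(data []byte, now time.Time) ([]*x509.Certificate, []string, error) {
	var certs []*x509.Certificate
	var warnings []string
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // skips leading junk, returns nil when no block is left
		if block == nil {
			break
		}
		n := len(certs) + 1
		if block.Type != "CERTIFICATE" {
			// A private key or CSR does not belong in a trust Secret; a key there is also a leak.
			return nil, nil, fmt.Errorf("PEM block %d is %q, expected CERTIFICATE", n, block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("PEM block %d does not parse as X.509: %w", n, err)
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return nil, nil, fmt.Errorf("certificate %q not valid at %s (NotBefore %s, NotAfter %s)",
				c.Subject.CommonName, now.UTC().Format(time.RFC3339),
				c.NotBefore.UTC().Format(time.RFC3339), c.NotAfter.UTC().Format(time.RFC3339))
		}
		if !c.IsCA {
			warnings = append(warnings, fmt.Sprintf("certificate %q is not a CA (basicConstraints cA=false)", c.Subject.CommonName))
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		// Typical causes: wrong Secret key name, empty key, or DER/PKCS#12 bytes instead of PEM.
		return nil, nil, errors.New("no CERTIFICATE PEM blocks found")
	}
	return certs, warnings, nil
}

// NewTestChain generates a throwaway self-signed CA, a server leaf it signs and the
// leaf's private key, each PEM-encoded. Constructed sample input for this example only.
func NewTestChain() (caPEM, leafPEM, keyPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-oauth-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "oauth.example.internal"},
		DNSNames:  []string{"oauth.example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	ca, leaf, key, err := NewTestChain()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Only the CA belongs in the trust Secret; the leaf warns and the key is rejected.
	for _, in := range []struct{ name string; pem []byte }{{"ca", ca}, {"leaf", leaf}, {"key", key}} {
		certs, warns, err := CheckTrustedCertPEM(in.pem, time.Now())
		fmt.Printf("%-4s certs=%d warnings=%v err=%v\n", in.name, len(certs), warns, err)
	}
}
```

Run it against the decoded Secret content instead of the generated chain to see whether the input side is healthy; if the CA passes cleanly, the missing /tmp/kafka/oauth-oauth-9097.truststore.p12 is a broker-side conversion problem and the full broker log and listener configuration that the maintainer asked for are what is needed next.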
@scholzj
Member

scholzj commented Jan 28, 2025

Please share the full logs and full configurations. These things matter, and there is a reason we ask for them. If you know that these two snippets are all that is needed to figure things out, you might understand it better than we do, and in that case please open a PR with the fix.

@nkostoulas
Author

nkostoulas commented Jan 28, 2025

Sorry, I understand. I just don't have full access any more, and I was wondering if any of this makes sense; otherwise I will share the full logs and configuration once I've tested this again and can share what is required.
