/
docker-compose.yml
69 lines (68 loc) 路 3.44 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
---
version: '3.8'
services:
zookeeper:
image: confluentinc/cp-zookeeper:7.3.2
container_name: zookeeper-sasl-plain-tls-localhost
environment:
ZOO_MY_ID: 1
ZOOKEEPER_CLIENT_PORT: 2181
ZOOKEEPER_TICK_TIME: 2000
ZOOKEEPER_SASL_ENABLED: "false"
healthcheck:
test: nc -z localhost 2181 || exit 1
interval: 10s
retries: 10
start_period: 15s
timeout: 10s
kafka-broker:
image: confluentinc/cp-kafka:7.3.2
container_name: broker-sasl-plain-tls-localhost
ports:
- "9095:9095"
- "29095:29095"
depends_on:
zookeeper:
condition: service_healthy
environment:
KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
# do not use SASL authentication when communicating with Zookeeper (it will use no authentication and no TLS)
ZOOKEEPER_SASL_ENABLED: "false"
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
# configure two listeners: one for SASL_SSL (TLS with authentication) and one for PLAINTEXT (not TLS and no authentication)
# clients can use SASL_SSL to connect to the broker and authenticate using the username and password
# the broker can use PLAINTEXT to communicate with other brokers
KAFKA_LISTENERS: SASL_SSL://0.0.0.0:9095, PLAINTEXT://0.0.0.0:29095
# configure advertised listeners (listeners that will be used by clients to connect to the broker)
KAFKA_ADVERTISED_LISTENERS: SASL_SSL://localhost:9095, PLAINTEXT://localhost:29095
# let the brokers communicate with each other using PLAINTEXT listener (not TLS and no authentication)
KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
# enable SASL_PLAIN authentication mechanism (username and password)
KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
# configure Kafka to use JAAS (Java Authentication and Authorization Service) for authentication
# usernames and passwords will be provided by the JAAS file
KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/broker_jaas.conf"
# our TLS certificate is signed by a CA (Certificate Authority) and stored in a keystore along with CA certificate
KAFKA_SSL_KEYSTORE_FILENAME: kafka.server.keystore.jks
# keystore is protected by password stored in ssl_keystore_credentials file
# this file will be mounted by the confluent KAFKA docker container and password will be set as an environment variable inside container
KAFKA_SSL_KEYSTORE_CREDENTIALS: ssl_keystore_credentials
# our TLS certificate is signed by a CA (Certificate Authority) which is password protected
# to unlock TLS certificate we need to provide CA's password stored in ssl_key_credentials file
# this file will be mounted by the confluent KAFKA docker container and password will be set as an environment variable inside container
KAFKA_SSL_KEY_CREDENTIALS: ssl_key_credentials
# we enable TLSv1.2, TLSv1.1 and TLSv1 encryption protocols
KAFKA_SSL_ENABLED_PROTOCOLS: TLSv1.2,TLSv1.1,TLSv1
# enable DEBUG logging for Kafka
KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG
volumes:
- ./broker_jaas.conf:/etc/kafka/broker_jaas.conf
- ./server.keystore.jks:/etc/kafka/secrets/kafka.server.keystore.jks
- ./ssl_key_credentials:/etc/kafka/secrets/ssl_key_credentials
- ./ssl_keystore_credentials:/etc/kafka/secrets/ssl_keystore_credentials
healthcheck:
test: nc -z localhost 9095 || exit 1
interval: 30s
retries: 10
start_period: 15s
timeout: 10s