Dockerfile configuration for GSSAPI, with SASL_SSL support, for an Alpine-based Go image

mhd8tkvw  posted on 2022-12-07 in Go

I have a Confluence Kafka consumer written in Golang. I am trying to deploy it in a PKS cluster.
The Kafka config looks like this:

kafka.bootstrap.servers=server.myserver.com
kafka.security.protocol=SASL_SSL
kafka.sasl.mechanisms=GSSAPI
kafka.group.id=kafka-go-getting-started
kafka.auto.offset.reset=latest
kafka.topic=topic.consumer-topic
acks=all

I need to configure my Dockerfile for the GSSAPI mechanism with the SASL_SSL protocol. I have managed to resolve the GSSAPI part, but currently it shows:

**Failed to create consumer: Unsupported value "SASL_SSL" for configuration property "security.protocol": OpenSSL not available at build time**

Here is what my Dockerfile looks like:

FROM golang:1.19-alpine3.16 as c-bindings

RUN apk update && apk upgrade && apk add pkgconf git bash build-base sudo

RUN git clone https://github.com/edenhill/librdkafka.git
RUN cd librdkafka && ./configure && make && sudo make install

FROM c-bindings as app-builder

WORKDIR /go/app

COPY . .

RUN go mod download
RUN go mod verify

RUN go build -race -tags musl --ldflags "-extldflags -static -s -w" -o main ./main.go

FROM scratch AS app-runner

WORKDIR /go/app/

COPY --from=app-builder /go/app/main ./main

CMD ["/go/app/main"]

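I tried a few things in the Dockerfile to make OpenSSL available, but things are still the same. I am not sure whether the GSSAPI mechanism and the SASL_SSL protocol can be resolved with a common solution.
[05 Nov 2022] Latest attempt:
Dockerfile,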

FROM golang:1.19-alpine as c-bindings

RUN apk update && apk upgrade && apk add pkgconf git bash build-base sudo

FROM c-bindings as app-builder

WORKDIR /go/app

COPY . .

RUN go mod download
RUN go mod verify

RUN apk add zstd-dev

RUN apk add krb5
RUN apk add cyrus-sasl-gssapiv2
RUN apk add cyrus-sasl-dev

RUN apk add openssl-dev

RUN git clone https://github.com/edenhill/librdkafka.git
RUN cd librdkafka && ./configure --install-deps && make && sudo make install

COPY krb5.conf /etc/krb5.conf
COPY jaas.conf /etc/jaas.conf

RUN go build -race -tags dynamic -o main ./main.go

CMD ["/go/app/main"]

Kafka config -

kafka.bootstrap.servers=server.myserver.com
kafka.security.protocol=SASL_SSL
kafka.sasl.mechanism=GSSAPI
kafka.group.id=kafka-go-getting-started
kafka.auto.offset.reset=latest
kafka.topic=topic.consumer-topic
kafka.ssl.ca.location=/etc/ssl/certs/my-cert.pem
kafka.sasl.kerberos.service.name=kafka
kafka.sasl.kerberos.keytab=/etc/security/keytab/consumer.keytab
kafka.sasl.kerberos.principal=principal@myprincipal.COM
acks=all

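Now, technically, the container is running. However, it fails to run the Kafka consumer application, with the following error -
GSSAPI Error: A token had an invalid MIC (unknown mech-code 0 for mech unknown)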

eqqqjvef  #1

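This is because you are missing SSL or SASL dependencies. You need to make sure you have libssl-dev, although it might also need libsasl2-dev and libsasl2-modules, but libssl-dev should suffice.
Adding the following to the Dockerfile should help resolve this: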

RUN apk add libressl-dev

Here is the official libssl alpine pkg
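
The "OpenSSL not available at build time" error in the question means the librdkafka build itself lacks a feature the config asks for. As an added example (not code from the question or the answer), this Go preflight reads the question's `kafka.`-prefixed properties format and reports which build features are missing from a feature list. Feature names follow librdkafka's `builtin.features` property; `missing`, `check` and the sample feature list are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SASL mechanism -> feature name as listed in librdkafka's builtin.features.
var mechFeature = map[string]string{"GSSAPI": "sasl_gssapi", "PLAIN": "sasl_plain",
	"SCRAM-SHA-256": "sasl_scram", "SCRAM-SHA-512": "sasl_scram", "OAUTHBEARER": "sasl_oauthbearer"}

// missing parses key=value lines and returns the build features the config
// needs that the comma-separated builtin list does not contain.
func missing(cfg, builtin string) []string {
	props := map[string]string{"sasl.mechanisms": "GSSAPI"} // librdkafka's default
	for _, line := range strings.Split(cfg, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok {
			k = strings.TrimPrefix(strings.TrimSpace(k), "kafka.")
			if k == "sasl.mechanism" { // alias spelling used in the second config
				k = "sasl.mechanisms"
			}
			props[k] = strings.TrimSpace(v)
		}
	}
	proto, need := strings.ToUpper(props["security.protocol"]), []string{}
	if strings.HasSuffix(proto, "SSL") { // SSL and SASL_SSL need TLS support
		need = append(need, "ssl")
	}
	if f, ok := mechFeature[strings.ToUpper(props["sasl.mechanisms"])]; ok && strings.HasPrefix(proto, "SASL_") {
		need = append(need, f)
	}
	have, out := ","+strings.ReplaceAll(builtin, " ", "")+",", []string{}
	for _, f := range need {
		if !strings.Contains(have, ","+f+",") {
			out = append(out, f)
		}
	}
	return out
}

// check turns the missing list into an error suitable for failing fast at startup.
func check(cfg, builtin string) error {
	if m := missing(cfg, builtin); len(m) > 0 {
		return fmt.Errorf("librdkafka build lacks: %s", strings.Join(m, ","))
	}
	return nil
}

func main() { // the question's settings against a constructed feature list without TLS or GSSAPI
	fmt.Println(check("kafka.security.protocol=SASL_SSL\nkafka.sasl.mechanisms=GSSAPI", "gzip,snappy,sasl,lz4,sasl_plain"))
}
```

Running the same comparison in the image build stage surfaces a missing `ssl` or `sasl_gssapi` feature before the consumer is deployed.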
