Suppose you want to compare the metadata stored in ZooKeeper with what the Kafka controller reports.

However, there is no ‘easy’ way to connect to ZooKeeper over SSL with the --zookeeper flag, unlike --bootstrap-server with --command-config, which does have better configuration options.

Instead, use KAFKA_OPTS to set the correct SSL configuration for ZooKeeper. For example:

export KAFKA_OPTS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
  -Dzookeeper.client.secure=true \
  -Dzookeeper.ssl.keyStore.location=/etc/kafka/kafka.client.keystore.jks \
  -Dzookeeper.ssl.keyStore.password=password \
  -Dzookeeper.ssl.trustStore.location=/etc/kafka/kafka.client.truststore.jks \
  -Dzookeeper.ssl.trustStore.password=password"

With KAFKA_OPTS set, this returns what ZooKeeper has:

kafka-topics.sh --zookeeper zookeeper.example.net:2182 --describe --topic test-topic

This returns what the controller has:

kafka-topics.sh --bootstrap-server kafka.example.net:9094 --command-config /etc/kafka/client.ssl.properties --describe --topic test-topic
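
To compare the two results partition by partition rather than by eye, here is an added example that is not part of the original page. The function names are hypothetical, the sample outputs are constructed, and it assumes the usual --describe layout of one line per partition with Partition, Leader, Replicas and Isr labels.

```shell
#!/bin/sh
# Added example (not from the original page): compare the ZooKeeper view of a
# topic with the controller view. The sample outputs below are constructed.

# Reduce `kafka-topics.sh --describe` output (stdin) to one sorted line per partition.
normalize_describe() {
  awk '
    /Partition:/ && /Leader:/ {
      line = $0; gsub(/:[ \t]*/, ": ", line)   # accept "Leader:1" and "Leader: 1"
      n = split(line, f, /[ \t]+/); p = l = r = s = ""
      for (k = 1; k < n; k++) {
        v = (f[k+1] ~ /:$/) ? "" : f[k+1]      # next token is a label: value is empty
        if (f[k] == "Partition:") p = v
        else if (f[k] == "Leader:") l = v
        else if (f[k] == "Replicas:") r = v
        else if (f[k] == "Isr:") s = v
      }
      print p, "leader=" l, "replicas=" r, "isr=" s
    }' | sort -n
}

# $1 = output captured with --zookeeper, $2 = output captured with --bootstrap-server.
# Prints the partitions that differ; returns 0 when both views agree, 1 otherwise.
compare_views() {
  zk=$(printf '%s\n' "$1" | normalize_describe)
  ctl=$(printf '%s\n' "$2" | normalize_describe)
  if [ "$zk" = "$ctl" ]; then return 0; fi
  printf '%s\n' "$zk"  | grep -Fxv -e "$ctl" | sed 's/^/zookeeper:  partition /'
  printf '%s\n' "$ctl" | grep -Fxv -e "$zk"  | sed 's/^/controller: partition /'
  return 1
}

# Constructed samples: the controller view has broker 1 missing from the ISR of partition 1.
sample_zk() {
  printf 'Topic: test-topic\tPartitionCount: 2\tReplicationFactor: 3\tConfigs: \n'
  printf '\tTopic: test-topic\tPartition: 0\tLeader: 1\tReplicas: 1,2,3\tIsr: 1,2,3\n'
  printf '\tTopic: test-topic\tPartition: 1\tLeader: 2\tReplicas: 2,3,1\tIsr: 2,3,1\n'
}
sample_controller() { sample_zk | sed 's/Isr: 2,3,1/Isr: 2,3/'; }

if compare_views "$(sample_zk)" "$(sample_controller)"; then
  echo "ZooKeeper and controller agree"
fi
```

In real use, pass the captured output of the two kafka-topics.sh commands above as the two arguments to compare_views.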