Use ksqlDB with Aiven for Apache Kafka®#
Aiven provides a managed Apache Kafka® solution together with a number of auxiliary services like Apache Kafka Connect, Kafka REST and Schema Registry via Karapace. A managed ksqlDB service in Aiven is, however, not supported. If you want to define streaming data pipelines with SQL, you have two options:
Run a self-hosted ksqlDB cluster.
Prerequisites#
To connect ksqlDB to Aiven for Apache Kafka® you need to create a Java keystore and truststore containing the service SSL certificates.
Furthermore, you need to collect the following information:
APACHE_KAFKA_HOST: The Aiven for Apache Kafka hostnameAPACHE_KAFKA_PORT: The Aiven for Apache Kafka portSCHEMA_REGISTRY_PORT: The Aiven for Apache Kafka schema registry port, if enabledSCHEMA_REGISTRY_PASSWORD: The password associated with theavnadminuser for Schema RegistryKEYSTORE_FILE_NAME: The name of the Java keystore containing the Aiven for Apache Kafka SSL certificatesTRUSTSTORE_FILE_NAME: The name of the Java truststore containing the Aiven for Apache Kafka SSL certificatesSSL_KEYSTORE_PASSWORD: The password used to secure the Java keystoreSSL_KEY_PASSWORD: The password used to secure the Java keySSL_TRUSTSTORE_PASSWORD: The password used to secure the Java truststoreSSL_STORE_FOLDER: The absolute path of the folder containing both the truststore and keystoreTRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME: The name of the Java truststore containing the schema registry (Karapace) certificateTRUSTSTORE_SCHEMA_REGISTRY_PASSWORD: The password used to secure the Java truststore for the schema registry (Karapace) certificate
Create a keystore for schema registry’s ca file#
ksqlDB by default uses the ssl.truststore settings for the Schema Registry connection.
To have ksqlDB working with Aiven’s Karapace Schema Registry you need to explicitly define a truststore that contains the commonly trusted root CA of Schema Registry server. To create such a truststore:
Obtain the root CA of the server with the following
opensslcommand by replacing theAPACHE_KAFKA_HOSTandSCHEMA_REGISTRY_PORTplaceholders:openssl s_client -connect APACHE_KAFKA_HOST:SCHEMA_REGISTRY_PORT \ -showcerts < /dev/null 2>/dev/null | \ awk '/BEGIN CERT/{s=1}; s{t=t "\n" $0}; /END CERT/ {last=t; t=""; s=0}; END{print last}' \ > ca_schema_registry.cert
Create the truststore with the following
keytoolcommand by replacing theTRUSTSTORE_SCHEMA_REGISTRY_FILE_NAMEandTRUSTSTORE_SCHEMA_REGISTRY_PASSWORDplaceholders:keytool -import -file ca_schema_registry.cert \ -alias CA \ -keystore TRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME \ -storepass TRUSTSTORE_SCHEMA_REGISTRY_PASSWORD \ -noprompt
Tip
The TRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME can be any name but the extension should be .jks
Run ksqlDB on Docker#
You can run ksqlDB on Docker with the following command, by replacing the placeholders:
SSL_STORE_FOLDERAPACHE_KAFKA_HOSTAPACHE_KAFKA_PORTKEYSTORE_FILE_NAMESSL_KEYSTORE_PASSWORDSSL_KEY_PASSWORDTRUSTSTORE_FILE_NAMESSL_TRUSTSTORE_PASSWORDSCHEMA_REGISTRY_PORTSCHEMA_REGISTRY_PASSWORDTRUSTSTORE_SCHEMA_REGISTRY_FILE_NAMETRUSTSTORE_SCHEMA_REGISTRY_PASSWORD
docker run -d --name ksql \
-v SSL_STORE_FOLDER/:/ssl_settings/ \
-p 127.0.0.1:8088:8088 \
-e KSQL_BOOTSTRAP_SERVERS=APACHE_KAFKA_HOST:APACHE_KAFKA_PORT \
-e KSQL_LISTENERS=http://0.0.0.0:8088/ \
-e KSQL_KSQL_SERVICE_ID=ksql_service_1_ \
-e KSQL_OPTS="-Dsecurity.protocol=SSL
-Dssl.keystore.type=PKCS12
-Dssl.keystore.location=/ssl_settings/KEYSTORE_FILE_NAME
-Dssl.keystore.password=SSL_KEYSTORE_PASSWORD
-Dssl.key.password=SSL_KEY_PASSWORD
-Dssl.truststore.type=JKS
-Dssl.truststore.location=/ssl_settings/TRUSTSTORE_FILE_NAME
-Dssl.truststore.password=SSL_TRUSTSTORE_PASSWORD
-Dksql.schema.registry.url=APACHE_KAFKA_HOST:SCHEMA_REGISTRY_PORT
-Dksql.schema.registry.basic.auth.credentials.source=USER_INFO
-Dksql.schema.registry.basic.auth.user.info=avnadmin:SCHEMA_REGISTRY_PASSWORD
-Dksql.schema.registry.ssl.truststore.location=/ssl_settings/TRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME
-Dksql.schema.registry.ssl.truststore.password=TRUSTSTORE_SCHEMA_REGISTRY_PASSWORD" \
confluentinc/ksqldb-server:0.23.1
Tip
USER_INFO is not a placeholder, but rather a literal that shouldn’t be changed
Warning
Some docker setups have issues using the -v mounting options. In those cases copying the Keystore and Truststore in the container can be an easier option. This can be achieved with the following:
docker container create --name ksql \
-p 127.0.0.1:8088:8088 \
-e KSQL_BOOTSTRAP_SERVERS=APACHE_KAFKA_HOST:APACHE_KAFKA_PORT \
-e KSQL_LISTENERS=http://0.0.0.0:8088/ \
-e KSQL_KSQL_SERVICE_ID=ksql_service_1_ \
-e KSQL_OPTS="-Dsecurity.protocol=SSL
-Dssl.keystore.type=PKCS12
-Dssl.keystore.location=/home/appuser/KEYSTORE_FILE_NAME
-Dssl.keystore.password=SSL_KEYSTORE_PASSWORD
-Dssl.key.password=SSL_KEY_PASSWORD
-Dssl.truststore.type=JKS
-Dssl.truststore.location=/home/appuser/TRUSTSTORE_FILE_NAME
-Dssl.truststore.password=SSL_TRUSTSTORE_PASSWORD
-Dksql.schema.registry.url=APACHE_KAFKA_HOST:SCHEMA_REGISTRY_PORT
-Dksql.schema.registry.basic.auth.credentials.source=USER_INFO
-Dksql.schema.registry.basic.auth.user.info=avnadmin:SCHEMA_REGISTRY_PASSWORD
-Dksql.schema.registry.ssl.truststore.location=/home/appuser/TRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME
-Dksql.schema.registry.ssl.truststore.password=TRUSTSTORE_SCHEMA_REGISTRY_PASSWORD" \
confluentinc/ksqldb-server:0.23.1
docker cp KEYSTORE_FILE_NAME ksql:/home/appuser/
docker cp TRUSTSTORE_FILE_NAME ksql:/home/appuser/
docker cp TRUSTSTORE_SCHEMA_REGISTRY_FILE_NAME ksql:/home/appuser/
docker start ksql
Once the Docker image is up and running you should be able to access ksqlDB at localhost:8088 or connect via terminal with the following command:
docker exec -it ksql ksql