Accessing Kafka via OpenShift Routes

[AvihuHenya]

Hi.
I'm trying to understand the way strimzi handle requests from outside OpenShift when the external listener is configuring to work with OpenShift Route. What strimzi does to handle https requests? Does it uses Kafka Bridge for that purpose?
Reading this blog doesn't give me any explanation
https://strimzi.io/blog/2019/04/30/accessing-kafka-part-3/

Thanks.

[scholzj]

Kafka does not support HTTP or HTTPS. Kafka supports only its own TCP based protocol. So when you use the external listener, that is what you have to use. If you want tpo use HTTP / HTTPS, you need to use additional compoenent to do the bridging - such as our Kafka Bridge.

[AvihuHenya]

Thanks for answering.
I think you didn't understand my question.
My question is what happend behind the scenes when I use OpenShift Route for connect to the Kafka cluster outside OpenShift. What Strimzi does for switching between the HTTPS protocol and the Kafka TCP based protocol?

[scholzj]

It does not do any switching. It uses a TCP connection using Kafka protocol from the client to the broker. No HTTP(S) involved. This is allowed by the TLS Passthrough functionality as described in the blog post.

[fvaleri]

@AvihuHenya in a standard HTTP request the hostname information used by HAProxy for routing is contained in the Host header. When connecting from outside of OpenShift using non-HTTP protocols (e.g. Kafka, AMQP, etc.), both Route's edge and reencrypt TLS terminations do not work, because there is no such information.

In that case, you can use passthrough TLS termination connecting to port 443, with the encrypted traffic sent straight to the pod (a similar configuration is also available for NGinx/Ingress). Requests are routed using the unencrypted hostname information contained in the SNI (Server Name Indication) during the initial handshake.

Alternatively, you can use loadbalancer (TLS again) or nodeport (also without TLS) Service types. The last one may be handy, but you need to have access to every cluster node, not just infrastructure nodes, and limits scalability reserving ports on each node.