I am running a Kafka instance on Kubernetes (AKS) using the Bitnami helm chart; it is exposed through a LoadBalancer service. I have a registered hostname and a DNS rule in Azure that points to the LoadBalancer service.
The Kafka instance has TLS enabled; it uses a certificate signed by Let's Encrypt, issued to the registered domain. The problem is that the Bitnami chart seems to automatically compute the advertised listeners based on the external LoadBalancer IP, causing a mismatch with the domain that the certificate is issued to. So it returns the IP address of the LoadBalancer to the client to connect to. Of course, the client will not be able to match the CN on the certificate with the IP address, so it fails to verify the hostname and returns:
```
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address <ip> found
```
I have solved the issue by explicitly setting the domain as part of the external `advertisedListeners` helm value, overriding the default value that is computed automatically.
I could not find anything explicit in the docs about my issue, but I was wondering if there is a better/more elegant solution for this. Is it possible, for instance, to explicitly pass the hostname of the domain somewhere, so that it is taken into account during the automatic computation of the advertised listeners?
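As an added pre-deployment check (not part of the original question or the Bitnami chart), the snippet below verifies that the host in each Kafka advertised listener is something the broker certificate can actually vouch for, reproducing the client's decision: an IP host only passes if the SAN carries an IP entry, a DNS host only if a DNS entry (or a single-label wildcard) matches. The SAN line and listener strings are constructed sample values; Let's Encrypt certificates contain only DNS SANs, which is why the auto-computed IP form fails.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_san(san_text):
    """Parse an OpenSSL-style SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip().lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def dns_matches(pattern, host):
    """RFC 6125-style match: a leading '*' covers exactly one left-most label."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def listener_host(listener):
    """Host part of an advertised listener such as EXTERNAL://kafka.example.com:9094."""
    return urlsplit(listener).hostname


def check_listener(listener, san_text):
    """Return (ok, reason): would a verifying TLS client accept this cert for this listener?"""
    host = listener_host(listener)
    dns, ips = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(host)   # advertised host is a literal IP
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ips:
            return True, f"IP {ip} is listed in the certificate SAN"
        return False, f"No subject alternative names matching IP address {ip} found"
    if any(dns_matches(p, host) for p in dns):
        return True, f"hostname {host} matches the certificate SAN"
    return False, f"No subject alternative DNS name matching {host} found"


# Constructed sample: a Let's Encrypt-style cert (DNS SAN only) and the two listener forms.
SAN = "DNS:kafka.example.com"
AUTO_COMPUTED = "EXTERNAL://203.0.113.10:9094"   # chart default: LoadBalancer IP
EXPLICIT = "EXTERNAL://kafka.example.com:9094"   # value set by hand in advertisedListeners
```

Running `check_listener(AUTO_COMPUTED, SAN)` reports the same mismatch the Java client raises, while `check_listener(EXPLICIT, SAN)` passes.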