Kafka MirrorMaker2 cannot connect to kafka node with TLS. Returns a timeout error

[Runsterbraze123]

I have two k8s setups on which kafka clusters are running. On my origin setup no TLS or authentication is required. My target setup has both SCRAM-SHA-512 and TLS setup.
The config of my KafkaMirrorMaker2 is as follows:-

spec:
  clusters:
  - alias: source-dummy-six
    bootstrapServers: origin-kafka:9092
  - alias: target-dummy-six
    authentication:
      passwordSecret:
        password: target-password
        secretName: password-secret-dummy-six
      type: scram-sha-512
      username: kafka-username
    bootstrapServers: 10.11.12.13:32182
    config:
      config.storage.replication.factor: -1
      config.storage.topic: dummy-six-configs
      group.id: dummy-six-group-id
      offset.storage.replication.factor: -1
      offset.storage.topic: dummy-six-offset
      reconnect.backoff.max.ms: 2000
      reconnect.backoff.ms: 2000
      request.timeout.ms: 60000
      retry.backoff.max.ms: 2000
      retry.backoff.ms: 2000
      socket.connection.setup.timeout.ms: 30000
      ssl.endpoint.identification.algorithm: ""
      status.storage.replication.factor: -1
      status.storage.topic: dummy-six-status
    tls:
      trustedCertificates:
      - certificate: ca.cert
        secretName: target-tls-secret-dummy-six
  connectCluster: target-dummy-six
  logging:
    loggers:
      connect.root.logger.level: INFO
    type: inline
  metricsConfig:
    type: jmxPrometheusExporter
    valueFrom:
      configMapKeyRef:
        key: mirrormaker-metrics-config
        name: mirror-maker-2-metrics
  mirrors:
  - checkpointConnector:
      config:
        checkpoints.topic.replication.factor: 1
        offset-syncs.topic.location: target
        refresh.groups.interval.seconds: 20
        replication.policy.class: com.company.CustomRepPolicy
        replication.policy.dest.metric.topic.name: test_metric_con
        sync.group.offsets.enabled: false
    groupsPattern: .*
    heartbeatConnector:
      config:
        heartbeats.topic.replication.factor: 1
    sourceCluster: source-dummy-six
    sourceConnector:
      config:
        offset-syncs.topic.location: target
        offset-syncs.topic.replication.factor: 1
        refresh.topics.interval.seconds: 20
        replication.factor: 1
        replication.policy.class: com.company.CustomRepPolicy
        replication.policy.dest.metric.topic.name: test_metric_con
        replication.policy.separator: .
        sync.group.offsets.enabled: false
        sync.topic.acls.enabled: "true"
        topic.creation.default.message.format.version: 2.8-IV0
        topic.creation.default.partitions: -1
        topic.creation.default.replication.factor: -1
      tasksMax: 4
    targetCluster: target-dummy-six
    topicsPattern: my_target_topic

This is the error I get

Node 2 disconnected. (org.apache.kafka.clients.NetworkClient) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:17,103 WARN [AdminClient clientId=adminclient-1] Connection to node 2 (kafka-target-cluster/10.23.52.37:32187) could not be established. Node may not be available. (org.apache.kafka.clients.NetworkClient) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,769 INFO [AdminClient clientId=adminclient-1] Node 0 disconnected. (org.apache.kafka.clients.NetworkClient) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,769 WARN [AdminClient clientId=adminclient-1] Connection to node 0 (kafka-target-cluster/10.23.52.37:32185) could not be established. Node may not be available. (org.apache.kafka.clients.NetworkClient) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,770 INFO App info kafka.admin.client for adminclient-1 unregistered (org.apache.kafka.common.utils.AppInfoParser) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,771 INFO [AdminClient clientId=adminclient-1] Metadata update failed (org.apache.kafka.clients.admin.internals.AdminMetadataManager) [kafka-admin-client-thread | adminclient-1]
org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited. Call: fetchMetadata
2024-11-19 16:11:18,773 INFO [AdminClient clientId=adminclient-1] Timed out 1 remaining operation(s) during close. (org.apache.kafka.clients.admin.KafkaAdminClient) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,779 INFO Metrics scheduler closed (org.apache.kafka.common.metrics.Metrics) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,779 INFO Closing reporter org.apache.kafka.common.metrics.JmxReporter (org.apache.kafka.common.metrics.Metrics) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,779 INFO Metrics reporters closed (org.apache.kafka.common.metrics.Metrics) [kafka-admin-client-thread | adminclient-1]
2024-11-19 16:11:18,779 ERROR Stopping due to error (org.apache.kafka.connect.cli.AbstractConnectCli) [main]
org.apache.kafka.connect.errors.ConnectException: Failed to connect to and describe Kafka cluster. Check worker's broker connection and security properties.
	at org.apache.kafka.connect.runtime.WorkerConfig.lookupKafkaClusterId(WorkerConfig.java:305)
	at org.apache.kafka.connect.runtime.WorkerConfig.lookupKafkaClusterId(WorkerConfig.java:285)
	at org.apache.kafka.connect.runtime.WorkerConfig.kafkaClusterId(WorkerConfig.java:415)
	at org.apache.kafka.connect.cli.AbstractConnectCli.startConnect(AbstractConnectCli.java:124)
	at org.apache.kafka.connect.cli.AbstractConnectCli.run(AbstractConnectCli.java:94)
	at org.apache.kafka.connect.cli.ConnectDistributed.main(ConnectDistributed.java:116)
Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment. Call: listNodes
	at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
	at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:165)
	at org.apache.kafka.connect.runtime.WorkerConfig.lookupKafkaClusterId(WorkerConfig.java:299)
	... 5 more
Caused by: org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment. Call: listNodes

What I notice is I am providing the target bootstrap-server as 10.11.12.13:32182 but it fails to reach 10.23.52.37:32185. So this means that it is able to resolve the original bootstrap server and then identifies from the target kafka cluster metadata, the nodes. So TLS configuration and SCRAM-SHA-512 authentication is happening correctly.

Furthermore when I try to check the connection on 10.11.12.13:32182 I get this

nc -zv 10.11.12.13 32182
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 10.11.12.13:32182.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

But when I do the same with 10.23.52.37:32185 I am unable to eastablish a connection

nc -zv 10.23.52.37 32185
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connection timed out.

I have also verified the tls certificate by executing this command and cross checking the ca-cert I have provided with the last certificate of the output of this command

openssl s_client -connect 10.11.12.13:32182 -showcerts

Also on my target cluster I have not defined any acls. So by default all permissions should be enabled. As determined by the output of this

 ./kafka-acls.sh    --list  --bootstrap-server 10.11.12.13:32182
Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker
	at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
	at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:165)
	at kafka.admin.AclCommand$AdminClientService.getAcls(AclCommand.scala:180)
	at kafka.admin.AclCommand$AdminClientService.listAcls(AclCommand.scala:149)
	at kafka.admin.AclCommand$AdminClientService.$anonfun$listAcls$1(AclCommand.scala:142)
	at kafka.admin.AclCommand$AdminClientService.listAcls(AclCommand.scala:141)
	at kafka.admin.AclCommand$.main(AclCommand.scala:77)
	at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker

(I have changed the actual IP addresses)
Any advice on this would be very much appreciated.

[scholzj]

The Mirror Maker 2 config seems to be fine in theory. So I think you need to be looking at whether your security configuration is really correct, whether the networking is working etc. But those depend on your environment, so nobody can really help you with those.

[Runsterbraze123]

Yeah, it turned out to be a network issue. The hostname the bootstrap server was resolving to kafka-target-cluster/10.23.52.37:32185 was also present in my source k8s cluster. So it was not actually connecting to the target cluster.