@tvainika
Created April 14, 2021 10:17
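#!/bin/bash
# Fetch the CA certificate and client credentials of an Aiven Kafka service, then
# build a PKCS12 keystore, a JKS truststore, kafka.properties and a kafkacat wrapper.
set -euo pipefail
# The files written below include a private key: create them owner-only.
umask 077
if [ $# -lt 1 ]; then
    echo "Usage: $0 servicename"
    exit 1
fi
# Remove output of earlier runs; keytool refuses to import into an existing alias.
rm -f ca.pem service.key service.cert client.keystore.p12 client.truststore.jks
echo "Downloading ca.pem"
avn project ca-get --target-filepath ca.pem
tempjson=$(mktemp)
# The service JSON contains the access key, so delete it even if a later step fails.
trap 'rm -f "${tempjson}"' EXIT
echo "Using temp file ${tempjson}"
avn service get "$1" --json > "${tempjson}"
jq -r .connection_info.kafka_access_cert "${tempjson}" > service.cert
jq -r .connection_info.kafka_access_key "${tempjson}" > service.key
# The store password "secret" is hard-coded here and repeated in kafka.properties.
openssl pkcs12 -export -inkey service.key -in service.cert -out client.keystore.p12 -name service_key -passout pass:secret
keytool -import -file ca.pem -alias CA -keystore client.truststore.jks -storepass secret -noprompt
current_dir=$(pwd)
service_uri=$(avn service get "$1" --json | jq -r .service_uri)
cat > kafka.properties <<EOF
security.protocol=SSL
ssl.keystore.type=PKCS12
ssl.keystore.location=${current_dir}/client.keystore.p12
ssl.keystore.password=secret
ssl.key.password=secret
ssl.truststore.location=${current_dir}/client.truststore.jks
ssl.truststore.password=secret
EOF
cat > kcat.sh <<EOF
#!/bin/bash
kafkacat \
-X security.protocol=ssl \
-X ssl.ca.location=${current_dir}/ca.pem \
-X ssl.certificate.location=${current_dir}/service.cert \
-X ssl.key.location=${current_dir}/service.key \
-b ${service_uri} \
"\$@"
EOF
# The wrapper points at owner-only key files, so only the owner needs to run it.
chmod u+x kcat.sh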
@tvainika
Author

If one does not need Java-style keystore files, one can also simply use avn service user-creds-download --username avnadmin [SERVICE_NAME]
