confluentinc · howard-tran · Nov 20, 2025 · Nov 21, 2025
@@ -0,0 +1,2 @@
+kafka1
+kafka2
@@ -22,7 +22,15 @@ keytool -keystore kafka.$i.keystore.jks -alias $i -certreq -file $i.csr -storepa
 # Enables 'confluent login --ca-cert-path /etc/kafka/secrets/snakeoil-ca-1.crt --url https://kafka1:8091'
 DNS_ALT_NAMES=$(printf '%s\n' "DNS.1 = $i" "DNS.2 = localhost")
 if [[ "$i" == "mds" ]]; then
-  DNS_ALT_NAMES=$(printf '%s\n' "$DNS_ALT_NAMES" "DNS.3 = kafka1" "DNS.4 = kafka2")
+	BROKER_FILES="brokers.txt"
+
+	dns_index=3  # start after DNS.1 and DNS.2
+
+	while IFS= read -r broker || [[ -n "$broker" ]]; do
+		[[ -z "$broker" ]] && continue
+		DNS_ALT_NAMES=$(printf '%s\nDNS.%d = %s' "$DNS_ALT_NAMES" "$dns_index" "$broker")
+		((dns_index++))
+	done < "$BROKER_FILES"
 fi
 # control-center and ksqldb-server share a certificate
 if [[ "$i" == "controlCenterAndKsqlDBServer" ]]; then

@@ -18,7 +18,18 @@ openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 36
 #
 # This is necessary as browsers never prompt to trust certificates for this kind of wss:// connection, see https://stackoverflow.com/a/23036270/452210 .
 #
-users=(kafka1 kafka2 client schemaregistry restproxy connect connectorSA controlCenterAndKsqlDBServer ksqlDBUser appSA badapp clientListen mds)
+users=(client schemaregistry restproxy connect connectorSA controlCenterAndKsqlDBServer ksqlDBUser appSA badapp clientListen mds)
+
+# Suppose this script is run in the following manner
+# cd /etc/kafka/secrets && ./certs-create.sh
+BROKER_FILE="brokers.txt"
+
+while IFS= read -r broker || [[ -n "$broker" ]]; do
+    # Skip empty lines
+    [[ -z "$broker" ]] && continue
+    users+=("$broker")
+done < "$BROKER_FILE"
+
 echo "Creating certificates"
 printf '%s\0' "${users[@]}" | xargs -0 -I{} -n1 -P15 sh -c './certs-create-per-user.sh "$1" > "certs-create-$1.log" 2>&1 && echo "Created certificates for $1"' -- {}
 echo "Creating certificates completed"