
I have installed Strimzi Kafka and created TLS enabled cluster as follows:

    listeners:
      plain: {}
      tls:
        authentication:
          type: tls

The Kafka cluster CA certificate created automatically and looks like this:

    Entry type: trustedCertEntry
    Owner: CN=cluster-ca v0, O=io.strimzi
    Issuer: CN=cluster-ca v0, O=io.strimzi
    Serial number: def376173b64bf84
    Valid from: Tue Jan 26 23:25:07 MSK 2021 until: Wed Jan 26 23:25:07 MSK 2022
    Certificate fingerprints:
    SHA1: 4D:AA:27:0F:84:61:88:D0:B8:1C:CB:9A:DD:5F:D3:E8:3D:52:B4:65

The question is: what should I do after a year has passed (as the certificate is automatically created with a 1 year validity period)? I use TLS authentication for the clients (producers/consumers) -- and as a result I add this certificate to the SSL truststore on the client side. What do I need to do on the client after a year has passed? I guess update the truststore with the new cluster CA certificate?

Barat Sahdzijeu

2 Answers


The CA will be automatically renewed by Strimzi. You can just update your truststore and keep using your cluster. If you prefer, you can also provide your own certificate for the listener: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str or your own CA: https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str

Jakub
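The truststore update that the question and this answer talk about, as an added example (not code from the original thread or from the Strimzi project). It assumes `kubectl`, `openssl` and `keytool` are on PATH, that the cluster CA lives in the Strimzi secret `<cluster>-cluster-ca-cert` under the key `ca.crt`, and that the truststore is a JKS file; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: import the (renewed) Strimzi cluster CA into a client JKS truststore.
set -eu

# Alias for one CA generation: the old and the renewed CA can then both stay in the
# truststore while brokers are still being rolled onto the new certificate.
ca_alias() {
  local cluster="$1" serial="$2"
  printf '%s-cluster-ca-%s' "$cluster" "$(printf '%s' "$serial" | tr 'A-F' 'a-f')"
}

# Serial number of a PEM certificate as printed by openssl (hex, "serial=" prefix removed).
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Fetch the current cluster CA from the Strimzi secret and import it into the truststore
# unless that CA generation is already trusted.
refresh_truststore() {
  local cluster="$1" namespace="$2" truststore="$3" password="$4"
  local pem alias
  pem="$(mktemp)"
  # The secret key contains a dot, so it is escaped in the jsonpath expression.
  kubectl get secret "${cluster}-cluster-ca-cert" -n "$namespace" \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$pem"
  alias="$(ca_alias "$cluster" "$(cert_serial "$pem")")"
  if keytool -list -keystore "$truststore" -storepass "$password" -alias "$alias" >/dev/null 2>&1; then
    echo "CA $alias is already trusted"
  else
    keytool -importcert -noprompt -keystore "$truststore" -storepass "$password" \
      -alias "$alias" -file "$pem"
    echo "imported $alias"
  fi
  rm -f "$pem"
}

# Usage (constructed values): refresh_truststore my-cluster kafka client-truststore.jks changeit
```

Run it once after each CA renewal (or from a cron job); because the alias is derived from the serial number, re-running it is a no-op until Strimzi issues a new CA.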

I recommend providing your own CA certificates (either a private CA if you use one, or a public CA issued cert) in Strimzi's Kafka object, which you can include in the Kafka configuration as follows:

    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        configuration:
          brokerCertChainAndKey:
            secretName: my-secret
            certificate: my-listener-certificate.crt
            key: my-listener-key.key

In this case, you may not have to update every client application's JKS every time the cluster cert is about to expire:

https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q2/html/using_amq_streams_on_openshift/security-str#proc-installing-certs-per-listener-str

shariqmaws