
I have Strimzi Kafka installed with a Kafka cluster with TLS listeners (in OpenShift, if it matters). When I add a KafkaUser I request TLS authentication like this:

spec:
  authentication:
    type: tls
  authorization:
    type: simple

Then I extract the user's keystore created by Strimzi and provide it when I connect to the Kafka bootstrap server from client code.

Question: how can I provide a custom SSL certificate when adding a KafkaUser, or is there a way to replace the auto-generated SSL user certificate with a custom one (e.g. to extend the validity period)? In particular, to which secret's truststore should I add the user's certificate? Or is it bad practice and should I stick with the auto-generated one?

Barat Sahdzijeu

1 Answer


To authenticate against the cluster, you have to use a certificate signed by a trusted CA. So you cannot provide a random certificate and use it. So if you want to use the User Operator, you have to use the CA trusted by the brokers, and the User Operator generates the user cert from it. You can either use the generated Strimzi CA or provide your own. Alternatively, if you want, you can also provide your own trusted certificate and issue your user certs any way you want and not use the User Operator and KafkaUser resources at all.

Jakub
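The answer's point, played through as an added example (not code from the question, the answer or Strimzi): a client certificate for a KafkaUser is accepted only if it chains to the clients CA the brokers trust, and issuing it yourself from that CA is how you get a custom validity period. It assumes openssl is installed; the CA and user names are constructed, and in a real cluster the clients CA would come from the `<cluster>-clients-ca` (key) and `<cluster>-clients-ca-cert` (cert) Secrets.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Strimzi). Assumes openssl
# is installed; CA and user names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Self-signed CA standing in for the cluster's clients CA (constructed).
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a client cert for a KafkaUser with a custom validity. The CN must be
# the KafkaUser name, because simple authorization matches ACLs on "CN=<user>".
issue_user_cert() {  # $1 = CA name, $2 = KafkaUser name, $3 = validity in days
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$3" -out "$WORK/$2.crt" >/dev/null 2>&1
  # PKCS#12 keystore in the form a Kafka client's ssl.keystore.location expects.
  openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" -name "$2" \
    -passout pass:changeit -out "$WORK/$2.p12" >/dev/null 2>&1
}

# Succeeds only if the user cert chains to the CA: the check a broker performs.
verify_chain() {  # $1 = CA name, $2 = KafkaUser name
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Succeeds if the user cert is still valid $2 seconds from now.
still_valid_after() {  # $1 = KafkaUser name, $2 = seconds
  openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# Walk-through: a two-year cert for my-user chains to clients-ca; a cert for
# other-user issued by an unrelated CA is rejected by that same check.
make_ca clients-ca
make_ca unrelated-ca
issue_user_cert clients-ca my-user 730
issue_user_cert unrelated-ca other-user 730
verify_chain clients-ca my-user && echo "my-user: trusted by clients-ca"
verify_chain clients-ca other-user || echo "other-user: rejected by clients-ca"
```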