
We have a Strimzi Kafka cluster on GKE with TLS implemented; the TLS certs have a default expiry of 1 year, i.e. the certs get renewed every year.

Currently, on expiry, we have to provide the external Kafka clients with new certs. The objective is to automate this process, i.e. one should not have to distribute the certs manually to the multiple clients; instead, this should be automated.

What is the best way to achieve this? I was checking CMPv2 as an option; however, the documentation is not very clear on this.

Any pointers on this are appreciated!

tia!

Karan Alang
  • We haven't found a good solution for distribution of SSL client certs. That's why we are switching our clients to SASL authentication instead of SSL. – Mikhail Dubrovin Jan 07 '23 at 10:18
  • @MikhailDubrovin - can you please provide details on how SASL is helping with this scenario? What protocol are you using for auth/encryption? – Karan Alang Jan 11 '23 at 06:34
  • SASL is an authentication method. Instead of using a client SSL certificate and reissuing it every some period of time, e.g. 1y, we decided to use username/password (SASL). SSL is still used to establish a secured connection. The truststore contains all trusted root certificates; that is enough to identify the server and establish an SSL connection. The validity period is much longer for the server's certificates, and it's much easier to revoke access for the app in the case of SASL. BTW: the secure protocol is SASL_SSL. [Confluent doc](https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html#jaas) – Mikhail Dubrovin Jan 12 '23 at 13:31
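The SASL_SSL setup described in the last comment, as an added example that is not part of the original thread: a Strimzi listener that keeps TLS for transport but authenticates clients with SCRAM-SHA-512, plus the KafkaUser whose password Strimzi generates, so the client needs only the cluster CA in its truststore and no per-client certificate. The cluster name `my-cluster`, user name `my-app` and listener name/port are assumptions; the Kafka resource is shown as a fragment of an existing cluster spec.

```yaml
# Added example (not from the original question or comments).
# Assumed names: cluster "my-cluster", application user "my-app",
# external listener "external" on port 9094.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      # tls: true keeps the connection encrypted and server-authenticated, so a
      # client still verifies the broker with the cluster CA in its truststore.
      # The listener authenticates the client with SCRAM credentials instead of
      # a client certificate, which is what removes the yearly cert hand-out.
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: scram-sha-512
    # replicas, storage and the rest of the cluster spec are unchanged and omitted
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-app
  labels:
    # must match the Kafka resource name so the User Operator manages this user
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: scram-sha-512
  # The User Operator creates a Secret named "my-app" holding the generated
  # password (key "password") and a ready-made JAAS line (key "sasl.jaas.config").
  # The broker CA the client must trust is in Secret "my-cluster-cluster-ca-cert".
  #
  # Client side (client.properties), using the values from those two Secrets:
  #   security.protocol=SASL_SSL
  #   sasl.mechanism=SCRAM-SHA-512
  #   sasl.jaas.config=<value of key sasl.jaas.config from Secret my-app>
  #   ssl.truststore.location=/path/to/ca.p12   (ca.p12 from the CA Secret)
  #   ssl.truststore.password=<value of key ca.password from the CA Secret>
  #   ssl.truststore.type=PKCS12
```

Revoking a client is then a matter of deleting or changing the KafkaUser rather than reissuing certificates, which is the operational gain the comment describes.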

0 Answers