Installing our own certificates

[barryzhounb]

In Kafka, there are two CAs - cluster CA and client CA.

Now we want to use our own certificates, the reason is, we have a client outside of Cloud and Kafka lives on Cloud. client needs to connect Kafka via SSL mode. Then we create our own root CA and apply to Kafka, and client's Certificate Signing Request will be assigned by this our own root CA.

My question is, which CA needs to be replaced - cluster CA or client CA ?

[scholzj]

The Clients CA is used for generating user certificates used for TLS client authentication. The Cluster CA is used to sign the server certificates used by the brokers. So it depends what do you really want to do - it is not completely clear from your description.

PS: You can also specify a server certificate on per-listener basis as an alternative to providing your own Cluster CA which is not always easy.

[barryzhounb]

We have an app that sits outside of Cloud, so this app needs a secure TLS connection to connect Kafka cluster via TLS, this app will generate a CSR and signed by a root CA (I am not clear it is client CA or cluster CA), then our app get app's keystore (please see the following yaml, it is /opt/si/services/conf/keystore.jks). So the question is, in order to get /opt/si/services/conf/keystore.jks, here what is this root CA? client CA or cluster CA?

      security.protocol: 'SSL'
      ssl.trustmanager.algorithm: 'PKIX'
      ssl.truststore.location: '/opt/si/services/conf/truststore.jks'
      ssl.truststore.password: '123456'
      ssl.truststore.type: 'JKS'
      ssl.keystore.location: '/opt/si/services/conf/keystore.jks'
      ssl.keystore.password: '123456'
      ssl.keystore.type: 'JKS'

[scholzj]

First of all - just in case it was not clear - you can do this with Strimzi out of the box without providing any CA. You can just configure the TLS on the listener and use the User Operator / KafkaUser resource to generate the user certificate.

If you really want to use you custom CA, it sounds like you are talking about client authentication here if it goes into the keystore on the Kafka client side. So in that case you would need to set the CA as a Clients CA in the Kafka cluster => that way it will get into the broker truststores and will trust all users with a certificate signed by this CA.

[barryzhounb]

Yes, we will use the second way. Thanks you @scholzj .

[barryzhounb]

Hello @scholzj I saw the procedure you sent me - https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str, it introduces how to install our certificate, however all procedures are manually integration. I am wondering whether it is possible to complete these procedure via programing? That means, is there any API or service in Strimiz Operator that we can install our CA certificate via remote call ?

[scholzj]

Well, everything what you do using kubectl can be done using the Kubernetes API. It is really just creating a secret with the right name, labels and fields. So you can use the API for it. But any examples etc. would depend on the programming languages you want to use etc.