How to provide multiple clients-CA certificates to kafka

[NathanAvx]

Hi @scholzj ,

We have created a secret with custom clients ca with the below commands, it worked fine.

kubectl -n avx-kafka create secret generic avx-kafka-cluster-clients-ca --from-file=ca.key=client-ca.key
kubectl -n avx-kafka create secret generic avx-kafka-cluster-clients-ca-cert --from-file=ca.crt=client-ca-chain.crt  --from-file=ca.p12=client-ca.p12 --from-literal=ca.password=password

kubectl -n avx-kafka label secret avx-kafka-cluster-clients-ca strimzi.io/kind=Kafka strimzi.io/cluster=avx-kafka-cluster strimzi.io/name=strimzi
kubectl -n avx-kafka label secret avx-kafka-cluster-clients-ca-cert strimzi.io/kind=Kafka strimzi.io/cluster=avx-kafka-cluster strimzi.io/name=strimzi

We have a use case to have multiple client CA, How can we achieve it ?
Please advice.
Thanks.

[scholzj]

I'm not sure this is currently supported. Definitely not as part of the User Operator. So you can try to disable the User Operator and provide multiple CA certificates as part of the secret which is what propagates into the Kafka broker's truststore and then issue the user certificates on your own.

[scholzj]

One think to keep in mind is that you would definitely need to keep the original structure. So I guess for a start you can try to:

• Add multiple certs into the ca.crt
• Add additional .crt files to the secret

[NathanAvx]

Thank you very much

[NathanAvx]

Hi @scholzj ,
Disabled user operator & added 2 client-ca then restarted the kafka pods, as expected the certs are propagated to the kafka brokers, but new kafkauser & its secret are not linked (meaning secret is not shown in the status of kafkauser)

$ kubectl -n avx-kafka get  kafkauser --show-labels
NAME               CLUSTER             AUTHENTICATION   AUTHORIZATION   READY   LABELS
avx-kafka-user-2   avx-kafka-cluster   tls              simple                  strimzi.io/cluster=avx-kafka-cluster
avx-kafka-user-3   avx-kafka-cluster   tls              simple                  strimzi.io/cluster=avx-kafka-cluster

$ kubectl -n avx-kafka get secret avx-kafka-user-2 avx-kafka-user-3 --show-labels
NAME               TYPE     DATA   AGE    LABELS
avx-kafka-user-2   Opaque   5      29h    strimzi.io/cluster=avx-kafka-cluster,strimzi.io/kind=KafkaUser
avx-kafka-user-3   Opaque   5      109m   strimzi.io/cluster=avx-kafka-cluster,strimzi.io/kind=KafkaUser

Can you help me on this ?

[scholzj]

Sorry if that was not clear ... the KafkaUser resources are handled by the User Operator. So with the UserOperator disabled, nothing will happen with them since there is nothing to handle it.

[scholzj]

So out of curiosity ... how did you do it? Do you have two CRT files in the secret? Or did you put both certificates into the same CRT file?

[NathanAvx]

Hi @scholzj,

As we discussed, disabled user operator, added 2 client-ca & then restarted the kafka pods, as expected certs are propagated to the kafka brokers but when I create a new kafka user, it is not getting linked with the created secret (meaning secret is not shown in the kafka user status)

$ kubectl -n avx-kafka get secret avx-kafka-user-2 avx-kafka-user-3 --show-labels
NAME               TYPE     DATA   AGE    LABELS
avx-kafka-user-2   Opaque   5      29h    strimzi.io/cluster=avx-kafka-cluster,strimzi.io/kind=KafkaUser
avx-kafka-user-3   Opaque   5      109m   strimzi.io/cluster=avx-kafka-cluster,strimzi.io/kind=KafkaUser

$ kubectl -n avx-kafka get  kafkauser --show-labels
NAME               CLUSTER             AUTHENTICATION   AUTHORIZATION   READY   LABELS
avx-kafka-user-2   avx-kafka-cluster   tls              simple                  strimzi.io/cluster=avx-kafka-cluster
avx-kafka-user-3   avx-kafka-cluster   tls              simple                  strimzi.io/cluster=avx-kafka-cluster

Can you help me on this ?

[scholzj]

That is the same as above, or?

[NathanAvx]

Same.

[NathanAvx]

This is how I added the certs to the secret

$ kubectl -n avx-kafka get secret  avx-kafka-cluster-clients-ca-cert -o yaml
apiVersion: v1
data:
  ca.crt: <base64>
  ca.p12: <base64> 
  ca.password: <base64>
  client-ca-1.crt: <base64>
  client-ca-2.crt: <base64>

[NathanAvx]

@scholzj, So without User Operator there is no way to link the secret with the KafkaUser ?

[scholzj]

But with the custom CA, you do not need to link the secret to the KafkaUser. The client has the certificate wherever it wants and just uses it. And as long it is trusted by the broker it works. So you do not need to care about the KafkaUser resource and its secret. The user secret is there just for the user - it is not in any way linked into the cluster. The only thing in the cluster is the CA which signed it. So you do not need it to have it trusted by the broker.

[NathanAvx]

As you mentioned it worked (2 client ca trusted by brokers & 2 user certs signed by the client ca respectively, No User Operator, No KafkaUser & its secret). Thanks @scholzj.
Could you please help me with another tip to achieve ACL in this case.

[scholzj]

You would need to use the Kafka Admin API to manage things such as ACLs or Quotas.

[NathanAvx]

Done it. Thanks.