Strimzi
Is Kafka.spec.clientsCa configurable with Organisations CA? #10679
Replies: 1 comment 4 replies
-
|
The |
Beta Was this translation helpful? Give feedback.
-
|
@scholzj can you point me to the exact place in the docs where it shows how to configure custom CA in Kafka.spec.clientsCa because I couldnt find a secret property for that (im using 0.41 operator) |
Beta Was this translation helpful? Give feedback.
-
|
I do not have the link at hand, sorry. But I would expect that if you search for something like custom CA or own CA, you should be able to find it. |
Beta Was this translation helpful? Give feedback.
-
|
so the custom CA secrets need to be called <cluster_name>-clients-ca-cert and <cluster_name>-clients-ca for this to work? |
Beta Was this translation helpful? Give feedback.
-
|
It also needs to have some special annotations etc. |
Beta Was this translation helpful? Give feedback.
-
I'm using Strimzi operator version 0.41 and struggling to understand how to configure the Kafka client to use our organisation's CA for mTLS. In Kafka.spec.clientsCa, there are fields to set generateCertificateAuthority to false, which disables the automatic generation of the CA. However, I would expect there to be a way to provide a secret for my own client CA, but there doesn’t appear to be such a property. When I set generateCertificateAuthority to false without providing a secret, the Kafka CRD complains that no secret has been provided!
I’m configuring mTLS for the externalTLS listener and have successfully set the broker certificate with:
This part works fine — when I connect to the broker, I can see the server certificate containing my organisation's information. However, the brokers are still only accepting client requests from certificates signed by Strimzi's default CA.
I believe I'm missing something real dumb here.
Beta Was this translation helpful? Give feedback.
All reactions