Strimzi
Enable mutual TLS authentication (Internal) #4992
Replies: 1 comment 4 replies
-
|
Please use the Markdown code formatting to made the YAML snippets more readable. This way, it is hard to see the alignment, whitespaces etc. So I cannot tell if you have it right or wrong. Also, did you checked the docs? I think this is all covered there. |
Beta Was this translation helpful? Give feedback.
-
|
Sorry for the inconvenience. And this is my kafka user yaml file: In the documentation I couldn't find how they have used these certificates to validate the broker and client. I mean where we have to specify the details of these certificates, details in the sense [.crt,key etc]. It would be helpful for me If you can explain how to achieve this . |
Beta Was this translation helpful? Give feedback.
-
|
Well, Strimzi can only tell you where to get the certificates. But using them will be different for each client ... so it really depends on what you use. Each one might need different format etc. For the Java Kafka clients it is described in our docs. For example here: https://strimzi.io/docs/operators/latest/full/deploying.html#setup-external-clients-str ... for other clients, you need to consult their documentation. |
Beta Was this translation helpful? Give feedback.
-
|
well the above link describes setting up external clients which is exposed outside the kubernetes cluster. but my requirement is to achieve TLS authetication within the kubernetes cluster. Basically while running producer we run the below command as per the documentation So in this case we cannot provide any external config file which contains ssl truststore password,ssl truststore location, etc. So is there way we can provide config file which contains ssl properties within the kubernetes cluster? But In case of external client we will be using loadbalancer ip which is public. So while using external configuration we can provide external config file |
Beta Was this translation helpful? Give feedback.
-
|
Well, then you should check the helm of the console consumer / producer or Kafka documentation. |
Beta Was this translation helpful? Give feedback.
-
I want to enable mutual TLS authentication between my kafka broker and my kafka user.
Below is the configuration of my kafka broker:
listeners:
- name: tls
port: 9093
type: internal
tls: true
authentication:
type: tls
authorization:
type: simple
Below is the configuration of my kafka user:
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
name: my-user
labels:
strimzi.io/cluster: my-cluster
spec:
authentication:
type: tls
authorization:
type: simple
acls:
- resource:
type: topic
name: my-topic
patternType: literal
operation: Read
host: ""
- resource:
type: topic
name: my-topic
patternType: literal
operation: Describe
host: ""
- resource:
type: topic
name: my-topic
patternType: literal
operation: Write
host: ""
- resource:
type: topic
name: my-topic
patternType: literal
operation: Create
host: ""
- resource:
type: topic
name: my-topic
patternType: literal
operation: Describe
host: "*"
Now how do I tell my kafka broker to validate the client certificate and vice versa [i.e. client should validate broker certificate]. I know that when I deploy KafkaUser it creates a new Secret with the same name as the KafkaUser resource. How to use this secret?
Exactly where in the yaml file should I specify the details of my broker certificate and client certificate?
Please help
Beta Was this translation helpful? Give feedback.
All reactions