Need Help in settingup the strimzi kafka 0.47 with public certs i.e digicert for external node tls and with advertisedHost

[csuryac]

we have setup the kafka brokers with kraft using the below config and its working when calling the node port with advertisedHost using the scram password and ssl truststore location and truststore pasword which is same as secret which we used.
but we want to avoid using the truststore location from the client call as we are using digi cert root and advertisedHost as CN ,since the digi cert root is open public . we have that cert in all jdks cacert file .

we are able to do in apache kafka and confluent kafka community edition ,how can we achieve this using strimzi kafka .

strimzi operator :0.47
# Kafka version
version: 4.0.0
# KRaft metadata version
metadataVersion: 4.0-IV3

spec:
kafka:
# Listener configuration (required)
listeners:
- name: plain
port: 9092
type: internal
tls: false
configuration:
useServiceDnsDomain: true
- name: tls
port: 9093
type: internal
tls: true
authentication:
type: tls
- name: external
port: 9094
type: nodeport
tls: true
authentication:
type: scram-sha-512
configuration:
brokers:
- broker: 0
advertisedHost: kafka-devops-1-olly-0.xxxx.com
advertisedPort: 32100
nodePort: 32100
- broker: 1
advertisedHost: kafka-devops-1-olly-1.xxxx.com
advertisedPort: 32101
nodePort: 32101
- broker: 2
advertisedHost: kafka-devops-1-olly-2.xxxx.com
advertisedPort: 32102
nodePort: 32102
brokerCertChainAndKey:
secretName: digi-kafka-broker-secret
certificate: tls.crt
key: tls.key

[scholzj]

You should:

• Properly format the YAMl you shared, because it is not readable
• Explain what exactly does not work and share the related logs

[csuryac]

apiVersion:` kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: strimzi-poc
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    # Listener configuration
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
        configuration:
          useServiceDnsDomain: true
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: nodeport
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          brokers:
            - broker: 0
              advertisedHost: kafka-devops-1-olly-0.xxx.com
              advertisedPort: 31090
              nodePort: 31090
            - broker: 1
              advertisedHost: kafka-devops-1-olly-1.xxx.com
              advertisedPort: 31091
              nodePort: 31091
            - broker: 2
              advertisedHost: kafka-devops-1-olly-2.xxx.com
              advertisedPort: 31092
              nodePort: 31092
          brokerCertChainAndKey:
            secretName: digi-kafka-broker-secret
            certificate: tls.crt
            key: tls.key
    authorization:
      type: simple
      superUsers:
        - admin
    version: 4.0.0
    metadataVersion: 4.0-IV3
    config:
      auto.create.topics.enable: "false"
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      default.replication.factor: 3
      min.insync.replicas: 2
    resources:
      requests:
        memory: 2Gi
        cpu: "1"
      limits:
        memory: 4Gi
        cpu: "2"
    logging:
      type: inline
      loggers:
        rootLogger.level: INFO
    readinessProbe:
      initialDelaySeconds: 15
      timeoutSeconds: 5
    livenessProbe:
      initialDelaySeconds: 15
      timeoutSeconds: 5
    jvmOptions:
      -Xms: 2048m
      -Xmx: 2048m

  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafkaExporter: {}``

[csuryac]

@scholzj the above code works
/opt/kafka/bin/kafka-topics.sh --bootstrap-server kafka-devops-1-olly-0.xxx.com --list --command-config client.config
Here is client client.config which we have used

  sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username=admin password="xx";
  security.protocol: SASL_SSL
  sasl.mechanism: SCRAM-SHA-512
   ssl.truststore.location: broker-digi.p12
  ssl.truststore.password: xx
  ssl.truststore.type: PKCS12

we want to avoid using the truststore location from the client.config since we are using digiCert Public CA root inside the broker-digi.p12

[scholzj]

Well, the custom reource looks good. I'm still not sure what does nto work for you as you did not shared anything about that - no logs etc.

[csuryac]

@scholzj We donot want to specify any truststore. We want to use the default CA certificates bundled with Java.
we are using digiCert Public CA root inside the broker-digi.p12.

when we remove the below entries it not working as expected
ssl.truststore.location: broker-digi.p12
ssl.truststore.password: xx
ssl.truststore.type: PKCS12

Hope i am clear on this

[scholzj]

I understand what you are trying to do. And if your certificate is signed b a trusted public CA, you should indeed not need the truststore. But without the logs etc., that is all I can tell you.