Strimzi clients ca certificate management

[opsocomusr]

We have added additional public certificates in the strimzi-clients-ca-cert secret and left the ca.crt as is so that,

1. we can still use the tls authentication for internal apps (connect, mirrormaker, streams etc.,)
2. we can use the tls-external authentication type for the users who wants to connect from outside of our AKS cluster.

With this setting, we are able to utilize both tls and tls-external authentication types without any issues since the clients-ca now trusts both the strimzi generated user certs and externally signed certs.

But the problem is when Strimzi renews the ca.crt in strimzi-clients-ca-cert secret, the external public certificates are removed from the secret and it ends up not trusting the externally signed certificates which were working prior to the renewal.

Is it possible to retain the external public certificates as is in the secret and update only the ca.crt, ca.p12 and ca.password managed by Strimzi?

[scholzj]

TBH, I'm not sure we should support something like that. It is just overcomplicating things without any clear benefits. If you can use the Strimzi CA for some apps, why not for all of them? If you can use external CA for some users, why not use it for all of them? But having the secret partially maintained by Strimzi definitely does sounds like a bad idea TBH.

[opsocomusr]

We wanted to use both since we can utilize the certificate auto-renewal feature of Strimzi for the internal apps(which is more in number) and the recommendation from our organization is to use only the approved CAs for all external users(limited numbers) who wants to connect from outside of the organization. If we have support for both, we can reduce the number of certificates that we needed to manage and probably ending up not trusting the external ones after strimzi auto-renews the internal certificates.

I created a draft pull request in my own fork with the required changes. Please let me know if this can be supported so that we can use both tls and tls-external authentication types.

https://github.com/Pradeep2103/strimzi-kafka-operator/pull/1/files

[scholzj]

Tom Bentley is working on some redesign of the CA handling. Maybe he can think about if / how to add this. I personally think that this should not mix in a single secret. So this would need to be implemented in some other although more difficult way. Having user managed and Strimzi managed certs in a single secret is asking for troubles, it would not be possible to use GitOps for that, it would be in danger of overriding each others changes etc.