KafkaUser with tls-external

[seemasanjaisinghani]

Here is our configuration :

1. We have configured brokerCertChainAndKey: in kafkaCluster.yaml
   The certificates we are using for brokerCertChaninAnd key are generated from GOogle CAS
   ----------------------->
   apiVersion: kafka.strimzi.io/v1beta2
   kind: Kafka
   metadata:
   name: {{ .Values.kafka_cluster_name }}
   spec:
   clusterCa:
   generateCertificateAuthority: {{ .Values.kafka_generate_cert }}
   clientsCa:
   generateCertificateAuthority: {{ .Values.kafka_generate_client_cert }}
   kafka:
   version: 2.8.0
   replicas: {{ .Values.kafka_replicas }}
   logging:
   type: inline
   loggers:
   kafka.authorizer.logger: "DEBUG"
   authorization:
   type: simple
   listeners:

   • name: plain
     port: 9092
     type: internal
     tls: false
   • name: external
     port: 9094
     type: loadbalancer
     tls: true
     authentication:
     type: tls
     configuration:
     brokerCertChainAndKey:
     secretName: kafka-gcp-cert-2
     certificate: tls.crt
     key: tls.key
     loadBalancerSourceRanges:
     - {{ .Values.kafka_listeners_external_load_balancer_source_ranges }}
     <----------------------------------

2. We have created KafkaUser.yaml with authentication:tls-external

---------------------------------------->
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
name: acl-user1
labels:
strimzi.io/cluster: test-cluster
spec:
authentication:
type: tls-external
authorization:
type: simple
acls:
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Read
host: ""
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Describe
host: ""
- resource:
type: group
name: my-group
patternType: literal
operation: Read
host: "*"
<-------------------------------------------------

3. When our above generated KafkaUser with "CN:acl-user1" tried to communicate with broker/bootstrap, its shows handshake failed on kafka Cluster.
   For user CN=acl-user1, we have our on prem certs generated with same CN name as user.
   When the user CN=acl-user1, tries to communicate with kafka, which truststore/CA does it verify the keystore of KafkaUser?

• Does it verify it against brokerCertChainandKey or CLinetCA?
• Is the truststore KafkaUser external certs are verified with, is configurable?

4. If we disable authentication on kafkaCluster then the SSL handshake works well, but with authentication:true , the handshake fails.

[scholzj]

Please format the examples as code to make them readable. And please make sure to share the actual values and not just some templates. Without that it is hard to understand what re you actually doing.

[seemasanjaisinghani]

KafkaUser -

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: acl-user1
  labels:
    strimzi.io/cluster: test-cluster
spec:
  authentication:
    type: tls-external 
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: kafka-cert-topic
          patternType: literal
        operation: Read
        host: "*"
      - resource:
          type: topic
          name: kafka-cert-topic
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: group
          name: my-group
          patternType: literal
        operation: Read
        host: "*"
      # Example Producer Acls for topic my-topic
      - resource:
          type: topic
          name: kafka-cert-topic
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: kafka-cert-topic
          patternType: literal
        operation: Create
        host: "*"
      - resource:
          type: topic
          name: kafka-cert-topic
          patternType: literal
        operation: Describe
        host: "*"

[scholzj]

@scholzj sorry for formatting but it doesn't pick up the code format, these are my real templates. Copied from our repo

They might be your real templates. But the actual values is what matters. You should get the actual custom resource from your Kubernetes cluster.

[seemasanjaisinghani]

@scholzj Sorry for bothering, but which actual values? Sorry I am novice here in Kafka.

[scholzj]

The resources you shared are not actual resources but just some templates. They are full of {{ ... }} placeholders. But without knowing the actual values it is hard to understand how you configured it. So you should do kubectl get kafka <NAME-OF-YOUR-KAFKA-CLUSTER> -o yaml to get the actual custom resource with the actual values and not just placeholders.

[scholzj]

In particular for your question the value of clientsCa is what definitely matters.