OSCP Support / Cluster CA

[jason0598647]

Apparently Kafka does not directly support OCSP verification, but it can be added directly to java using java.security properties.
I'm currently generating my own client certs in EJBCA, and need Kafka to reject any connections from revoked clients.

The problem for me is that I was using the default CA certs in Strimzi but these will no longer work as they won't be validated in my OCSP responder.
Is it possible to externally provide all the Strimzi Cluster certs and turn off the Strimzi cert generation altogether?
Or is the only option to provide an intermediate CA key/cert to Strimzi to get this to work?

[scholzj]

It depends on what exactly you want to do which is not completely clear as you seem to be mixing the server and client certificates. In general, you can provide your own CA -> that is covered by the docs, so you should be able to find the details there.

[jason0598647]

No worries. Yeh I did try supplying a ejbca generated certificate with signing capabilities but it’s getting stuck bringing up the zookeeper pod with No CA found. Same as this issue #4004

I’ll dig a bit deeper and make sure my cert is being added correctly. Is there a way to debug the zookeeper container and inspect the cert files getting added to zookeeper? Because it stops right away I can’t check out the file system on the container

[scholzj]

Well, the No CA found failure is IIRC even before ZooKeeper starts. That is just an OPenSSL command which fails to find the CA which signed the server cert: https://github.com/strimzi/strimzi-kafka-operator/blob/main/docker-images/kafka-based/kafka/scripts/zookeeper_tls_prepare_certificates.sh#L22

[jason0598647]

It turns out I didn't have CA flag set in X509v3 extensions. Once I fixed that, I get passed zookeeper bringup.

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE

But the problem is now that my CA does not know about the certificates that Strimzi is managing, it can not give an OCSP response for those certificates and Kafka fails to come up.

Note the error below when attempting to OCSP verify the cert "CERTIFICATE_UNKNOWN"

Which means that we cannot use certificates not generated by our CA.

You mentioned that it's possible but not documented? Are you able to provide more info on this as I have no other choice but to generate the certificates in the cluster using my CA as Kakfa does not directly support OSCP, it must be configured directly in Java and therefore will apply to all TLS communications.

Or as a separate option, maybe I could customize the script that generates the certificates and generate them on my CA instead? The operator script could generate a CSR and submit it to the EJBCA API in order to receive the signed cert.
Are the cert generation scripts all here: https://github.com/strimzi/strimzi-kafka-operator/tree/main/docker-images/kafka-based/kafka/scripts ?

javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|CertificateRequest.java:979|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "certificate_authorities (47)": {
      "certificate authorities": [
        C=US, O=example, OU=internal, CN=kafka]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:192|Consumed extension: certificate_authorities
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms_cert
javax.net.ssl|WARNING|01|main|2022-10-29 22:33:59.173 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: certificate_authorities
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.174 UTC|CertificateMessage.java:1172|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "...",
      "signature algorithm": "SHA512withRSA",
      "issuer"             : "C=US, O=example, CN=kafka",
      "not before"         : "2022-10-29 22:33:31.000 UTC",
      "not  after"         : "2023-10-29 22:33:31.000 UTC",
      "subject"            : "CN=example-kafka-kafka, O=io.strimzi",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.17 Criticality=false
          SubjectAlternativeName [
            IPAddress: ...
            DNSName: example-kafka-kafka-bootstrap.kafka.svc
            IPAddress: ...
            DNSName: example-kafka-kafka-bootstrap
            DNSName: example-kafka-kafka-brokers.kafka.svc.cluster.local
            DNSName: example-kafka-kafka-brokers.kafka.svc
            DNSName: example-kafka-kafka-bootstrap.kafka.svc.cluster.local
            DNSName: example-kafka-kafka-bootstrap.kafka
            DNSName: example-kafka-kafka-brokers
            DNSName: example-kafka-kafka-0.example-kafka-kafka-brokers.kafka.svc.cluster.local
            DNSName: kafka-broker-0.core.example.io
            DNSName: example-kafka-kafka-brokers.kafka
            DNSName: example-kafka-kafka-0.example-kafka-kafka-brokers.kafka.svc
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "...",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "C=US, O=example, CN=exampleCA",
      "not before"         : "2022-10-29 22:11:25.000 UTC",
      "not  after"         : "2024-10-28 22:11:25.000 UTC",
      "subject"            : "C=US, O=example, CN=kafka",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
  ..<.
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:true
            PathLen:2147483647
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=true
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Key_CertSign
            Crl_Sign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
                      Q.1X
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "...",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "C=US, O=example, CN=exampleCA",
      "not before"         : "2022-09-09 02:48:13.000 UTC",
      "not  after"         : "2032-09-06 02:48:13.000 UTC",
      "subject"            : "C=US, O=example, CN=exampleCA",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
                           ..<.
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:true
            PathLen:2147483647
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=true
          KeyUsage [
            DigitalSignature
            Key_CertSign
            Crl_Sign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
                            ..<.
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.174 UTC|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.174 UTC|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01|main|2022-10-29 22:33:59.175 UTC|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|ERROR|01|main|2022-10-29 22:33:59.179 UTC|TransportContext.java:345|Fatal (CERTIFICATE_UNKNOWN): PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status
  	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
  	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:263)
  	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
  	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
  	at java.base/java.security.AccessController.doPrivileged(Native Method)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
  	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.handshake(SslFactory.java:453)
  	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.validate(SslFactory.java:394)
  	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.validate(SslFactory.java:371)
  	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:100)
  	at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:73)
  	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
  	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
  	at kafka.network.Processor.<init>(SocketServer.scala:1008)
  	at kafka.network.Acceptor.newProcessor(SocketServer.scala:921)
  	at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:894)
  	at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
  	at kafka.network.Acceptor.addProcessors(SocketServer.scala:893)
  	at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:600)
  	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:269)
  	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:261)
  	at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:563)
  	at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:561)
  	at scala.collection.AbstractIterable.foreach(Iterable.scala:926)
  	at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:261)
  	at kafka.network.SocketServer.startup(SocketServer.scala:135)
  	at kafka.server.KafkaServer.startup(KafkaServer.scala:309)
  	at kafka.Kafka$.main(Kafka.scala:109)
  	at kafka.Kafka.main(Kafka.scala)
  Caused by: java.security.cert.CertPathValidatorException: Could not determine revocation status
  	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
  	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
  	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
  	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
  	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
  	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
  	... 37 more
  Caused by: java.security.cert.CertPathValidatorException: Could not determine revocation status
  	at java.base/sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1111)
  	at java.base/sun.security.provider.certpath.RevocationChecker.verifyWithSeparateSigningKey(RevocationChecker.java:931)
  	at java.base/sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:604)
  	at java.base/sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:464)
  	at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:366)
  	at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:336)
  	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
  	... 42 more}

[jason0598647]

Or is there an option to disable TLS inside the cluster altogether? And just enable TLS for the external listener? My inter node communication is all on a private network anyway

[scholzj]

Or is there an option to disable TLS inside the cluster altogether? And just enable TLS for the external listener? My inter node communication is all on a private network anyway

No, that is currently not possible. But if you think that you don't need TLS for the internal communication at all, why do you both with OSCP for the same?

Or as a separate option, maybe I could customize the script that generates the certificates and generate them on my CA instead? The operator script could generate a CSR and submit it to the EJBCA API in order to receive the signed cert.
Are the cert generation scripts all here: https://github.com/strimzi/strimzi-kafka-operator/tree/main/docker-images/kafka-based/kafka/scripts ?

There is no script generating certificates. It is part of the operator code. There is a work in progress proposal to make it more pluggable and configurable. But if you read it, it is not completely trivial to handle this.

You mentioned that it's possible but not documented? Are you able to provide more info on this as I have no other choice but to generate the certificates in the cluster using my CA as Kakfa does not directly support OSCP, it must be configured directly in Java and therefore will apply to all TLS communications.

Well, it is maybe possible and it really depends a lot on what your expectations are.

• The server certificates are stored in Secrets. The documented and working way is that you prepare the secret with the CA to use your own CA and Strimzi generates the certificates. In general, you can prepare all the secrets with the server certificates as well. But it is more complicated as you need to make sure they have the proper common names, SANs etc. to make this work.
• Setting it up should be still the easy part as you can copy the CNs and the SANs from an existing cluster using the Strimzi CA. But the next issue would be a renewal where you need to roll out the new certificates and CAs which is not simple today manually. You would probably need to roll the pods manually etc.

[jason0598647]

“But if you think that you don't need TLS for the internal communication at all, why do you both with OSCP for the same?” Like I said, Kafka does not support OCSP, so it must be enabled at the Java level. Therefore I cannot distinguish between external and internal TLS. If I could turn off internal TLS, then my problem is solved. I cannot turn off OCSP for internal traffic though if I need it for external. It’s either all or all off.

…

On Sun, Oct 30, 2022 at 5:53 AM Jakub Scholz ***@***.***> wrote: Or is there an option to disable TLS inside the cluster altogether? And just enable TLS for the external listener? My inter node communication is all on a private network anyway No, that is currently not possible. But if you think that you don't need TLS for the internal communication at all, why do you both with OSCP for the same? Or as a separate option, maybe I could customize the script that generates the certificates and generate them on my CA instead? The operator script could generate a CSR and submit it to the EJBCA API in order to receive the signed cert. Are the cert generation scripts all here: https://github.com/strimzi/strimzi-kafka-operator/tree/main/docker-images/kafka-based/kafka/scripts ? There is no script generating certificates. It is part of the operator code. There is a work in progress proposal <strimzi/proposals#46> to make it more pluggable and configurable. But if you read it, it is not completely trivial to handle this. You mentioned that it's possible but not documented? Are you able to provide more info on this as I have no other choice but to generate the certificates in the cluster using my CA as Kakfa does not directly support OSCP, it must be configured directly in Java and therefore will apply to all TLS communications. Well, it is *maybe* possible and it really depends a lot on what your expectations are. - The server certificates are stored in Secrets. The documented and working way is that you prepare the secret with the CA to use your own CA and Strimzi generates the certificates. In general, you can prepare all the secrets with the server certificates as well. But it is more complicated as you need to make sure they have the proper common names, SANs etc. to make this work. - Setting it up should be still the easy part as you can copy the CNs and the SANs from an existing cluster using the Strimzi CA. But the next issue would be a renewal where you need to roll out the new certificates and CAs which is not simple today manually. You would probably need to roll the pods manually etc. — Reply to this email directly, view it on GitHub <#7539 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABDTDHTVDO5HAVLYHDFHUIDWFZOTRANCNFSM6AAAAAARQWPV5Q> . You are receiving this because you authored the thread.Message ID: <strimzi/strimzi-kafka-operator/repo-discussions/7539/comments/4011945@ github.com>

[scholzj]

Like I said, Kafka does not support OCSP, so it must be enabled at the Java
level. Therefore I cannot distinguish between external and internal TLS. If
I could turn off internal TLS, then my problem is solved. I cannot turn off
OCSP for internal traffic though if I need it for external. It’s either all
or all off.

Maybe I misunderstand what do you mean. But there is no internal or external TLS. The TLS is always done by Kafka using Java libraries for it. Do you mean with internal and external TLS the TLS on internal and external Kafka listeners? I.e. within the Kube cluster and outside the Kube cluster? Or what do you mean with it?

[jason0598647]

Yeh exactly, when I say internal TLS I mean within the cluster. When I say external I mean to my clients at the edge connecting over the internet. I only need TLS on the external listener where the edge clients connect.

…

On Sun, Oct 30, 2022 at 8:51 AM Jakub Scholz ***@***.***> wrote: Like I said, Kafka does not support OCSP, so it must be enabled at the Java level. Therefore I cannot distinguish between external and internal TLS. If I could turn off internal TLS, then my problem is solved. I cannot turn off OCSP for internal traffic though if I need it for external. It’s either all or all off. Maybe I misunderstand what do you mean. But there is no internal or external TLS. The TLS is always done by Kafka using Java libraries for it. Do you mean with *internal* and *external* TLS the TLS on internal and external Kafka listeners? I.e. within the Kube cluster and outside the Kube cluster? Or what do you mean with it? — Reply to this email directly, view it on GitHub <#7539 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABDTDHR2SHIMPDOJA6XTJ23WF2DOZANCNFSM6AAAAAARQWPV5Q> . You are receiving this because you authored the thread.Message ID: <strimzi/strimzi-kafka-operator/repo-discussions/7539/comments/4012655@ github.com>

[scholzj]

So, there are 3 different parts:

1. Internal as in really internal => includes the replication and other communication between the Kafka nodes, ZooKeeper communication, communication between Zoo and Kafka etc. This is always TLS. This is the most complicated part as you have multiple layers (Zoo + Kafka + operators) which you need to link and secure which makes the roll out and things such as renewals hard. This is also where particular CNs or SANs are needed most as not having them breaks your cluster.
2. Internal communication as in the type: internal listeners -> this means communication between clients running in the same Kube cluster and the Kafka brokers. Here, you can enable or disable TLS according to your needs.
3. External communication meaning the listeners which expose the Kafka cluster outside of your Kube cluster. Here, it depends on the exact type. Routes and Ingress requires TLS encryption to be enabled because of internal Route and Ingress workings. For node ports or load balancers, you can enable or disable TLS as you want.

Now, for 1), the Strimzi CA is used and normally, Strimzi uses it to issue the server certificates. For 2+3), by default the Strimzi CA and certificates issues by it are what is used (if you enabled the TLS encryption in the first place). But you can configure your own listener certificate. Which is just a server certificate which is used for given particular listener. You issue it whatever way you want - so you can configure your own rules for it.

Not sure if this helps in your particular use-case. But these are the different levels of TLS in Strimzi. The custom Cluster CA is not always what users want or what they can customize. But often there are happy with the custom listener certs which are easier to configure and simply leave the 1) part to Strimzi.

---

The Clients CA stands on a side of these -> this is what is used for TLS client authentication / mTLS and is completely separate from the server certificates described above.

[jason0598647]

Yeh no worries. The problem for me is that only certificates signed by my external CA can be used due to the OCSP requirement. Looks like I’ll need to build the cluster manually without the operator. Thanks anyway. Cheers

…

On Sun, Oct 30, 2022 at 11:40 AM Jakub Scholz ***@***.***> wrote: So, there are 3 different parts: 1. Internal as in really internal => includes the replication and other communication between the Kafka nodes, ZooKeeper communication, communication between Zoo and Kafka etc. This is always TLS. This is the most complicated part as you have multiple layers (Zoo + Kafka + operators) which you need to link and secure which makes the roll out and things such as renewals hard. This is also where particular CNs or SANs are needed most as not having them breaks your cluster. 2. Internal communication as in the type: internal listeners -> this means communication between clients running in the same Kube cluster and the Kafka brokers. Here, you can enable or disable TLS according to your needs. 3. External communication meaning the listeners which expose the Kafka cluster outside of your Kube cluster. Here, it depends on the exact type. Routes and Ingress requires TLS encryption to be enabled because of internal Route and Ingress workings. For node ports or load balancers, you can enable or disable TLS as you want. Now, for 1), the Strimzi CA is used and normally, Strimzi uses it to issue the server certificates. For 2+3), by default the Strimzi CA and certificates issues by it are what is used (if you enabled the TLS encryption in the first place). But you can configure your own *listener certificate*. Which is just a server certificate which is used for given particular listener. You issue it whatever way you want - so you can configure your own rules for it. Not sure if this helps in your particular use-case. But these are the different levels of TLS in Strimzi. The custom Cluster CA is not always what users want or what they can customize. But often there are happy with the custom listener certs which are easier to configure and simply leave the 1) part to Strimzi. ------------------------------ The Clients CA stands on a side of these -> this is what is used for TLS client authentication / mTLS and is completely separate from the server certificates described above. — Reply to this email directly, view it on GitHub <#7539 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABDTDHXH3VMN2YOCAN3VH4TWF2XJDANCNFSM6AAAAAARQWPV5Q> . You are receiving this because you authored the thread.Message ID: <strimzi/strimzi-kafka-operator/repo-discussions/7539/comments/4013285@ github.com>