Unable to deploy Kafka cluster with own certificates

[Sai-Charan-Madhvaraj]

Hi Team,

We are trying to deploy kafka cluster with our own certificates but unable to.

Here are the steps doing

1. Created a CSR and Key file and got it signed certificate from organisation root CA.

2. Created a two secrets in kubernetes cluster.

        a. kubectl create secret generic $kafkaclustername-cluster-ca-cert --from-file=ca.crt=path-to-crt-file-procured-from-step1 --from-file=ca.p12=path-converted-from-cert-file-of-step1 --from-literal=ca.password=capassword.
         b. kubectl create secret generic $kafkaclustername-cluster-ca --from-file=ca.key=path-to-key-generated-instep1.    
   

3. kubectl label secret $kafkaclustername-cluster-ca-cert strimzi.io/kind=Kafka strimzi.io/cluster=$kafkaclustername

4. kubectl label secret $kafkaclustername-cluster-ca strimzi.io/kind=Kafka strimzi.io/cluster=$kafkaclustername

Next in Kafka CR file , we made below changes.

   clusterCa:
     renewalDays: 30
     validityDays: 365
     generateCertificateAuthority: false
     generateSecretOwnerReference: false

Once the cluster is deployed, seeing below error in the zookeeper pods.

Detected Zookeeper ID 1
Preparing truststore
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/zookeeper/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore is complete
Looking for the right CA
No CA found. Thus exiting.

Next we tried updating the ca.crt in the cluster-ca-cert to just Root CA cert of organization and tried to deploy but resulted in same error.
Also we dont have the Private key of intermediate or root certificates.

[scholzj]

I guess you should check the docs and make sure you are following them properly. I do not see anywhere that you create the secret with the key. You should also double-check that the certificate you use as a CA is actually allowed to be used as a CA which is another common issue.

[Sai-Charan-Madhvaraj]

Yeah, its a copy paste error..but the secret with key is being created.

[Sai-Charan-Madhvaraj]

@scholzj can we use our own certificate , i see according to docs only they asked to use the KEY and certificate of CA.

[scholzj]

You can use your own certificate. But it is a CA, so it needs to be a CA certificate and not a regular server certificate.

[Sai-Charan-Madhvaraj]

Since we dont have the private key of the root or intermediate certificates, i think our signed certificate wont work here i feel.

Any other options available here to use our own certs instead if strimzi signed. ?

[scholzj]

Well, if you do not have a CA, then you cannot use your own CA. But you can check out the listener certificate. You can use them to use your own server certificate on a specific listener instead of using it to secure the whole cluster which is multi-tier application and needs the CA.