Using custom certitifcate as User Certificate

[rajjaiswalsaumya]

Hi, i am trying to make strimzi Kafka use my CSR-created certificate as the client wants their certificate to use used for their use instead of one created by Strimzi. In our case, we have 3 products that want the same behavior for security reasons they do not want to share private key of theirs and want strimzi to use their cert. I initially thought that I will ask the Strimzi operator to create certs, pause reconciliation, sign the CSR with Strimzi-provided CA, and recreate the user secret, using this new Certificate.
The moment, I tried this and enabled reconciliation for the custom resource KafkaUser, we see that the secret was automatically modified by Strimzi and the key was added to the secret. I dont want to stop using KafkaUser CRD, as otherwise, i will have to manage ACL on my own.
Is there a better way to use a custom user cert with Strimzi?
PS: I am not trying to change CA, which is mentioned all across in Strimzi docs to use custom CA.

[scholzj]

If you want to manage your own TLS certificates for TLS client authentication, you can use the type: tls-external authentication. In such case, you have to generate a certificate signed by the Clients CA on your own (typically, this is used with a custom Clients CA since it makes not much sense to use it with the Strimzi Clients CA). The User OPerator will only manage your ACLs and Quotas.

[scholzj]

TBH, the steps you described make absolutely zero sense. What exactly are you trying to achieve with them? Why don't you simply stick with the first cluster and the user after the first step? You also need to be more specific -> what secret is deleted, how did you created it etc. You should share the exact commands and the exact YAMLs. If you don't make it clear:

• What exactly are you trying to do
• And how are you doing it

It is really hard to help.

[rajjaiswalsaumya]

I gave you steps with this in mind you have read above messages in the thread. Looks like you are just replying without reading the thread completely.

I have already told what i am trying to do and which secrets are getting deleted. Could you try rereading the thread before replying?

Your reply is purely meaningless as thread is about having custom user cert which strimzi is deleting.

[scholzj]

Which reply contains the actual steps? As in the specific commands and YAMLs you used?

[scholzj]

Also, which reply contains the explanation of what are you trying to do? You started with questions about using custom certificate. Now it seems you are just copying Strimzi certificates around for unclear reasons.

[rajjaiswalsaumya]

I have described i want to use custom user cert. For which i need to create a custom client ca and user cert. The step to get a cert using openssl manually or get it created by strimzi is equivalent to get a cert.

I deployed a cluster, where i asked strimzi to create a user cert and and client ca for me. I copied those secrets as yamls. Then i removed that cluster and redeployed without certs managed by strimzi instead i used old secrets that I copied earlier to have a client ca and created my user cert secret. This user cert secret is getting deleted by strimzi after a new reconciliation cycle. Just for clarity, new cluster uses tls-external for user as you pointed above

I didnot share yamls as that is part of user operator already. I just need to create a user cert.

So exact steps for you to reproduce is:

Create a cluster and try to create a custom user secret using a custom client ca and wait for reconciliation cycle to run and see if user secrets remains or gets deleted.