Standalone User Operator authentication options

[pablofontanilla]

Hello!

We're very excited to use Strimzi clusters in production (currently only dev and stage), but our organization is not mature enough to administer critical Kafka clusters yet. Meanwhile we're using Confluent Cloud as the production cluster, but we'd like to keep using Strimzi as much as we can so our resources are defined in code, so we're looking at the standalone user and topic operators.

We're already using the topic operator as it can connect to the Confluent Cloud cluster via user/password, but after a few hours of looking at the documentation and code I have determined that for the user operator mTLS authentication is the only option. Am I right in thinking this? User/password authentication would need additional code, right?

Cheers,

Pablo

[scholzj]

I think you should be able to connect using username and password with User Operator as well because there were users needing it in the past who added support for things like that. But it is not used within Strimzi itself. So I'm afraid I cannot give you any detailed guide. I guess if nothing else, the STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION should allow you to configure some parts of the Admin client directly. You just need to make sure to not activate mTLS with the other options.

[pablofontanilla]

Thanks for the very quick answer! That's exactly what they seem to be doing here, I'll try it.
Would a PR to update the documentation and add this detail be something desirable?

[pablofontanilla]

For someone who might find this answer in the future, this is the reference for the properties of the admin client:
https://docs.confluent.io/platform/current/installation/configuration/admin-configs.html

And they are used in env variable STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION as scholzj says, (19 here) https://strimzi.io/docs/operators/0.36.1/deploying.html#deploying-the-user-operator-standalone-str

[scholzj]

I'm not sure to be honest. I think before documenting it, it would make sense to make it work a bit more reasonable -> for example for not force the users to set some dummy names for certificate secrets etc. So maybe that is what you can look into if you want to contribute something (or maybe at least open an issue for it so that someone can look into it).

[pablofontanilla]

Makes sense, that would've been my proposal if the Admin client configuration had not been an option. I'll try to convince my company to give some hours to this, as we are really happy with Strimzi. Worst case scenario, I'll create the issue like you propose.
Thanks for all the help!

[scholzj]

I think using the Admin client configuration alone would be fine. But the things with the secrets wich need to be configured etc. should be addressed before documenting it:

[pablofontanilla]

Not an answer, but a comment for future viewers. Standalone user operator does NOT work with Confluent Cloud (but it's Confluent's fault ;)).
Yes, you can configure authentication as above, but you will not be able to provision users because it doesn't let you create users the Kafka way, only through the Web UI. Also, no access to quotas anyway