Re-use certificates and authentication method from old kafka setup #9040
I think you have to split this into two parts. You will certainly be unable to reuse the server certificates. Strimzi would need its own certificates with the right subjects and also the SANs, which need to correspond to the DNS names used by Strimzi. However, if you have some CA that signed them, you might be able to reuse that as a custom Cluster CA. Strimzi will use it to issue new server certificates and use them. And on the client side, in the truststore, you would normally have the CA, which will be the same, and therefore it might have no impact on the clients.

For the user certificates for the client authentication in the keystores, you might again be able to use the CA which you used to issue them as the custom Clients CA. In that case, the certificates would keep working. But depending on what subjects the user certificates use, you might not be able to use the User Operator in your Strimzi cluster (it can be easily disabled and you can then manage things such as ACLs yourself).

So, to sum it up, you cannot reuse all the certificates, but if you use some CA that can be reused, the impact on the clients might be minimal. But a lot depends on the various details.
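A check that could be run before installing the old CA as the custom Clients CA described in the reply above (an added example, not code from the thread or from the Strimzi project): it verifies that a client certificate chains to that CA and shows the principal Kafka derives from its subject. The CA and client certificates are constructed in-process as stand-ins; Kafka's default subject-to-principal mapping and the rule that the User Operator only manages users whose subject is `CN=<name>` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkReuse: chain check for TLS client auth, Kafka principal, and (assumed User Operator rule) CN-only subject.
func checkReuse(ca, user *x509.Certificate) (principal string, cnOnly bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return "User:" + user.Subject.String(), len(user.Subject.Names) == 1 && user.Subject.CommonName != "", err
}

// issue signs a constructed test certificate; a nil parent yields a self-signed CA.
func issue(subj pkix.Name, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage, parent, pk = true, x509.KeyUsageCertSign, tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo runs the check on constructed stand-ins for the old CA and three client certificates.
func demo() (out string) {
	ca, caKey := issue(pkix.Name{CommonName: "legacy-kafka-ca"}, nil, nil)
	plain, _ := issue(pkix.Name{CommonName: "orders-app"}, ca, caKey)
	dn, _ := issue(pkix.Name{CommonName: "billing", Organization: []string{"Legacy"}}, ca, caKey)
	selfSigned, _ := issue(pkix.Name{CommonName: "orders-app"}, nil, nil) // not issued by the old CA
	for _, c := range []*x509.Certificate{plain, dn, selfSigned} {
		p, cnOnly, err := checkReuse(ca, c)
		out += fmt.Sprintf("%s cnOnly=%v trusted=%v\n", p, cnOnly, err == nil)
	}
	return out
}

func main() { fmt.Print(demo()) }
```

With real material, the inputs would be the CA certificate exported from the old truststore and each client certificate exported from its keystore, parsed with `x509.ParseCertificate`.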
We have an old Kafka cluster (2.5.12) which has not been well maintained, and we want to use the latest Kafka setup and to start using Strimzi. The migration part we can take care of using the MirrorMaker 2 configurations; that's all tested out.
But one of the conditions of this migration is to reuse the certificates from the old Kafka cluster, which is using the JKS configuration. I looked throughout the documentation and cannot seem to make sense of how to re-use that with Strimzi.
Following is the snippet of the old Kafka configuration:
And the client configuration is:
Just to note that the passwords used here are all different (mentioning this since I have seen somewhere that it is easier/mandatory to use a common password - not sure this is going to be an issue).
@scholzj Would so appreciate if you can take a look here :)) So much thanks in advance <3