Basic TLS setup

[LDTips]

Hi, I am trying to do a basic Strimzi Kafka TLS setup on my local machine single node microk8s. The issue I see that compared to automatic strimzi generation of CA and keys is that there is ca.key created which I do not want to use in a normal environment.

So my question is if there is a possibility to just use the CA public key and user keys signed by that CA private key, without explicitly including the CA private key. The current configuration I use is based on the quickstart example:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaNodePool
metadata:
  name: dual-role
  labels:
    strimzi.io/cluster: my-cluster
spec:
  replicas: 1
  roles:
    - controller
    - broker
  storage:
    type: ephemeral

---
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    version: 3.7.0
    metadataVersion: 3.7-IV4
    authorization:
      type: simple
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        tls: true
        type: nodeport
        authentication:
          type: tls
        configuration:
          bootstrap:
            nodePort: 32100
          brokers:
          - broker: 0
            nodePort: 32000
          brokerCertChainAndKey:
            secretName: kafka-broker-cert
            certificate: broker.crt
            key: broker.key
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      default.replication.factor: 1
      min.insync.replicas: 1
  entityOperator:
    topicOperator: {}
    userOperator: {}

And the user

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls-external
  authorization:
    type: simple
    acls:
      # Example consumer Acls for topic my-topic using consumer group my-group
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operations:
          - Describe
          - Read
        host: "*"
      - resource:
          type: group
          name: my-group
          patternType: literal
        operations:
          - Read
        host: "*"
      # Example Producer Acls for topic my-topic
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operations:
          - Create
          - Describe
          - Write
        host: "*"

My understand of SSL and strimzi is still limited, so sorry for any incorrectness.
Also what is the difference between adding the TLS for the user mTLS auth vs adding the broker cert chain and key?

[scholzj]

I'm not sure what exactly is the question - I do not think it is clear from what you wrote. I would suggest to read the docs. Ot covers the Strimzi CA, bringing custom CAs, as well as using custom listener (server) certificates for a particular listener.

[LDTips]

Sorry, let me explain

A similar situation as in #1291
Meaning that:

Certificates must origin from a trusted CA
Certificate Key must not be stored in a secret
Vault/intermediate CA are currently not an option

The issue is that with the default Strimzi generated keys and CA, I can't setup this scenario because even when using generateCertificateAuthority: false for clusterCa and clientsCa and creating my-cluster-clients-ca-cert and my-cluster-broker-ca-cert secrets manually the cluster still has issues that I can't start it because there are no secrets that should be there. Which means probably the cluster has issues that there is no private key of the CA, which based on the assumptions from the referenced issue is not an option.

So the question is how using my ca.crt and multiple generated keys from the ca.key to setup mTLS for clients, without using ca.key anywhere other than externally? Should just setting the ca.crt in my-cluster-cluster-ca-cert and my-cluster-clients-ca-cert secrets and then setting the auth for the user to tls-external?

PS: Bringing custom CAs is currently under https://strimzi.io/docs/operators/latest/full/deploying.html#installing-your-own-ca-certificates-str and https://strimzi.io/docs/operators/latest/full/deploying.html#proc-replacing-your-own-private-keys-str ?

[scholzj]

It is important to distinguish between the Cluster CA and Clients CA:

• For Cluster CA, we need to generate the server certificates with a specific CNs and SANs. So in general, you always have to provide a private and public key for the operator to do that. Providing your own server certs is super hard because the CNs and SANs are environment and configuration specific. As an alternative, you can use the listener certificate I mentioned which is just a server certificates that will be used in your communication with the Kafka clients. But will not be used for the replication etc.
• For Clients CA, you can provide only a public key (you have to provide some dummy file as the private key) and then you can sign your certificates yourself and store them where ever you want. You still need to follow the subject for the user certificates, but for users it is much easier.

Both CAs are passed as Kubernetes Secrets.

[LDTips]

Okay so if I understand correctly - cluster certificates are pretty much untouchable unless I can generate the specific CNs and SANs, so in that case it's better to leave it alone with self-generated.

But for the client, mm I thinking correctly that the steps are:

• Set generateCertificateAuthority: false for the clusterCa, but true for clientCa
• Add dummy private key in the my-cluster-clients-ca secret and then add the public in my-cluster-clients-ca-cert
• For the user secret add the ca.crt, user.crt and user.key
  ?

[scholzj]

• Set generateCertificateAuthority: false for the clusterCa, but true for clientCa

If you want to use it for clients, than you don't want to generate the clientsCa => so it is the other way around?

• For the user secret add the ca.crt, user.crt and user.key

Actually, it is the CA public key that establishes the trust. So you do not need to provide the user certs in any form. As long as they are signed by the Clients CA (the public key you provide), the will be able to connect (but if you provide only the public key, you have to use the type: tls-external in the KafkaUSer resources and generate the keys on your own obviously).

[LDTips]

Alright I think you explained my case, thanks you very much for the help and explanations.

I think I was confused by the presence of the ca.key files and how that related to using external CA without including the private CA key.

[LDTips]

@scholzj sorry for bumping but can you please explain how does CertAndKeySecretSource work exactly for brokers? If I want a broker to only have a specific public cert to present upon establishing a TLS connection, why is there some private key needed? Do I set it to some dummy private key as well or am I misunderstanding things?

[scholzj]

You probably need to provide some more context? I'm not sure what do you mean with CertAndKeySecretSource and brokers.

[LDTips]

Nevermind, I think it was just my misunderstanding of TLS encryption vs mutual TLS authentication. TLS keys for the broker connection and TLS keys to authenticate as a user are different things. When I reread my question again I realised my question was invalid