Configuring mTLS authentication

Learn how to enable mTLS authentication on broker listeners with or without an external certificate.

To enable mTLS authentication on any of the broker listeners, set the spec.kafka.listeners[n].authentication.type property to tls.

#...
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls

To use mTLS authentication with an external certificate, set the spec.authentication.type property in the KafkaUser resource to tls-external. With this type, a secret and credentials are not created for the user:

#...
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls-external
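
The following audit script is an added example, not part of the original documentation or the operator's own tooling. It checks the two settings described above against JSON shaped like the output of `kubectl get kafka,kafkauser -o json`. The sample input is constructed, and the function names `mtls_listeners` and `audit` are hypothetical.

```python
import json
# Constructed sample shaped like `kubectl get kafka,kafkauser -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Kafka", "metadata": {"name": "my-cluster"},
  "spec": {"kafka": {"listeners": [
   {"name": "tls", "port": 9093, "type": "internal", "tls": true,
    "authentication": {"type": "tls"}},
   {"name": "plain", "port": 9092, "tls": false, "authentication": {"type": "tls"}}]}}},
 {"kind": "KafkaUser",
  "metadata": {"name": "my-user", "labels": {"strimzi.io/cluster": "my-cluster"}},
  "spec": {"authentication": {"type": "tls-external"}}},
 {"kind": "KafkaUser",
  "metadata": {"name": "orphan", "labels": {"strimzi.io/cluster": "other"}},
  "spec": {"authentication": {"type": "tls"}}}
]}
""")

def mtls_listeners(kafka):
    """Names of listeners with TLS enabled and authentication.type tls."""
    return [l["name"] for l in kafka["spec"]["kafka"].get("listeners", [])
            if l.get("tls") is True
            and l.get("authentication", {}).get("type") == "tls"]

def audit(doc):
    """Return (severity, message) findings for mTLS-related settings."""
    findings, clusters = [], {}
    items = doc.get("items", [doc])  # accept a List or a single resource
    for k in (i for i in items if i["kind"] == "Kafka"):
        clusters[k["metadata"]["name"]] = mtls_listeners(k)
        for l in k["spec"]["kafka"].get("listeners", []):
            auth = l.get("authentication", {}).get("type")
            if auth == "tls" and l.get("tls") is not True:
                findings.append(("error", f"{k['metadata']['name']}/{l['name']}: "
                                 "authentication.type tls without tls: true"))
    for u in (i for i in items if i["kind"] == "KafkaUser"):
        name = u["metadata"]["name"]
        auth = u["spec"].get("authentication", {}).get("type")
        cluster = u["metadata"].get("labels", {}).get("strimzi.io/cluster")
        if auth in ("tls", "tls-external") and not clusters.get(cluster):
            findings.append(("error", f"{name}: no mTLS listener on cluster {cluster!r}"))
        elif auth == "tls-external":
            findings.append(("info", f"{name}: tls-external, no secret is created; "
                             "client certificate must be supplied externally"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity}: {message}")
```
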