Configuring mTLS authentication

To enable mTLS authentication on any of the broker listeners, set the spec.kafka.listeners[n].authentication.type property to tls.

#...
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls

To use mTLS authentication with an external certificate, set the authentication type field in the KafkaUser resource to tls-external. A secret and credentials are not created for the user:

#...
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls-external
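
The following pre-deployment check is an added example, not part of the original page or of Strimzi's own code. It assumes the manifests have already been parsed into dicts, and the names lint and _auth_type are hypothetical. It verifies that every KafkaUser relying on mTLS points at a cluster with a listener that has both tls: true and authentication type tls:

```python
# Added example: manifests are plain dicts, as yaml.safe_load() would return.
MTLS_USER_TYPES = {"tls", "tls-external"}  # KafkaUser types that rely on mTLS


def _auth_type(obj):
    """authentication.type of a listener or a KafkaUser spec, or None."""
    return (obj.get("authentication") or {}).get("type")


def lint(kafkas, users):
    """Return findings as strings; an empty list means the manifests agree."""
    findings, mtls = [], {}  # mtls: cluster name -> listeners accepting mTLS
    for k in kafkas:
        cluster = k["metadata"]["name"]
        mtls[cluster] = []
        for lst in k["spec"]["kafka"].get("listeners", []):
            if _auth_type(lst) != "tls":
                continue
            if lst.get("tls") is True:
                mtls[cluster].append(lst["name"])
            else:  # client certificates are presented in the TLS handshake
                findings.append(f"{cluster}/{lst['name']}: authentication "
                                "type tls requires tls: true")
    for u in users:
        if _auth_type(u["spec"]) not in MTLS_USER_TYPES:
            continue
        name = u["metadata"]["name"]
        cluster = u["metadata"].get("labels", {}).get("strimzi.io/cluster")
        if cluster not in mtls:
            findings.append(f"{name}: no Kafka resource named {cluster!r}")
        elif not mtls[cluster]:
            findings.append(f"{name}: cluster {cluster} has no mTLS listener")
    return findings


# Constructed manifests mirroring the two resources shown above.
KAFKA = {"kind": "Kafka", "metadata": {"name": "my-cluster"}, "spec": {"kafka": {
    "listeners": [{"name": "tls", "port": 9093, "type": "internal",
                   "tls": True, "authentication": {"type": "tls"}}]}}}
USER = {"kind": "KafkaUser",
        "metadata": {"name": "my-user",
                     "labels": {"strimzi.io/cluster": "my-cluster"}},
        "spec": {"authentication": {"type": "tls-external"}}}

if __name__ == "__main__":
    print(lint([KAFKA], [USER]) or "consistent")
```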