Channel encryption (TLS)
Learn how to configure channel encryption (TLS) for Kafka clusters. You have three options: use the auto-generated self-signed certificates, use custom external certificates for the broker listeners, or supply only an external certificate authority (CA) certificate and key and let the Strimzi Cluster Operator generate the broker certificates from it.
Using auto-generated self-signed certificates
When the tls property is set to true on one of the Kafka listeners, the Strimzi Cluster Operator creates self-signed certificates: it generates its own self-signed cluster and clients CAs and signs the broker certificates with the cluster CA. In this case, the Strimzi Cluster Operator automatically sets up and renews the certificates, and clients only need to trust the cluster CA certificate.
You can add a TLS-enabled listener by configuring spec.kafka.listeners in your Kafka resource.
#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
Using external certificates
It is possible to pass externally issued certificates as secrets to the Strimzi Cluster Operator. However, there is no way to request new certificates automatically: they have to be prepared ahead of time, and renewing them before they expire (and updating the secret) is your responsibility. The certificate must list every host name the listener advertises (the bootstrap service and each broker) as a subject alternative name, or clients will reject it.
The spec.kafka.listeners[n].configuration.brokerCertChainAndKey.secretName property names the secret containing the broker certificate chain and private key; the certificate and key properties name the keys within that secret.
#...
kind: Kafka
spec:
  clusterCa:
    generateCertificateAuthority: false
  clientsCa:
    generateCertificateAuthority: false
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        configuration:
          brokerCertChainAndKey:
            secretName: cluster-cert
            certificate: tls.crt
            key: tls.key
When using externally created CAs, the spec.clusterCa.generateCertificateAuthority and spec.clientsCa.generateCertificateAuthority properties have to be set to false to stop the Strimzi Cluster Operator from generating self-signed CAs of its own. With generation disabled, the operator expects the CA certificates and keys to be in specific Kubernetes secrets with a specific structure, and the cluster will not start until those secrets exist. Note that a custom listener certificate supplied through brokerCertChainAndKey does not by itself require disabling CA generation; the operator-generated CAs continue to secure internal communication, so only set these properties to false when you really provide the CAs yourself.
For a cluster with name my-cluster in the kafka namespace, the following commands create those secrets for the Strimzi Cluster Operator when the CA is provided externally. They expect files named ca.crt, ca.p12, ca.password and ca.key in the current directory; with --from-file the file name becomes the secret key, and these are exactly the key names the operator looks for (use --from-file=ca.crt=path/to/file if your files are named differently).
# Public material of the cluster CA: PEM certificate, PKCS#12 truststore and its password
kubectl create secret generic my-cluster-cluster-ca-cert -n kafka \
    --from-file="ca.p12" \
    --from-file="ca.crt" \
    --from-file="ca.password"
# Public material of the clients CA
kubectl create secret generic my-cluster-clients-ca-cert -n kafka \
    --from-file="ca.p12" \
    --from-file="ca.crt" \
    --from-file="ca.password"
# Private keys of the two CAs (keep these secrets tightly controlled)
kubectl create secret generic my-cluster-cluster-ca -n kafka \
    --from-file="ca.key"
kubectl create secret generic my-cluster-clients-ca -n kafka \
    --from-file="ca.key"
# The operator only picks up secrets labelled with the kind and cluster name
kubectl label secret my-cluster-cluster-ca-cert -n kafka \
    "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-clients-ca-cert -n kafka \
    "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-cluster-ca -n kafka \
    "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-clients-ca -n kafka \
    "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
It is also possible to create only the CAs and let the Strimzi Cluster Operator use them to provision the broker and client certificates. In that case, create the four CA secrets as above, skip the broker and client certificate creation, and do not specify the brokerCertChainAndKey field on the listeners.