Channel encryption (TLS)

Learn how to configure channel encryption (TLS) for Kafka clusters. You have multiple options for configuring TLS: use auto-generated, self-signed certificates; use custom, externally issued certificates; or use an external certificate authority (CA) certificate and have the broker certificates generated automatically by the Strimzi Cluster Operator.

Using auto-generated self-signed certificates

When the tls property is set to true on one of the Kafka listeners, the Strimzi Cluster Operator creates self-signed certificates. In this case, the Strimzi Cluster Operator automatically sets up and renews certificates.

You can add a TLS-enabled listener by configuring spec.kafka.listeners in your Kafka resource.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true

Using external certificates

It is possible to pass externally issued certificates to the Strimzi Cluster Operator as secrets; however, there is no way to request new certificates automatically, so they have to be prepared ahead of time.

The spec.kafka.listeners[n].configuration.brokerCertChainAndKey.secretName property specifies the secret containing the broker certificate chain and key.

#...
kind: Kafka
spec:
  clusterCa:
    generateCertificateAuthority: false
  clientsCa:
    generateCertificateAuthority: false
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        configuration:
          brokerCertChainAndKey:
            secretName: cluster-cert
            certificate: tls.crt
            key: tls.key

When using externally created certificates, the spec.clusterCa.generateCertificateAuthority and spec.clientsCa.generateCertificateAuthority properties have to be set to false to avoid generating self-signed CAs.

The Strimzi Cluster Operator expects the CA certificates to be in specific Kubernetes secrets with a specific structure. For a cluster named my-cluster, the following commands create those secrets for the Strimzi Cluster Operator when the CA is provided externally.

kubectl create secret generic my-cluster-cluster-ca-cert -n kafka \
  --from-file="ca.p12" \
  --from-file="ca.crt" \
  --from-file="ca.password"
kubectl create secret generic my-cluster-clients-ca-cert -n kafka \
  --from-file="ca.p12" \
  --from-file="ca.crt" \
  --from-file="ca.password"
kubectl create secret generic my-cluster-cluster-ca -n kafka \
  --from-file="ca.key"
kubectl create secret generic my-cluster-clients-ca -n kafka \
  --from-file="ca.key"
kubectl label secret my-cluster-cluster-ca-cert -n kafka \
  "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-clients-ca-cert -n kafka \
  "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-cluster-ca -n kafka \
  "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"
kubectl label secret my-cluster-clients-ca -n kafka \
  "strimzi.io/kind=Kafka" "strimzi.io/cluster=my-cluster"

It is also possible to create only the CA and let the Strimzi Cluster Operator use it to provision certificates. In that case, skip the broker and client certificate creation and do not specify the brokerCertChainAndKey field on the listeners.
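The secrets above are easy to get subtly wrong (a missing data key or label means the operator cannot find the CA). The following pre-flight check is an added example, not Strimzi code: it takes the Kafka spec.clusterCa/spec.clientsCa settings and the items list from kubectl get secrets -o json (both constructed inline here) and reports which expected secrets, data keys or labels are missing for a given cluster name.

```python
import json

# Data keys each CA secret must carry, keyed by secret-name suffix (from the page).
EXPECTED_KEYS = {
    "cluster-ca-cert": {"ca.crt", "ca.p12", "ca.password"},
    "clients-ca-cert": {"ca.crt", "ca.p12", "ca.password"},
    "cluster-ca": {"ca.key"},
    "clients-ca": {"ca.key"},
}

def required_secrets(kafka_spec):
    """Suffixes of the secrets needed; generateCertificateAuthority defaults to true."""
    wanted = []
    if kafka_spec.get("clusterCa", {}).get("generateCertificateAuthority", True) is False:
        wanted += ["cluster-ca-cert", "cluster-ca"]
    if kafka_spec.get("clientsCa", {}).get("generateCertificateAuthority", True) is False:
        wanted += ["clients-ca-cert", "clients-ca"]
    return wanted

def check_ca_secrets(cluster, kafka_spec, secret_items):
    """Return a list of findings; an empty list means the CA secrets look usable."""
    findings = []
    by_name = {s["metadata"]["name"]: s for s in secret_items}
    for suffix in required_secrets(kafka_spec):
        name = f"{cluster}-{suffix}"
        secret = by_name.get(name)
        if secret is None:
            findings.append(f"{name}: secret not found")
            continue
        missing = EXPECTED_KEYS[suffix] - set(secret.get("data", {}))
        if missing:
            findings.append(f"{name}: missing data keys {sorted(missing)}")
        labels = secret["metadata"].get("labels", {})
        for key, value in (("strimzi.io/kind", "Kafka"), ("strimzi.io/cluster", cluster)):
            if labels.get(key) != value:
                findings.append(f"{name}: label {key} should be {value!r}, got {labels.get(key)!r}")
    return findings

# Constructed sample: the spec from this page plus two of the four secrets, with
# the clients-ca-cert secret lacking its strimzi.io/cluster label.
SAMPLE_SPEC = {"clusterCa": {"generateCertificateAuthority": False}, "clientsCa": {"generateCertificateAuthority": False}}
SAMPLE_SECRETS = json.loads("""[
 {"metadata": {"name": "my-cluster-cluster-ca-cert",
               "labels": {"strimzi.io/kind": "Kafka", "strimzi.io/cluster": "my-cluster"}},
  "data": {"ca.crt": "", "ca.p12": "", "ca.password": ""}},
 {"metadata": {"name": "my-cluster-clients-ca-cert",
               "labels": {"strimzi.io/kind": "Kafka"}},
  "data": {"ca.crt": "", "ca.p12": "", "ca.password": ""}}
]""")
```

Against the sample this reports the two missing ca.key secrets and the missing cluster label; against a real cluster, feed it the items from kubectl get secrets -n kafka -o json.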