Marko Strukelj

Thank you for a thorough description of your problem. Actually, could you open another issue in Strimzi Operator since it's an issue that also concerns KafkaUser CR, and a possibly...

> We do not plan to support any custom usernames in the `KafkaUser` resource. Ok, we can still add it in strimzi-kafka-oauth and expose extra config in Kafka CR `oauth`...

> As I said, the User Operator is optional. It might not be able to cover all usecases, but users don't have to use it. So in that case the...

That's the approach I had in mind when I said: > Ok, we can still add it in strimzi-kafka-oauth and expose extra config in Kafka CR `oauth` authentication section. It...

NPE is always a bug, so that should be fixed. It also makes sense to allow for passwordless truststore. Thanks for reporting it. Feel free to submit a PR with...

Looks like the example is broken. The REPLICATION listener's truststore certificates issue. Probably the certificates have expired. I'll look at it to find a fix.

> [2021-03-24 17:08:22,559] WARN [Producer clientId=console-producer] Bootstrap broker kafka:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient) [2021-03-24 17:08:22,987] ERROR [Producer clientId=console-producer] Connection to node -1 (kafka/172.18.0.4:9092) failed authentication due to: Authentication...

> This refresh will target a specific realm right? So if it is using the demo realm JWKS endpoint to fetch the public keys, to check a key from a...

Maybe you can provide more of the stacktrace where this happens? It looks like a truststore issue. As if connection to REPLICATION listener fails due to untrusted certificate. It should...

I'm afraid we don't have specific instructions for PingFederate. Generally, in order to integrate with an OAuth 2 authorization server you need to configure a client for Kafka broker as...