
[Doc] Improve docs for setting up TLS clients

Open tombentley opened this issue 4 years ago • 4 comments

We already have a procedure for how to configure clients to trust the cluster CA https://strimzi.io/docs/0.14.0/#configuring-internal-clients-to-trust-cluster-ca-str but this doesn't completely address the typical user story where they have a KafkaUser for their app and need to create both keystores and truststores for it. So there's no single place in the docs for users to look when setting this stuff up.

We probably need two variants of this:

  1. One for within-Kube usage which describes how to set up their Pod to mount the secrets and provides a script that creates the stores that they can copy+paste which would be included in their image.
  2. One for usage in apps that are outside Kube which provides a script for creating the stores "by hand".

The difference is that the first one should be able to cope with certificate renewal simply via pod restart.

tombentley avatar Oct 10 '19 03:10 tombentley

Hello @tombentley. I think we might still have a gap. We currently have the following procedures:

We also have:

This could all move to a new client dev guide that's being investigated. But what else would you like to see in terms of documented procedures?

PaulRMellor avatar Dec 09 '21 09:12 PaulRMellor

Triaged on 18.8.2022: The keystore / truststore creation should not be needed anymore. The Kafka clients can use the PEM files directly + the secrets now have PKCS12 stores inside which can be used with Java. @PaulRMellor will double check with @tombentley if there is something else that should be done.

scholzj avatar Aug 18 '22 14:08 scholzj

@PaulRMellor it looks like we need to refresh the docs on this to cover the newer features that @scholzj mentioned. Specifically:

  1. 'Setting up access for clients outside of Kubernetes' seems like a poor choice of section title right now (since we're using it even for the in-cluster case).
  2. We should update the content to use PEM certs now that Kafka clients support them.
  3. For the in-cluster case we should have examples for Pod specs which mount the Secrets
  4. But in addition to 3 @katheris is working on the access operator which provides an alternative way of getting the stuff to client applications.

tombentley avatar Aug 25 '22 09:08 tombentley
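The two client configurations the thread converges on (PEM material taken straight from the Secrets, or the PKCS12 stores Strimzi already puts in them), as an added example that is not part of this issue and not Strimzi project code. It assumes the Secret layout Strimzi documents: the cluster CA Secret (`<cluster>-cluster-ca-cert`) carries `ca.crt`, `ca.p12` and `ca.password`, and a TLS KafkaUser's Secret carries `user.crt`, `user.key`, `user.p12` and `user.password`, with `.data` values base64-encoded as `kubectl get secret -o json` shows them. The Secret contents, the cluster name `my-cluster`, the bootstrap address and the mount paths `/etc/kafka/ca` and `/etc/kafka/user` are constructed for the example. Inline PEM in client properties needs Kafka 2.7+ (KIP-651).

```python
import base64


def _b64(text: str) -> str:
    """Encode a string the way Kubernetes stores Secret .data fields."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample Secrets, shaped like `kubectl get secret <name> -o json`.
# The PEM bodies are placeholders, not real certificates or keys.
CLUSTER_CA_SECRET = {
    "metadata": {"name": "my-cluster-cluster-ca-cert"},
    "data": {
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIBcaPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "ca.p12": _b64("<binary pkcs12 placeholder>"),
        "ca.password": _b64("cluster-ca-store-pw"),
    },
}
TLS_USER_SECRET = {
    "metadata": {"name": "my-app-user"},
    "data": {
        "ca.crt": CLUSTER_CA_SECRET["data"]["ca.crt"],
        "user.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIBusrPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "user.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIEvQKEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
        "user.p12": _b64("<binary pkcs12 placeholder>"),
        "user.password": _b64("user-store-pw"),
    },
}
# A KafkaUser with SCRAM-SHA-512 authentication gets no certificate at all,
# so building a TLS client config from its Secret must fail, not silently skip.
SCRAM_USER_SECRET = {
    "metadata": {"name": "my-scram-user"},
    "data": {"password": _b64("s3cret")},
}


def secret_field(secret: dict, key: str) -> str:
    """Decode one .data entry; fail loudly if the Secret is not the expected kind."""
    data = secret.get("data", {})
    if key not in data:
        name = secret.get("metadata", {}).get("name", "<unnamed>")
        raise KeyError(f"Secret {name} has no '{key}' entry; not a TLS user / cluster CA Secret?")
    return base64.b64decode(data[key]).decode()


def pem_client_properties(ca_secret: dict, user_secret: dict, bootstrap: str) -> dict:
    """Mutual-TLS client config that embeds the PEM material directly.

    No keytool/openssl step: the cluster CA is the truststore, the user
    certificate and key are the keystore. Works outside Kubernetes (decode the
    Secrets once) and inside (read them at startup from a mounted volume).
    """
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "SSL",
        "ssl.truststore.type": "PEM",
        "ssl.truststore.certificates": secret_field(ca_secret, "ca.crt"),
        "ssl.keystore.type": "PEM",
        "ssl.keystore.certificate.chain": secret_field(user_secret, "user.crt"),
        "ssl.keystore.key": secret_field(user_secret, "user.key"),
    }


def pkcs12_client_properties(ca_secret: dict, user_secret: dict, bootstrap: str,
                             ca_mount: str = "/etc/kafka/ca",
                             user_mount: str = "/etc/kafka/user") -> dict:
    """Client config pointing at the PKCS12 stores Strimzi already ships in the Secrets.

    Assumes the Pod mounts the two Secrets at ca_mount and user_mount; only the
    store passwords need decoding, the store files are used as mounted.
    """
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "SSL",
        "ssl.truststore.type": "PKCS12",
        "ssl.truststore.location": f"{ca_mount}/ca.p12",
        "ssl.truststore.password": secret_field(ca_secret, "ca.password"),
        "ssl.keystore.type": "PKCS12",
        "ssl.keystore.location": f"{user_mount}/user.p12",
        "ssl.keystore.password": secret_field(user_secret, "user.password"),
    }


def render_properties(props: dict) -> str:
    """Serialize as a Java properties file.

    Multi-line PEM values use the trailing-backslash continuation that
    java.util.Properties defines; the whitespace that leaves between the
    base64 lines is ignored by the PEM decoder.
    """
    lines = []
    for key, value in props.items():
        value = value.rstrip("\n").replace("\n", " \\\n")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bootstrap = "my-cluster-kafka-bootstrap:9093"
    print(render_properties(pem_client_properties(CLUSTER_CA_SECRET, TLS_USER_SECRET, bootstrap)))
    print(render_properties(pkcs12_client_properties(CLUSTER_CA_SECRET, TLS_USER_SECRET, bootstrap)))
```

Either configuration is read once when the client starts, so after the User Operator or Cluster Operator renews a certificate the Pod still has to be restarted, exactly the renewal-via-restart behaviour the issue asks the in-cluster variant to rely on. If a client rejects the inline PEM form, the same PEM files can be written to disk and referenced with `ssl.truststore.location` / `ssl.keystore.location` plus `ssl.*.type=PEM`, which KIP-651 also supports.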

Thanks @tombentley I'll look into the changes we need to make to the docs. @katheris - let me know if you have ideas on how the access operator should be positioned in the docs

PaulRMellor avatar Aug 26 '22 13:08 PaulRMellor