strimzi-kafka-operator
[Doc] Improve docs for setting up TLS clients
We already have a procedure for how to configure clients to trust the cluster CA https://strimzi.io/docs/0.14.0/#configuring-internal-clients-to-trust-cluster-ca-str but this doesn't completely address the typical user story where they have a KafkaUser for their app and need to create both keystores and truststores for it. So there's no single place in the docs for users to look when setting this stuff up.
We probably need two variants of this:
- One for within-Kube usage which describes how to set up their Pod to mount the secrets and provides a script that creates the stores that they can copy+paste which would be included in their image.
- One for usage in apps that are outside Kube which provides a script for creating the stores "by hand".
The difference is that the first one should be able to cope with certificate renewal simply via pod restart.
Hello @tombentley. I think we might still have a gap. We currently have the following procedures:
- Securing access to Kafka brokers which has steps to secure brokers and clients. This references the next procedure...
- Setting up access for clients outside of Kubernetes which has steps to add truststore and keystore config to KafkaUser
We also have:
This could all move to a new client dev guide that's being investigated. But what else would you like to see in terms of documented procedures?
Triaged on 18.8.2022: The keystore / truststore creation should not be needed anymore. The Kafka clients can use the PEM files directly + the secrets now have PKCS12 stores inside which can be used with Java. @PaulRMellor will double check with @tombentley if there is something else that should be done.
@PaulRMellor it looks like we need to refresh the docs on this to cover the newer features that @scholzj mentioned. Specifically:
- 'Setting up access for clients outside of Kubernetes' seems like a poor choice of section title right now (since we're using it even for the in-cluster case).
- We should update the content to use PEM certs now that Kafka clients support them.
- For the in-cluster case we should have examples for Pod specs which mount the Secrets
- But in addition to 3 @katheris is working on the access operator which provides an alternative way of getting the stuff to client applications.
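The in-cluster approach discussed in this thread (Secrets mounted into the Pod, PEM files used directly with no keytool step, renewal picked up by a Pod restart), as an added shell example that is not from the Strimzi project or this issue. The mount paths, the bootstrap address, the Secret names in the comments and the PKCS#8 key check are assumptions; the file names ca.crt, user.crt and user.key are the keys Strimzi writes into the cluster CA and KafkaUser Secrets.

```shell
#!/bin/sh
# Added example (not Strimzi's own code): entrypoint-style script for a client
# Pod. It reads the PEM files from the mounted cluster CA Secret (ca.crt) and
# KafkaUser Secret (user.crt, user.key) and writes a client.properties that
# uses them directly. It runs on every container start, so a Pod restart
# after certificate renewal regenerates the config from the renewed files.
set -eu

# Assumed mount points and bootstrap address (override via environment).
CA_DIR="${CA_DIR:-/etc/kafka/cluster-ca}"      # Secret <cluster>-cluster-ca-cert
USER_DIR="${USER_DIR:-/etc/kafka/user}"         # Secret named after the KafkaUser
OUT_DIR="${OUT_DIR:-/tmp/kafka}"
BOOTSTRAP="${BOOTSTRAP:-my-cluster-kafka-bootstrap:9093}"

# Build the single-file PEM keystore Kafka expects (private key followed by
# the certificate chain) and write client.properties pointing at it and at
# the CA certificate. Prints the path of the generated properties file.
write_client_config() {
  mkdir -p "$OUT_DIR"
  for f in "$CA_DIR/ca.crt" "$USER_DIR/user.key" "$USER_DIR/user.crt"; do
    [ -s "$f" ] || { echo "missing or empty $f" >&2; return 1; }
  done
  # Kafka's PEM reader accepts PKCS#8 keys ("BEGIN PRIVATE KEY"), not PKCS#1.
  grep -q 'BEGIN PRIVATE KEY' "$USER_DIR/user.key" \
    || { echo "user.key is not an unencrypted PKCS#8 PEM key" >&2; return 1; }
  umask 077   # generated files hold the private key: owner-only access
  cat "$USER_DIR/user.key" "$USER_DIR/user.crt" > "$OUT_DIR/user.pem"
  cat > "$OUT_DIR/client.properties" <<EOF
bootstrap.servers=$BOOTSTRAP
security.protocol=SSL
ssl.truststore.type=PEM
ssl.truststore.location=$CA_DIR/ca.crt
ssl.keystore.type=PEM
ssl.keystore.location=$OUT_DIR/user.pem
EOF
  echo "$OUT_DIR/client.properties"
}

# When given a command (the application), generate the config and exec it.
if [ "$#" -gt 0 ]; then
  write_client_config >/dev/null
  exec "$@"
fi
```

The Pod spec is assumed to mount the two Secrets at CA_DIR and USER_DIR and to use this script as the container entrypoint with the application command as its arguments.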
Thanks @tombentley I'll look into the changes we need to make to the docs. @katheris - let me know if you have ideas on how the access operator should be positioned in the docs