
Support multiple CAs in the Clients CA secret

Open scholzj opened this issue 3 years ago • 5 comments

Today, we officially support only a single Clients CA (=> a single public CA in the Kafka truststore). However, sometimes users are interested in using multiple CAs at the same time. We never designed for it. But it works when you just add multiple CRT files into the Clients CA secret, e.g. ca.crt and ca-2.crt. This of course does not work with the User Operator and type: tls authentication. But it works fine for users with type: tls-external. We should consider if we want to support this officially. In that case, we should document it and add STs to make sure we keep this working. And decide if we need something more with regards to rolling etc.

One of the examples where this was discussed is #6559

scholzj avatar Mar 24 '22 20:03 scholzj

Triaged on 21st June: This seems to be something users are asking for fairly often. So this would be good to have and in combination with custom CA certificates and tls-external authentication in User Operator this should work. But it still seems complex enough to need a proposal first describing how it will be implemented, configured etc.

scholzj avatar Jun 21 '22 14:06 scholzj

Hello @scholzj,

May I know whether there is any further update on this issue? I also saw another proposal about CA abstraction and I'm not sure whether this proposal is a dependency for the support of multiple CAs?

dttung2905 avatar Sep 01 '22 05:09 dttung2905

There is no update on this. I do not think this issue depends on the existing proposal about CA abstraction, I think it can be worked on separately as well.

scholzj avatar Sep 01 '22 07:09 scholzj

Hello @scholzj, thanks for the reply. I gave it some thought and played around with it.

  • I created a POC Strimzi cluster that trusts multiple CAs (one auto-generated by Strimzi itself and one generated offline by me). I also created a Kafka User with spec.authentication.type=tls in the CRD. So far I have been able to run the kafkacat command in both scenarios: using the cert created by the Kafka User CRD and using a cert signed by my own CA.

> This of course does not work with User Operator and type: tls authentication. But it works fine for users with type: tls-external

  • From my local test, it does work with the User Operator and type: tls, as long as the metadata.name field in the Kafka User CRD is the same as the CName of the externally generated TLS cert. The only difference between type: tls and type: tls-external would just be that the former auto-creates a set of certificates in a K8s secret for you, while the latter does not.

What do you think we need to do in this case to "officially" support Strimzi trusting multiple Clients CAs? I think we just need some extra documentation, one piece of which would be:

If you want to have a single Kafka User that can benefit from multiple client CAs, please use type: tls in the CRD and set the CName of the externally generated certificate to be the same as the value in the metadata.name field. Another way is to create 2 different Kafka Users, one with type: tls and one with type: tls-external.

Another concern I have is Strimzi's behavior when doing Clients CA rotation, as now we have (one Strimzi-generated client CA or one own client CA) and (one or more self-managed CAs). I'm really happy to help on this issue but will probably need some guidance from the experts here :smile:

dttung2905 avatar Sep 03 '22 16:09 dttung2905
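To make concrete what the issue description sketches (a Clients CA secret carrying both ca.crt and ca-2.crt) and what the comment above tested (a client certificate signed by a self-managed CA whose CN equals the KafkaUser's metadata.name), here is an added shell example. It is not Strimzi's code and not from either commenter; it needs only openssl and base64 and runs offline. The cluster name my-cluster, the namespace kafka and the user name my-user are assumptions for illustration; the secret name follows the <cluster>-clients-ca-cert pattern Strimzi uses for the Clients CA certificate secret. Installing such a secret into a real cluster still has to follow Strimzi's custom-CA documentation; the manifest here only shows the shape of the data.

```shell
#!/bin/sh
# Added example, not part of Strimzi. Two CAs: "ca" stands in for the
# Strimzi-generated Clients CA, "ca-2" for a CA managed outside Strimzi.
# Names my-cluster, kafka and my-user are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA; $1 is both the file base name and the CA's CN.
# (req -x509 adds basicConstraints CA:TRUE with the default openssl config.)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a client certificate: $1 = CA base name, $2 = subject CN, which for
# type: tls must equal the KafkaUser's metadata.name, $3 = output base name.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$3.key" \
    -out "$WORK/$3.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.crt" >/dev/null 2>&1
}

# Concatenate every CA file given after the certificate, the way a truststore
# built from all *.crt entries of the secret would, and check that the
# certificate chains to one of them. Returns openssl verify's exit status.
verify_against_bundle() {
  cert="$1"; shift
  cat "$@" > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$cert" >/dev/null 2>&1
}

# Print the subject CN of a certificate, i.e. the value that has to match
# the KafkaUser name for the User Operator with type: tls.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *//p' | sed 's/^CN=//'
}

# Emit a Secret manifest with both CAs under separate keys (ca.crt, ca-2.crt).
# $1 and $2 are the CA base names.
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-clients-ca-cert
  namespace: kafka
type: Opaque
data:
  ca.crt: $(base64 < "$WORK/$1.crt" | tr -d '\n')
  ca-2.crt: $(base64 < "$WORK/$2.crt" | tr -d '\n')
EOF
}

# Walk through the scenario from the issue and print the findings.
demo() {
  make_ca ca
  make_ca ca-2
  issue_client_cert ca-2 my-user client
  echo "client cert CN: $(cert_cn "$WORK/client.crt") (must equal the KafkaUser name)"
  if verify_against_bundle "$WORK/client.crt" "$WORK/ca.crt"; then
    echo "verifies against ca.crt alone: yes"
  else
    echo "verifies against ca.crt alone: no (expected, signed by ca-2)"
  fi
  if verify_against_bundle "$WORK/client.crt" "$WORK/ca.crt" "$WORK/ca-2.crt"; then
    echo "verifies against ca.crt + ca-2.crt bundle: yes"
  fi
  secret_manifest ca ca-2
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `sh example.sh demo`. The bundle check is the whole point of the issue: a truststore built from every CRT entry in the secret accepts the externally issued certificate, while the Strimzi CA alone rejects it; the CN check is the condition the comment above found necessary for type: tls to keep working.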

The start for this would be to write a proposal of how it could be implemented. You can check some of the existing proposals to see what they look like and what they contain: https://github.com/strimzi/proposals ... you can basically just open the PR there with the proposal.

I would be a bit careful about mixing a custom CA with a Strimzi-managed CA. I think that in general it increases the risks of things breaking, overwriting each other etc. I also wonder if it matches any use-cases for this. What would be the use case for mixed CAs like that? But if you think it is possible, then it can of course be part of the proposal.

scholzj avatar Sep 03 '22 16:09 scholzj