strimzi-kafka-operator
Add Support For Encrypted Private Keys
Is your feature request related to a problem? Please describe.
The tool should support the creation of TLS using encrypted private keys for Kafka listeners.

Describe the solution you'd like
Support the use for Kafka listeners to use TLS using an encrypted private key.

Describe alternatives you've considered
Yes, the alternative is to use a different tool or to add it myself. But by the time that I were to build the issue, I could implement another tool. This seems like it could be a great way for greater use of the Strimzi tool.
Please explain what will be the use-case and the value of this!
@scholzj the use case is that in the event that I am using Strimzi and Kafka for a large deployment and I have been given an encrypted private key. The goal is to manage Kafka with the listeners with the externally signed CA and encrypted key. But if this isn't a possibility, I will just use another tool. I would love to help improve Strimzi, which is why I am submitting this ticket, rather than just not using Strimzi.
You can just decrypt the key and then create the secret with the decrypted key. You do not need any special tool for it.
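The workaround suggested in the comment above, sketched as an added example (not part of the thread and not Strimzi's own code). It assumes `openssl` and `kubectl` are installed; the function names, Secret name, namespace and file names are hypothetical.

```shell
#!/bin/sh
# Added example: decrypt a passphrase-protected PEM key, then load it into a Secret.

# Exit 0 if the PEM file is still passphrase-protected. Matches both the PKCS#8
# header ("BEGIN ENCRYPTED PRIVATE KEY") and legacy "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# decrypt_key <encrypted.pem> <passphrase-file> <out.pem>
# The passphrase is read from a file so it never appears in argv or shell history.
decrypt_key() {
  enc_key=$1
  pass_file=$2
  out_key=$3
  rm -f "$out_key"
  # umask in a subshell: the plaintext key is created owner-readable only (0600).
  if ! ( umask 077
         openssl pkey -in "$enc_key" -passin "file:$pass_file" -out "$out_key" ) 2>/dev/null
  then
    rm -f "$out_key"   # wrong passphrase or unreadable input: leave nothing behind
    return 1
  fi
  # Refuse to hand over a key that is somehow still encrypted.
  if key_is_encrypted "$out_key"; then
    rm -f "$out_key"
    return 1
  fi
}

# create_listener_secret <secret-name> <namespace> <key.pem> <cert.pem>
# Stores the decrypted key and its certificate chain in one Secret. The Kafka
# listener's brokerCertChainAndKey configuration then refers to this Secret
# and to the tls.crt / tls.key entries inside it.
create_listener_secret() {
  kubectl create secret generic "$1" --namespace "$2" \
    --from-file=tls.key="$3" --from-file=tls.crt="$4"
}

# Typical use (constructed file names):
#   decrypt_key listener-enc.key passphrase.txt /dev/shm/listener.key &&
#   create_listener_secret my-listener-cert kafka /dev/shm/listener.key listener.crt
#   rm -f /dev/shm/listener.key
```

Once the Secret exists, the plaintext copy on the workstation should be deleted; from then on access to the key is governed by Kubernetes RBAC and by encryption at rest for Secrets, if the cluster has it enabled.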
@scholzj True, that is 1 option. But another option that would be a longer term option is to add the support for this in a few months, to provide complete coverage and cover the use cases so people would want to use, support, and contribute to the tool.
Every feature requires some effort to develop and also some on-going effort to maintain it - test it, update it, keep it working etc. So it is not always just about adding a new feature because someone asked about it. It has to make some sense and add some additional value which justifies the effort.
Triaged on 18.8.2022: Having the encrypted key with the password stored next to it would not help security. And the ask for this support seems to be very rare compared to the expected effort. This issue should be closed. In the future, for improving security, the issues for better integration with certificate providers such as Vault might provide a more secure way for storing the keys.