To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), complete the following steps.
- Install cert-manager on the cluster. cert-manager issues the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.

  ```bash
  kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.2/cert-manager.yaml
  ```

- Specify a cluster issuer for cert-manager that has the same CA or root certificate as the Istio mesh; otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

  - Get the CA certificate used by Istio:

    ```bash
    kubectl get secrets -n istio-system istio-ca-secret -o yaml
    ```

    This secret has different fields than what cert-manager expects (cert-manager reads the CA from the `tls.crt` and `tls.key` keys).

  - Create a new secret from it in a format that works for cert-manager, then a ClusterIssuer that references that secret.

    ```bash
    kubectl create -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: ca-key-pair
      namespace: cert-manager
    data:
      tls.crt: <tls-crt-from-istio-ca-secret>
      tls.key: <your-tls-key-from-istio-ca-secret>
    EOF
    ```

    ```bash
    kubectl create -f - <<EOF
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: ca-issuer
      namespace: cert-manager
    spec:
      ca:
        secretName: ca-key-pair
    EOF
    ```
- Create a Kafka user that authenticates with a certificate.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: kafka.banzaicloud.io/v1alpha1
  kind: KafkaUser
  metadata:
    name: dev-jks-kafkauser
    namespace: default
  spec:
    clusterRef:
      name: kafka
      namespace: kafka
    secretName: dev-jks-kafkauser-secret
    includeJKS: true
    pkiBackendSpec:
      pkiBackend: "cert-manager"
      issuerRef:
        name: "ca-issuer"
        kind: "ClusterIssuer"
  EOF
  ```

  The created secret should contain a JKS file together with the password required to open it.
- Add a new superuser to your KafkaCluster custom resource.

  ```bash
  kubectl edit kafkacluster kafka
  ```

  - If you are using cert-manager version 0.15.2 or newer, add `User:CN=dev-jks-kafkauser` to the super.users readOnly configuration.
  - If you are using an older cert-manager version, add `User:CN=dev-jks-kafkauser,O=cert-manager` to the super.users readOnly configuration.

  The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.
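A quick way to check a `super.users` value against the subject of the issued client certificate before applying it, as an added example that is not part of the operator's documentation. It assumes Kafka's default SSL principal mapping (no `ssl.principal.mapping.rules`), under which the principal is `User:` followed by the certificate's full subject DN, so `CN=dev-jks-kafkauser` and `CN=dev-jks-kafkauser,O=cert-manager` are two different principals; and it assumes the standard `;` separator of `super.users`.

```python
"""Added example: validate super.users entries against a client certificate
subject.  Assumes Kafka's default SSL principal mapping, where the principal
is "User:" + the full subject DN, and a ';'-separated super.users list."""

SUPER_USERS_SEPARATOR = ";"


def parse_super_users(value: str) -> list[str]:
    """Split a super.users value into its individual principal strings."""
    return [p.strip() for p in value.split(SUPER_USERS_SEPARATOR) if p.strip()]


def principal_from_subject(subject_dn: str) -> str:
    """Kafka principal for a certificate with the given subject DN.

    Kafka compares the whole DN string, so an entry written for a newer
    cert-manager (CN only) does not match a certificate that still carries
    the O=cert-manager attribute, and vice versa.
    """
    return "User:" + subject_dn.strip()


def is_super_user(subject_dn: str, super_users: str) -> bool:
    """True if the certificate subject is listed, exactly, in super.users."""
    return principal_from_subject(subject_dn) in parse_super_users(super_users)


def lint_super_users(value: str) -> list[str]:
    """Flag the two mistakes that silently drop a superuser: a missing
    'User:' principal type, and ',' used as the separator (which Kafka reads
    as one principal whose DN contains several User: fragments)."""
    problems = []
    entries = parse_super_users(value)
    for entry in entries:
        if not entry.startswith("User:"):
            problems.append(f"entry lacks the 'User:' principal type: {entry!r}")
    if len(entries) == 1 and value.count("User:") > 1:
        problems.append("several principals but no ';' separator; ',' separates DN attributes, not users")
    return problems


if __name__ == "__main__":
    # Constructed sample: operator-managed superuser plus the dev JKS user.
    config = "User:CN=kafka-controller;User:CN=dev-jks-kafkauser"
    print(is_super_user("CN=dev-jks-kafkauser", config))                 # True
    print(is_super_user("CN=dev-jks-kafkauser,O=cert-manager", config))  # False
    print(lint_super_users("User:CN=kafka-controller,User:CN=dev-jks-kafkauser"))
```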