To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), complete the following steps.

  1. Install cert-manager on the cluster. The cert-manager application will issue the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.2/cert-manager.yaml
    
  2. Specify a cluster issuer for cert-manager that uses the same CA or root certificate as the Istio mesh; otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

    1. Get the CA certificate used by Istio:

      kubectl get secrets -n istio-system istio-ca-secret -o yaml
      

      This secret has different fields than what cert-manager expects.

    2. Create a new secret from this in a format that works for cert-manager.

      kubectl create -f - <<EOF
      apiVersion: v1
      kind: Secret
      metadata:
        name: ca-key-pair
        namespace: cert-manager
      data:
        tls.crt: <tls-crt-from-istio-ca-secret>
        tls.key: <your-tls-key-from-istio-ca-secret>
      EOF
      
      kubectl create -f - <<EOF
      apiVersion: cert-manager.io/v1alpha2
      kind: ClusterIssuer
      metadata:
        name: ca-issuer
        namespace: cert-manager
      spec:
        ca:
          secretName: ca-key-pair
      EOF
      
  3. Create a Kafka user that authenticates with a certificate.

    kubectl create -f - <<EOF
    apiVersion: kafka.banzaicloud.io/v1alpha1
    kind: KafkaUser
    metadata:
      name: dev-jks-kafkauser
      namespace: default
    spec:
      clusterRef:
        name: kafka
        namespace: kafka
      secretName: dev-jks-kafkauser-secret
      includeJKS: true
      pkiBackendSpec:
        pkiBackend: "cert-manager"
        issuerRef:
          name: "ca-issuer"
          kind: "ClusterIssuer"
    EOF
    

    The created secret should contain a JKS file and the password required to open it.

  4. Add a new superuser to your KafkaCluster custom resource.

    kubectl edit kafkacluster kafka
    
    • If you are using cert-manager version 0.15.2 or newer, add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.
    • If you are using an older cert-manager version, add User:CN=dev-jks-kafkauser,O=cert-manager to the super.users readOnly configuration.

    The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.
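As an added example (not part of this documentation or the operator's code), the following Python script automates the re-keying in step 2 and the super.users entry in step 4: it reads the JSON form of the Istio CA secret (kubectl get secrets -n istio-system istio-ca-secret -o json), emits the cert-manager secret manifest, and builds the super.users principal for the KafkaUser, joining entries with the semicolon Kafka expects. It assumes the Istio secret stores its CA under the ca-cert.pem and ca-key.pem keys; the sample secret below is constructed and contains placeholder PEM data.

```python
import base64
import json

# Assumption: Istio's self-signed CA secret uses these data keys.
ISTIO_CERT_KEY = "ca-cert.pem"
ISTIO_KEY_KEY = "ca-key.pem"


def istio_ca_to_cert_manager_secret(istio_secret_json, name="ca-key-pair",
                                    namespace="cert-manager"):
    """Re-key the Istio CA secret into the tls.crt/tls.key layout the CA issuer expects."""
    data = json.loads(istio_secret_json).get("data", {})
    missing = [k for k in (ISTIO_CERT_KEY, ISTIO_KEY_KEY) if k not in data]
    if missing:
        raise ValueError(f"istio-ca-secret lacks {missing}; is Istio using a self-signed CA?")
    # cert-manager rejects the issuer if tls.crt is not a PEM certificate, so check early.
    cert_pem = base64.b64decode(data[ISTIO_CERT_KEY]).decode()
    if "BEGIN CERTIFICATE" not in cert_pem:
        raise ValueError(f"{ISTIO_CERT_KEY} does not decode to a PEM certificate")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": data[ISTIO_CERT_KEY], "tls.key": data[ISTIO_KEY_KEY]},
    }


def super_users_entry(kafka_user_name, cert_manager_version):
    """Principal for super.users; cert-manager older than 0.15.2 adds O=cert-manager to the subject."""
    parts = [int(p) for p in cert_manager_version.lstrip("v").split(".")[:3]]
    principal = f"User:CN={kafka_user_name}"
    if tuple(parts) < (0, 15, 2):
        principal += ",O=cert-manager"
    return principal


def super_users_line(principals):
    """Kafka separates super.users entries with ';' (not ',' which is part of the DN)."""
    return ";".join(principals)


# Constructed sample of the istio-ca-secret JSON; the PEM bodies are placeholders, not real keys.
SAMPLE_ISTIO_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "istio-ca-secret", "namespace": "istio-system"},
    "data": {
        "ca-cert.pem": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "ca-key.pem": base64.b64encode(
            b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n").decode(),
    },
})

if __name__ == "__main__":
    print(json.dumps(istio_ca_to_cert_manager_secret(SAMPLE_ISTIO_SECRET), indent=2))
    print(super_users_line(["User:CN=admin", super_users_entry("dev-jks-kafkauser", "v0.15.2")]))
```

Pipe the printed manifest into kubectl create -f - to replace the hand-edited secret in step 2; the printed super.users line is what goes into the readOnly configuration in step 4.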