The customer's main issue is:
We need to change the server certificate used by Kafka so that it uses our own signed certificate, signed by the official Bank CA, rather than the one that is automatically generated by the Operator and added to Kafka.
1. We can't get an intermediate CA from the Bank. Bank security only uses locked-down CAs and will not provide a CA of any kind that we could hand to the Operator.
2. Tried TCP with SNI: AMQ Streams engineering tried re-encrypt, but it doesn't seem to work. The Kafka client does not get through to the broker. So this is not an option for us unless OpenShift improves the Router's capabilities.
Given the above two problems, there is an alternative solution:
Allow users to configure the broker certificates just for the listeners, i.e. configure only the certificates the brokers present on the external interface, while inter-cluster communication (replication, controller traffic) continues to use the Strimzi cluster CA. This is much easier for users to configure: the listeners intended for their applications are not used for replication, so the requirements are much more relaxed (just a regular server certificate whose SANs cover the bootstrap and per-broker hostnames, no CA handed to the Operator).
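The following is an added example and not part of the original case or of the AMQ Streams/Strimzi project: it prepares the key and CSR that would be sent to the Bank CA for a listener-only server certificate, checks that the CSR carries a SAN for every external hostname (a missing SAN is the usual reason clients reject a custom listener certificate), and prints the Kafka CR fragment that points an external listener at the resulting Secret. It assumes a Strimzi/AMQ Streams version that supports the `brokerCertChainAndKey` listener configuration; the hostnames, listener name, listener type and Secret name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original case or the Strimzi project).
# Hostnames, Secret name and listener settings are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BOOTSTRAP_HOST="kafka-bootstrap.apps.example.internal"          # placeholder
BROKER_HOSTS="kafka-0.apps.example.internal kafka-1.apps.example.internal kafka-2.apps.example.internal"
SECRET_NAME="kafka-external-listener-tls"                        # placeholder

# Write an openssl request config with one SAN entry per external hostname.
write_san_config() {
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "req_extensions = ext"
    echo "prompt = no"
    echo "[dn]"
    echo "CN = $BOOTSTRAP_HOST"
    echo "[ext]"
    echo "subjectAltName = @alt"
    echo "[alt]"
    i=1
    for h in $BOOTSTRAP_HOST $BROKER_HOSTS; do
      echo "DNS.$i = $h"
      i=$((i + 1))
    done
  } > "$WORKDIR/san.cnf"
}

# Generate the private key (stays with the cluster team) and the CSR that
# goes to the Bank CA for signing. Only the CSR leaves the environment.
make_csr() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/listener.key" -out "$WORKDIR/listener.csr" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Return 0 only if every bootstrap/broker hostname is present as a DNS SAN.
# Run the same check on the signed certificate the Bank returns
# (openssl x509 -in listener.crt -noout -text) before loading it.
check_csr_sans() {
  sans=$(openssl req -in "$WORKDIR/listener.csr" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n1)
  for h in $BOOTSTRAP_HOST $BROKER_HOSTS; do
    case "$sans" in
      *"DNS:$h"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Print the listener fragment for the Kafka custom resource. The Secret is
# created from the Bank-signed chain and the key generated above, e.g.:
#   kubectl create secret generic "$SECRET_NAME" \
#     --from-file=tls.crt=listener.crt --from-file=tls.key=listener.key
# The cluster CA is untouched; only the external listener uses this cert.
listener_manifest_fragment() {
  cat <<EOF
spec:
  kafka:
    listeners:
      - name: external
        port: 9094
        type: route
        tls: true
        configuration:
          brokerCertChainAndKey:
            secretName: $SECRET_NAME
            certificate: tls.crt
            key: tls.key
EOF
}

# Stand-alone usage: build the CSR, verify SANs, show the CR fragment.
if [ "${1:-}" = "run" ]; then
  make_csr
  check_csr_sans && echo "CSR covers all external hostnames"
  listener_manifest_fragment
fi
```

The check is deliberately separate from generation so it can be rerun against the certificate the Bank returns: the Operator will happily load a certificate whose SANs do not match the route hostnames, and the failure then shows up only as client-side hostname verification errors.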