Details
-
Story
-
Resolution: Done
-
Major
-
1.7.0.GA
-
None
Description
- Add steps for creating ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert when using your own CA certificates
- The cluster operator creates ca.crt, ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert when the default auto-generated CA certificates are used.
- However, when installing your own CA certificate by following the documentation (1), ca.p12 and ca.password are not included in ${KAFKA_CLUSTER}-cluster-ca-cert.
- As far as I've tested, the following commands can create ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert:
~~~
PASSWORD=password
KAFKA_CLUSTER=my-cluster
CA_CERTIFICATE_SECRET=${KAFKA_CLUSTER}-cluster-ca-cert
CA_KEY_SECRET=${KAFKA_CLUSTER}-cluster-ca

# If you lost ca.crt and ca.key, you can get them from the current secrets using the following commands.
# oc get secret ${CA_CERTIFICATE_SECRET} -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
# oc get secret ${CA_KEY_SECRET} -o jsonpath='{.data.ca\.key}' | base64 -d > ca.key

# Generate ca.p12 (a certificate-only PKCS12 truststore) from ca.crt.
# The output file name must match the ca.p12 entry added to the secret below.
openssl pkcs12 -export -in ca.crt -nokeys -out ca.p12 -password pass:${PASSWORD} -caname ca.crt

# Recreate the cluster CA cert secret with ca.crt, ca.p12 and ca.password,
# then re-apply the Strimzi labels so the cluster operator keeps managing it.
oc delete secret ${CA_CERTIFICATE_SECRET}
oc create secret generic ${CA_CERTIFICATE_SECRET} \
  --from-file=ca.crt=ca.crt \
  --from-file=ca.p12=ca.p12 \
  --from-literal=ca.password=${PASSWORD} \
&& oc label secret ${CA_CERTIFICATE_SECRET} \
  strimzi.io/kind=Kafka \
  strimzi.io/cluster=${KAFKA_CLUSTER}
~~~
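A check for the result of the procedure above, added here as an example (not part of the issue or of the AMQ Streams/Service Registry documentation): it confirms the cluster CA cert secret carries the three keys listed in (2) and that ca.p12 actually opens with ca.password. It assumes `oc` and `openssl` are on PATH; the secret name `my-cluster-cluster-ca-cert` is the issue's default.

```shell
#!/bin/sh
# Added example, not from the issue. Verifies a Strimzi cluster CA cert secret
# after it has been recreated with ca.crt, ca.p12 and ca.password.

# Return 0 if the secret JSON on stdin (as from `oc get secret ... -o json`)
# carries every required data key, else print the missing keys and return 1.
# Plain POSIX sh + grep so it works on hosts without jq.
check_secret_keys() {
  json=$(cat)
  missing=""
  for key in ca.crt ca.p12 ca.password; do
    # each data entry is rendered as  "ca.p12": "<base64>"
    printf '%s' "$json" | grep -qF "\"$key\"" || missing="$missing $key"
  done
  [ -z "$missing" ] && return 0
  echo "missing keys in cluster CA cert secret:$missing" >&2
  return 1
}

# Decode ca.p12 and ca.password from the live secret and confirm the truststore
# opens with that password (what Service Registry does at startup). Prints the
# number of CA certificates found in the store.
verify_truststore() {
  secret=${1:-my-cluster-cluster-ca-cert}
  tmp=$(mktemp -d) || return 1
  oc get secret "$secret" -o jsonpath='{.data.ca\.p12}' | base64 -d > "$tmp/ca.p12"
  pw=$(oc get secret "$secret" -o jsonpath='{.data.ca\.password}' | base64 -d)
  openssl pkcs12 -in "$tmp/ca.p12" -nokeys -passin "pass:$pw" -out "$tmp/ca.pem" \
    && grep -c 'BEGIN CERTIFICATE' "$tmp/ca.pem"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# usage against a live cluster:
#   oc get secret my-cluster-cluster-ca-cert -o json | check_secret_keys \
#     && verify_truststore my-cluster-cluster-ca-cert
```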
- And our Service Registry doesn't work without this procedure, because it uses ca.p12 and ca.password in my-cluster-cluster-ca-cert (2).
(1) Using AMQ Streams on OpenShift > 11.1.2. Installing your own CA certificates
https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q2/html-single/using_amq_streams_on_openshift/index#installing-your-own-ca-certificates-str
(2) Installing and Deploying Service Registry on OpenShift > 3.3. Configuring Kafka storage with TLS security
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/installing_and_deploying_service_registry_on_openshift/index#registry-persistence-kafkasql-tls
~~~
If you create the secrets manually, they must contain the following key-value pairs:
my-cluster-ca-cert
ca.p12 - truststore in PKCS12 format
ca.password - truststore password
~~~