AMQ Streams > ENTMQST-3246

[DOC OCP] Add steps for creating ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert when using your own CA certificates


Details

    • Type: Story
    • Resolution: Done
    • Priority: Major
    • Versions: 2.0.0.GA, 1.7.0.GA
    • Component: cluster-operator
    • Labels: None

    Description

      • Add steps for creating ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert when using your own CA certificates
        • The cluster operator creates ca.crt, ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert when the default auto-generated CA certificates are used.
        • However, when you install your own CA certificate by following the documentation (1), ca.p12 and ca.password are not included in ${KAFKA_CLUSTER}-cluster-ca-cert.
      • As far as I've tested, the following commands create ca.p12 and ca.password in ${KAFKA_CLUSTER}-cluster-ca-cert
        • PASSWORD=password
          KAFKA_CLUSTER=my-cluster
          CA_CERTIFICATE_SECRET=${KAFKA_CLUSTER}-cluster-ca-cert
          CA_KEY_SECRET=${KAFKA_CLUSTER}-cluster-ca
          
          # If you lost ca.crt and ca.key, you can get them from the current secrets using the following commands.
          # oc get secret ${CA_CERTIFICATE_SECRET} -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
          # oc get secret ${CA_KEY_SECRET} -o jsonpath='{.data.ca\.key}' | base64 -d > ca.key
          
          # generate the ca.p12 truststore (certificate only, no private key) from ca.crt
          # (written to ca.p12, the file name the secret below expects)
          openssl pkcs12 -export -in ca.crt -nokeys -out ca.p12 -password pass:${PASSWORD} -caname ca.crt
          
          # replace the secret so it carries ca.crt, ca.p12 and ca.password, then restore the Strimzi labels
          oc delete secret ${CA_CERTIFICATE_SECRET}
          oc create secret generic ${CA_CERTIFICATE_SECRET} \
            --from-file=ca.crt=ca.crt \
            --from-file=ca.p12=ca.p12 \
            --from-literal=ca.password=${PASSWORD} \
            && oc label secret ${CA_CERTIFICATE_SECRET} \
            strimzi.io/kind=Kafka \
            strimzi.io/cluster=${KAFKA_CLUSTER}
          
      • Our Service Registry doesn't work without this procedure, because it uses ca.p12 and ca.password from my-cluster-cluster-ca-cert (2).

      (1) Using AMQ Streams on OpenShift > 11.1.2. Installing your own CA certificates
      https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q2/html-single/using_amq_streams_on_openshift/index#installing-your-own-ca-certificates-str

      (2) Installing and Deploying Service Registry on OpenShift > 3.3. Configuring Kafka storage with TLS security
      https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/installing_and_deploying_service_registry_on_openshift/index#registry-persistence-kafkasql-tls
      ~~~

      If you create the secrets manually, they must contain the following key-value pairs:
          my-cluster-ca-cert
              ca.p12 - truststore in PKCS12 format
              ca.password - truststore password

      ~~~
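The procedure in the description, as an added example that is not from this issue or from the AMQ Streams project: it builds ca.p12 from ca.crt the same way, verifies that the truststore opens with the chosen password and holds the expected certificate before anything on the cluster is replaced, and renders the replacement Secret as YAML with the strimzi.io labels derived from the cluster name rather than hard-coded. The function names, the throwaway demo CA and the "changeit" password are assumptions; oc is never invoked, so the script runs offline with only openssl.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or AMQ Streams): build, verify and render the
# <cluster>-cluster-ca-cert truststore secret without touching a live cluster.
set -eu

# Base64 without line wrapping (portable: avoids GNU-only `base64 -w0`).
b64() { base64 | tr -d '\n'; }

# make_truststore CA_CRT OUT_P12 PASSWORD
# PKCS12 truststore holding only the CA certificate, no private key, as in the issue.
make_truststore() {
  openssl pkcs12 -export -in "$1" -nokeys -out "$2" -password "pass:$3" -caname ca.crt
}

# verify_truststore CA_CRT P12 PASSWORD
# Succeeds only if the truststore opens with PASSWORD and the certificate inside has
# the same SHA-256 fingerprint as CA_CRT; a wrong password or a different CA fails.
verify_truststore() {
  local crt="$1" p12="$2" pw="$3" want got
  want=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | cut -d= -f2)
  got=$(openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# render_secret_yaml CLUSTER CA_CRT P12 PASSWORD
# Prints the <cluster>-cluster-ca-cert Secret with the three keys the issue lists and the
# strimzi.io labels; the secret name follows CLUSTER, so `oc apply -f -` can replace it.
render_secret_yaml() {
  local cluster="$1" crt="$2" p12="$3" pw="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${cluster}-cluster-ca-cert
  labels:
    strimzi.io/kind: Kafka
    strimzi.io/cluster: ${cluster}
type: Opaque
data:
  ca.crt: $(b64 < "$crt")
  ca.p12: $(b64 < "$p12")
  ca.password: $(printf '%s' "$pw" | b64)
EOF
}

# End-to-end run against a throwaway self-signed CA constructed here (not a real cluster CA).
demo() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-cluster-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  make_truststore "$dir/ca.crt" "$dir/ca.p12" "changeit"
  verify_truststore "$dir/ca.crt" "$dir/ca.p12" "changeit" && echo "# truststore OK"
  render_secret_yaml my-cluster "$dir/ca.crt" "$dir/ca.p12" "changeit"
  rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `bash ca-truststore.sh demo` to see the verification and the rendered Secret; against a real cluster, feed the existing ca.crt into `make_truststore`, run `verify_truststore` on the result, and pipe `render_secret_yaml` into `oc apply -f -`. Checking the fingerprint before replacing the secret is what catches a truststore built from the wrong certificate or with a password that does not match ca.password, which would otherwise only surface as a TLS failure in the Service Registry.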

          People

            pmellor@redhat.com Paul Mellor
            rhn-support-tyamashi Tomonari Yamashita
            Michal Toth Michal Toth