Create SuperUser with JKS key

To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), you have to create a Kafka user that authenticates with a certificate. Use one of the following methods to do this.

Use our CSR operator

  1. Run the following command to create a new KafkaUser.

    kubectl apply -f - <<EOF
    apiVersion: kafka.banzaicloud.io/v1alpha1
    kind: KafkaUser
    metadata:
      name: dev-jks-kafkauser
      namespace: default
    spec:
      clusterRef:
        name: kafka
        namespace: kafka
      secretName: dev-jks-kafkauser-secret
      includeJKS: true
      pkiBackendSpec:
        pkiBackend: k8s-csr
        signerName: csr.banzaicloud.io/privateca
    EOF
    
  2. Add a new superuser to your KafkaCluster custom resource.

    kubectl edit kafkacluster kafka -n kafka
    

    Add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.

    The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.

Use cert-manager

Install cert-manager

  1. Install cert-manager on the cluster. The cert-manager application will issue the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.yaml
    
  2. Specify a cluster issuer for cert-manager that has the same CA or root certificate as the Istio mesh; otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

    Note: Streaming Data Manager uses the CSR operator as an external CA to provide certificates to Istio.

    1. Create a new secret from the CA certificate used by Istio in a format that works for cert-manager.

      kubectl create -f - <<EOF
      apiVersion: v1
      kind: Secret
      metadata:
        name: ca-key-pair
        namespace: cert-manager
      data:
        tls.crt: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_crt\.pem}')
        tls.key: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_key\.pem}')
      EOF
      
    2. Use the secret to create a ClusterIssuer (a Kubernetes resource that represents CAs that are able to generate signed certificates).

      kubectl create -f - <<EOF
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: ca-issuer
        namespace: cert-manager
      spec:
        ca:
          secretName: ca-key-pair
      EOF
      

Create the KafkaUser

  1. Run the following command to create a new KafkaUser.

    kubectl create -f - <<EOF
    apiVersion: kafka.banzaicloud.io/v1alpha1
    kind: KafkaUser
    metadata:
      name: dev-jks-kafkauser
      namespace: default
    spec:
      clusterRef:
        name: kafka
        namespace: kafka
      secretName: dev-jks-kafkauser-secret
      includeJKS: true
      pkiBackendSpec:
        pkiBackend: "cert-manager"
        issuerRef:
          name: "ca-issuer"
          kind: "ClusterIssuer"
    EOF
    

    The created secret should contain a JKS file together with the password required to open it.

  2. Add a new superuser to your KafkaCluster custom resource.

    kubectl edit kafkacluster kafka -n kafka
    
    • If you are using cert-manager version 0.15.2 or newer, add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.
    • If you are using an older cert-manager version, add User:CN=dev-jks-kafkauser,O=cert-manager to the super.users readOnly configuration.

    The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.
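The super.users edit in step 2 of both methods is easy to get wrong by hand (a missing `;` separator or a duplicated principal). The following added example, which is not part of the Streaming Data Manager documentation, computes the updated readOnlyConfig offline and emits a `kubectl patch` command instead of `kubectl edit`; it assumes that super.users is kept as a Kafka properties line under `spec.readOnlyConfig` of the KafkaCluster resource and that principals are separated by `;`.

```python
# Added example (not from the original docs): add a principal to the
# super.users line of a KafkaCluster readOnlyConfig block.
# Assumptions: super.users is a properties line inside spec.readOnlyConfig,
# and Kafka separates super.users principals with ';'.
import json

SEPARATOR = ";"  # Kafka's separator between super.users principals


def add_super_user(read_only_config: str, principal: str) -> str:
    """Return read_only_config with `principal` present in super.users.

    Idempotent: an already-listed principal is not added twice, and a
    missing super.users line is appended at the end of the block.
    """
    lines = read_only_config.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "super.users":
            users = [u.strip() for u in value.split(SEPARATOR) if u.strip()]
            if principal not in users:
                users.append(principal)
            lines[i] = "super.users=" + SEPARATOR.join(users)
            break
    else:
        lines.append("super.users=" + principal)
    return "\n".join(lines) + "\n"


def merge_patch(read_only_config: str, principal: str) -> str:
    """JSON merge patch body for `kubectl patch kafkacluster ... --type merge`.

    Assumes the field path spec.readOnlyConfig (hypothetical for this example).
    """
    new_config = add_super_user(read_only_config, principal)
    return json.dumps({"spec": {"readOnlyConfig": new_config}})


# Constructed sample readOnlyConfig with one existing superuser.
SAMPLE_CONFIG = "auto.create.topics.enable=false\nsuper.users=User:CN=kafka\n"

if __name__ == "__main__":
    # Older cert-manager versions add O=cert-manager, so pass the full
    # principal string that matches the issued certificate's subject.
    patch = merge_patch(SAMPLE_CONFIG, "User:CN=dev-jks-kafkauser")
    print("kubectl patch kafkacluster kafka -n kafka --type merge -p '%s'" % patch)
```

Feed the actual readOnlyConfig (for example from `kubectl get kafkacluster kafka -n kafka -o jsonpath='{.spec.readOnlyConfig}'`) instead of the constructed sample before applying the printed command.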