Create SuperUser with JKS key

To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), complete the following steps.

1. Install cert-manager on the cluster. The cert-manager application will issue the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.

   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
   

2. Specify a cluster issuer for cert-manager that has the same CA or root certificate as the Istio mesh, otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

   1. Get the CA certificate used by Istio:

      kubectl get secrets -n istio-system istio-ca-secret -o yaml
      

      This secret has different fields than what cert-manager expects.

   2. Create a new secret from this in a format that works for cert-manager.

      kubectl create -f - <<EOF
      apiVersion: v1
      kind: Secret
      metadata:
        name: ca-key-pair
        namespace: cert-manager
      data:
        tls.crt: <tls-crt-from-istio-ca-secret>
        tls.key: <your-tls-key-from-istio-ca-secret>
      EOF
      

      kubectl create -f - <<EOF
      apiVersion: cert-manager.io/v1alpha2
      kind: ClusterIssuer
      metadata:
        name: ca-issuer
        namespace: cert-manager
      spec:
        ca:
          secretName: ca-key-pair
      EOF
      

1. Create a Kafka user that authenticates with a certificate.

   kubectl create -f - <<EOF
   apiVersion: kafka.banzaicloud.io/v1alpha1
   kind: KafkaUser
   metadata:
     name: dev-jks-kafkauser
     namespace: default
   spec:
     clusterRef:
       name: kafka
       namespace: kafka
     secretName: dev-jks-kafkauser-secret
     includeJKS: true
     pkiBackendSpec:
       pkiBackend: "cert-manager"
       issuerRef:
         name: "ca-issuer"
         kind: "ClusterIssuer"
   EOF
   

   The created secret should contain a jks file with the required password.

2. Add a new superuser to your KafkaCluster custom resource.

   kubectl edit kafkacluster kafka
   

   • If you are using cert-manager version 0.15.2 or newer, add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.
   • If you are using an older cert-manager version, add User:CN=dev-jks-kafkauser,O=cert-manager to the super.users readOnly configuration.

   The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.