Create SuperUser with JKS key
To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), you have to create a Kafka user that authenticates with a certificate. Use one of the following methods to do this.
Use our CSR operator
- Run the following command to create a new KafkaUser.

  ```bash
  kubectl apply -f - <<EOF
  apiVersion: kafka.banzaicloud.io/v1alpha1
  kind: KafkaUser
  metadata:
    name: dev-jks-kafkauser
    namespace: default
  spec:
    clusterRef:
      name: kafka
      namespace: kafka
    secretName: dev-jks-kafkauser-secret
    includeJKS: true
    pkiBackendSpec:
      pkiBackend: k8s-csr
      signerName: csr.banzaicloud.io/privateca
  EOF
  ```

- Add a new superuser to your KafkaCluster custom resource.

  ```bash
  kubectl edit kafkacluster kafka -n kafka
  ```

  Add `User:CN=dev-jks-kafkauser` to the super.users readOnly configuration. The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.
Use cert-manager
Install cert-manager
- Install cert-manager on the cluster. The cert-manager application will issue the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.

  ```bash
  kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.yaml
  ```

- Specify a cluster issuer for cert-manager that has the same CA or root certificate as the Istio mesh; otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

  Note: Streaming Data Manager uses the CSR operator as an external CA to provide certificates to Istio.

- Create a new secret from the CA certificate used by Istio, in a format that works for cert-manager.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: v1
  kind: Secret
  metadata:
    name: ca-key-pair
    namespace: cert-manager
  data:
    tls.crt: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_crt\.pem}')
    tls.key: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_key\.pem}')
  EOF
  ```

- Use the secret to create a ClusterIssuer (a Kubernetes resource that represents CAs that are able to generate signed certificates).

  ```bash
  kubectl create -f - <<EOF
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: ca-issuer
    namespace: cert-manager
  spec:
    ca:
      secretName: ca-key-pair
  EOF
  ```
-
Create the KafkaUser
- Run the following command to create a new KafkaUser.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: kafka.banzaicloud.io/v1alpha1
  kind: KafkaUser
  metadata:
    name: dev-jks-kafkauser
    namespace: default
  spec:
    clusterRef:
      name: kafka
      namespace: kafka
    secretName: dev-jks-kafkauser-secret
    includeJKS: true
    pkiBackendSpec:
      pkiBackend: "cert-manager"
      issuerRef:
        name: "ca-issuer"
        kind: "ClusterIssuer"
  EOF
  ```

  The created secret should contain a JKS file with the required password.

- Add a new superuser to your KafkaCluster custom resource.

  ```bash
  kubectl edit kafkacluster kafka -n kafka
  ```

  - If you are using cert-manager version 0.15.2 or newer, add `User:CN=dev-jks-kafkauser` to the super.users readOnly configuration.
  - If you are using an older cert-manager version, add `User:CN=dev-jks-kafkauser,O=cert-manager` to the super.users readOnly configuration.

  The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.
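The following shell helpers are an added example, not code from this page or from the Koperator / Streaming Data Manager project. They cover the two checks the procedures above leave to the reader: that the ClusterIssuer created for cert-manager really signs with the same CA the CSR operator hands to Istio (the condition in the cluster-issuer step), and that the principal you add to super.users is exactly what Kafka will derive from the issued certificate (CN only for the CSR operator and for cert-manager 0.15.2 or newer, CN plus O=cert-manager for older cert-manager). Kafka separates super.users entries with a semicolon, and an entry may itself contain a comma, so the helpers never split on commas. The function names, the `tls.crt` key of the KafkaUser secret and the sample super.users value are assumptions or constructed for the demo; the secret names and keys in the CA check are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the page or the Koperator project): pre-flight
# checks for the ClusterIssuer CA and for the super.users entry.

# version_ge A B: true when dotted version A >= B, compared numerically per
# component (a leading "v" is ignored). Used for the 0.15.2 cert-manager cut-off.
version_ge() {
  local a b x y
  a=${1#v}; b=${2#v}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
  done
  return 0
}

# expected_principal NAME BACKEND [CERT_MANAGER_VERSION]
# Prints the principal Kafka derives from the certificate issued for a KafkaUser
# named NAME, following the rules stated on the page: pkiBackend k8s-csr and
# cert-manager 0.15.2 or newer give CN=NAME only; older cert-manager releases
# add O=cert-manager to the subject.
expected_principal() {
  local name backend cm_version
  name=$1; backend=$2; cm_version=${3:-}
  case "$backend" in
    k8s-csr)
      printf 'User:CN=%s\n' "$name" ;;
    cert-manager)
      if [ -z "$cm_version" ]; then
        echo "expected_principal: cert-manager version required" >&2; return 1
      fi
      if version_ge "$cm_version" 0.15.2; then
        printf 'User:CN=%s\n' "$name"
      else
        printf 'User:CN=%s,O=cert-manager\n' "$name"
      fi ;;
    *)
      echo "expected_principal: unknown pkiBackend '$backend'" >&2; return 1 ;;
  esac
}

# super_users_contains LIST PRINCIPAL: true when PRINCIPAL is one of the
# ';'-separated entries of LIST. Whitespace around the separators is ignored;
# commas inside an entry (e.g. ",O=cert-manager") are part of the principal.
super_users_contains() {
  local list
  list=$(printf '%s' "$1" | sed 's/[[:space:]]*;[[:space:]]*/;/g; s/^[[:space:]]*//; s/[[:space:]]*$//')
  case ";$list;" in
    *";$2;"*) return 0 ;;
  esac
  return 1
}

# add_super_user LIST PRINCIPAL: prints LIST with PRINCIPAL appended using the
# ';' separator, or LIST unchanged when PRINCIPAL is already present.
add_super_user() {
  if super_users_contains "$1" "$2"; then
    printf '%s\n' "$1"
  elif [ -z "$1" ]; then
    printf '%s\n' "$2"
  else
    printf '%s;%s\n' "$1" "$2"
  fi
}

# issuer_ca_matches_istio: true when the CA cert-manager signs with (secret
# ca-key-pair in cert-manager, from the steps above) is byte-identical to the CA
# the CSR operator provides to Istio (secret csr-operator-cacerts, key ca_crt.pem).
issuer_ca_matches_istio() {
  local a b
  a=$(kubectl -n cert-manager get secret ca-key-pair -o 'jsonpath={.data.tls\.crt}')
  b=$(kubectl -n csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_crt\.pem}')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# show_kafkauser_subject NAMESPACE SECRET: prints the subject of the issued client
# certificate, to compare against expected_principal. Assumes the KafkaUser
# secret stores the PEM certificate under the key tls.crt.
show_kafkauser_subject() {
  kubectl -n "$1" get secret "$2" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject
}

# Offline demo with a constructed super.users value: sh superuser-check.sh demo
if [ "${1:-}" = demo ]; then
  current='User:CN=kafka-headless; User:CN=kafka-controller'   # constructed sample
  principal=$(expected_principal dev-jks-kafkauser cert-manager 0.14.0)
  printf 'expected principal: %s\n' "$principal"
  printf 'new super.users:    %s\n' "$(add_super_user "$current" "$principal")"
fi
```

Run `issuer_ca_matches_istio` before creating the KafkaUser and `show_kafkauser_subject default dev-jks-kafkauser-secret` after it; the printed subject should match the output of `expected_principal` for your backend and cert-manager version, and `add_super_user` gives you the exact string to paste into the super.users readOnly configuration.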