Create SuperUser with JKS key

To create an additional SuperUser that authenticates with a JKS key (for example, for the development team), you have to create a Kafka user that authenticates with a certificate. Use one of the following methods to do this.

Use our CSR operator
Use cert-manager

Use our CSR operator

Run the following command to create a new KafkaUser.

kubectl apply -f - <<EOF
apiVersion: kafka.banzaicloud.io/v1alpha1
kind: KafkaUser
metadata:
  name: dev-jks-kafkauser
  namespace: default
spec:
  clusterRef:
    name: kafka
    namespace: kafka
   secretName: dev-jks-kafkauser-secret
  includeJKS: true
  pkiBackendSpec:
    pkiBackend: k8s-csr
    signerName: csr.banzaicloud.io/privateca
EOF

Add a new superuser to your KafkaCluster custom resource.
```
kubectl edit kafkacluster kafka -n kafka
```
Add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.

The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.

Use cert-manager

Install cert-manager

Install cert-manager on the cluster. The cert-manager application will issue the client certificates for the client applications. If you already have cert-manager installed and configured on the cluster, skip this step.
```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.yaml
```

Specify a cluster issuer for cert-manager that has the same CA or root certificate as the Istio mesh, otherwise, the application’s client certificate won’t be valid for the mTLS enforced by Istio.

Note: Streaming Data Manager uses CSR operator as an external CA to provide certificate to Istio

Create a new secret from the CA certificate used by Istio in a format that works for cert-manager.

kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
data:
  tls.crt: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_crt\.pem}')
  tls.key: $(kubectl --namespace csr-operator-system get secret csr-operator-cacerts -o 'jsonpath={.data.ca_key\.pem}')
EOF

Use the secret to create a ClusterIssuer (a Kubernetes resource that represents CAs that are able to generate signed certificates)

kubectl create -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair
EOF

Create the KafkaUser

Run the following command to create a new KafkaUser.

kubectl create -f - <<EOF
apiVersion: kafka.banzaicloud.io/v1alpha1
kind: KafkaUser
metadata:
  name: dev-jks-kafkauser
  namespace: default
spec:
  clusterRef:
    name: kafka
    namespace: kafka
  secretName: dev-jks-kafkauser-secret
  includeJKS: true
  pkiBackendSpec:
    pkiBackend: "cert-manager"
    issuerRef:
      name: "ca-issuer"
      kind: "ClusterIssuer"
EOF

The created secret should contain a jks file with the required password.

Add a new superuser to your KafkaCluster custom resource.
```
kubectl edit kafkacluster kafka -n kafka
```
- If you are using cert-manager version 0.15.2 or newer, add User:CN=dev-jks-kafkauser to the super.users readOnly configuration.
- If you are using an older cert-manager version, add User:CN=dev-jks-kafkauser,O=cert-manager to the super.users readOnly configuration.
The CN must match the name of the KafkaUser you created in the previous step. Don’t forget to use the proper separator between users.