strimzi-kafka-operator create a kafka ingress without set secretsName

[mug3n451]

Describe the bug
Kafka ingress TLS section not have secretName setted

To Reproduce
Steps to reproduce the behavior:
Install Kafka following this guide without use ExternalDNS:
kafka by cert-manager

Expected behavior
Kafka Ingress tls section has secretName setted:

spec:
  rules:
  - host: bootstrap-external.example-domain.local
    http:
      paths:
      - backend:
          service:
            name: strimzi-kafka-external-bootstrap
            port:
              number: 9094
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - bootstrap-external.example-domain.local
    secretName: kafka-cert

Environment (please complete the following information):

• Strimzi version: [0.27.1]
• Installation method: [Helm chart + manifest yaml]
• Kubernetes cluster: [Kubernetes 1.24]
• Infrastructure: [Azure AKS with Application Gateway Ingress-Controller]

Kafka cluster

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: strimzi-cl0
spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafka:
    authorization:
      superUsers:
      - kafka-user
      type: simple
    config:
      auto.create.topics.enable: "false"
      inter.broker.protocol.version: "2.8"
      log.message.format.version: "2.8"
      offsets.topic.replication.factor: 3
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    listeners:
    - name: plain
      port: 9092
      tls: false
      type: internal
	  - authentication:
        type: scram-sha-512
      configuration:
        brokerCertChainAndKey:
          certificate: tls.crt
          key: tls.key
          secretName: kafka-cert-cl0
      name: tls
      port: 9093
      tls: true
      type: internal
    - authentication:
        type: scram-sha-512
      configuration:
        bootstrap:
          annotations:
            appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: kafka-ca
            appgw.ingress.kubernetes.io/backend-hostname: bootstrap-external.example-domain.local
            appgw.ingress.kubernetes.io/backend-protocol: https
            appgw.ingress.kubernetes.io/use-private-ip: "true"
            kubernetes.io/ingress.class: azure/application-gateway
          host: bootstrap-external.example-domain.local
        brokerCertChainAndKey:
          certificate: tls.crt
          key: tls.key
          secretName: kafka-cert-cl0
        brokers:
        - annotations:
            appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: kafka-ca
            appgw.ingress.kubernetes.io/backend-hostname: kafka-0.example-domain.local
            appgw.ingress.kubernetes.io/backend-protocol: https
            appgw.ingress.kubernetes.io/use-private-ip: "true"
            kubernetes.io/ingress.class: azure/application-gateway
          broker: 0
          host: kafka-0.example-domain.local
        - annotations:
            appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: kafka-ca
            appgw.ingress.kubernetes.io/backend-hostname: kafka-1.example-domain.local
			appgw.ingress.kubernetes.io/backend-protocol: https
            appgw.ingress.kubernetes.io/use-private-ip: "true"
            kubernetes.io/ingress.class: azure/application-gateway
          broker: 1
          host: kafka-1.example-domain.local
        - annotations:
            appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: kafka-ca
            appgw.ingress.kubernetes.io/backend-hostname: kafka-2.example-domain.local
            appgw.ingress.kubernetes.io/backend-protocol: https
            appgw.ingress.kubernetes.io/use-private-ip: "true"
            kubernetes.io/ingress.class: azure/application-gateway
          broker: 2
          host: kafka-2.example-domain.local
      name: external
      port: 9094
      tls: true
      type: ingress
    replicas: 3
    resources:
      limits:
        cpu: "1"
        memory: 3Gi
      requests:
        cpu: "1"
        memory: 3Gi
    storage:
      type: jbod
      volumes:
      - class: managed-csi-premium
        deleteClaim: false
        id: 0
        size: 300Gi
        type: persistent-claim
    template:
      pod:
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
			    matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - kafka-cl0
              topologyKey: kubernetes.io/hostname
        metadata:
          labels:
            app.kubernetes.io/name: kafka-cl0
    version: 2.8.0
  zookeeper:
    replicas: 3
    resources:
      limits:
        cpu: "1"
        memory: 1Gi
      requests:
        cpu: 300m
        memory: 512Mi
    storage:
      class: managed-csi-premium
      deleteClaim: false
      size: 9Gi
      type: persistent-claim
    template:
      pod:
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - zookeeper-cl0
              topologyKey: kubernetes.io/hostname
        metadata:
          labels:
            app.kubernetes.io/name: zookeeper-cl0

Kafka Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    meta.helm.sh/release-name: cl0
    meta.helm.sh/release-namespace: atacs-fnd
  creationTimestamp: "2023-02-15T10:16:47Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: kafka-cert-cl0
  namespace: atacs-fnd
  resourceVersion: "230685"
  uid: 66ce13c1-563b-41de-b723-25952e366556
spec:
  commonName: strimzi-cl0-kafka.atac.roma.it
  dnsNames:
  - bootstrap-external.example-domain.local
  - kafka-0.example-domain.local
  - kafka-1.example-domain.local
  - kafka-2.example-domain.local
  - strimzi-cl0-kafka-bootstrap
  - strimzi-cl0-kafka-0
  - strimzi-cl0-kafka-1
  - strimzi-cl0-kafka-2
  - strimzi-cl0-kafka-bootstrap.atacs-fnd
  - strimzi-cl0-kafka-0.atacs-fnd
  - strimzi-cl0-kafka-1.atacs-fnd
  - strimzi-cl0-kafka-2.atacs-fnd
  - strimzi-cl0-kafka-bootstrap.atacs-fnd.svc
  - strimzi-cl0-kafka-bootstrap.atacs-fnd.svc.cluster.local
  - strimzi-cl0-kafka-0.atacs-fnd.svc
  - strimzi-cl0-kafka-0.atacs-fnd.svc.cluster.local
  - strimzi-cl0-kafka-1.atacs-fnd.svc
  - strimzi-cl0-kafka-1.atacs-fnd.svc.cluster.local
  - strimzi-cl0-kafka-2.atacs-fnd.svc
  - strimzi-cl0-kafka-2.atacs-fnd.svc.cluster.local
  duration: 8760h0m0s
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ca-issuer
  renewBefore: 360h0m0s
  secretName: kafka-cert-cl0
  subject:
    organizations:
    - kafka

Without the secretName inside the ingress, Azure Application Gateway doesn't open the 443 port.

Thanks for the support
Cristian

[scholzj]

Kafka is not HTTP protocol. So to use it with Ingress, you need to use TLS passthrough and TLS-SNI. So there is no need and no use for any secret configured on the Ingress level because the Ingress controller does not touch the TLS connection beyond the initial TLS-SNI handling. If your Ingress controller requires the secret, then I would suspect that it does not do TLS passthrough and will not work anyway.