CA certificate for truststore when TLS is enabled for listener

[eroji]

I'm trying to test enabling TLS for listeners while using SCRAM-SHA-512 password authentication. However, I'm having some issues with the client connecting and I cannot figure out why.

Here is my listener definition for the cluster.

    listeners:
    - authentication:
        type: scram-sha-512
      name: ui
      port: 9092
      tls: false
      type: internal
    - authentication:
        type: scram-sha-512
      name: tls
      port: 9093
      tls: true
      type: internal
    - authentication:
        type: scram-sha-512
      configuration:
        bootstrap:
          host: test-kafka.example.com
        brokers:
        - broker: 0
          host: test-kafka-0.example.com
        - broker: 1
          host: test-kafka-1.example.com
        - broker: 2
          host: test-kafka-2.example.com
        - broker: 3
          host: test-kafka-3.example.com
        - broker: 4
          host: test-kafka-4.example.com
      name: external
      port: 9094
      tls: true
      type: ingress

I also have a test-user created with all permissions.

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: test-user
  labels:
    strimzi.io/cluster: test-kafka
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      # Topic
      - operation: Create
        resource:
          type: topic
          name: "*"
      - operation: Write
        resource:
          type: topic
          name: "*"
      - operation: Read
        resource:
          type: topic
          name: "*"
      - operation: Describe
        resource:
          type: topic
          name: "*"
      # Consumer Group
      - operation: Read
        resource:
          type: group
          name: "*"
      - operation: Describe
        resource:
          type: group
          name: "*"

With the above configuration, I can see that the cluster is created and the user is also created with the password auto-generated. I tried using kafka-ui to connect to the cluster. First on port 9092, which is plain text, I can authenticate with the username/password without issue. I can view the brokers and create/modify topics. However, if I try to use either the TLS enabled port 9093, or ingess on port 443, I cannot get kafka-ui to connect without getting a cert validation error. I tried exporting ca.crt from test-kafka-cluster-ca-cert secret and creating a truststore then importing that to kafka-ui, but the result is the same. What exactly am I missing here?

[eroji]

Ok I found out what the issue is. The nginx ingress must have SSL passthrough enabled. I'm using Rancher so to do this I had to add the following to the cluster definition.

ingress:
  provider: nginx
  extra_args:
    enable-ssl-passthrough: true

[scholzj]

Yeah. If the Ingress controller tries to decode the traffic, it will find out that the Kafka protocol is not HTTP and would fail. So it has to be wrapped in the TLS passthrough to basically make the Ingres controller not care about the content and just forward the traffic.