Looking for more clarity on the SSL certs of kafka and kafka user

[stuartm21]

Hi @scholzj ,

We know we can enable validity of the kafka clusterca and clientcs like this way, and this is working fine for us.

  clusterCa:
    renewalDays: 30
    validityDays: 3650
    generateCertificateAuthority: true
  clientsCa:
    renewalDays: 30
    validityDays: 1095
    generateCertificateAuthority: true

But our problem is, we have a lot of customers and consider each customer as each Kafka-user. Also, each kafka-user need to communicate to Kafka cluster. So that we using the following commands to make the trustore and keystore files, because we are using MTLS.

$ kubectl -n kafka get secret strimzi-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
$ kubectl -n kafka get secret kafka-user -o jsonpath='{.data.user\.password}' | base64 -d > user.password
$ kubectl -n kafka get secret kafka-user -o jsonpath='{.data.user\.p12}' | base64 -d > user.p12

$ keytool -keystore user-truststore.jks -alias CARoot -import -file ca.crt -storepass PASSWORD -noprompt
$ keytool -importkeystore -srckeystore user.p12 -srcstoretype pkcs12 -destkeystore user-keystore.jks -deststoretype jks

clusterca and clientca will renew automatically based on our values provided in the kafka cluster.

But our question is:

1. How to specify auto-renewal for kafka-user certs?
   1.1. If auto renewal is not able to enable, how can we renew this kafkauser certs.?
   1.2. Can we prevent the renewal of the kafka-user certs anyways?
2. If the kafka-user is renewed, is there any way to use notice the consumer and producer here? Otherwaise it will broke the MTLS connectivity?

[scholzj]

The values from the configuration apply both to the CAs as well as for the certificates signed by them. The renewal of the user certificates happens automatically and does not necessarily disrupt the existing clients -> the old certificates will keep working as long as the CA is still the same and neither the CA nor the user certificate is expired.