Add TLS support for StrimziKafkaCluster #193
^^ take a look @strimzi/maintainers thanks :)
 * client certs during mTLS), while the client truststore
 * contains the cluster CA (to verify the broker's identity).
 *
 * Manages three pairs of PKCS12 stores:
In Strimzi cluster-operator we have been moving away from PKCS12 stores to using PEM files, is it worth doing the same here?
I wonder if it's worth doing ... as the main purpose of this is testing the test-clients and the bridge repo. Moreover, Keytool natively generates PKCS12. I didn't want to use OpenSSL here as it seems overkill for such a use case. Also, I know Keytool better than OpenSSL, so that was more of a personal preference.
I think that currently Keytool cannot export private keys in PEM format, so that would need OpenSSL, and I am not sure I want this hybrid approach or doing all steps only with OpenSSL.
But if you see a way in which it would be beneficial to also test in the operator repo when we use PEM files, I am open to change...
Outdated review thread (resolved): src/main/java/io/strimzi/test/container/StrimziKafkaContainer.java
Outdated review thread (resolved): src/test/java/io/strimzi/test/container/StrimziKafkaClusterIT.java
Signed-off-by: see-quick <maros.orsak159@gmail.com>
# Conflicts:
#	src/test/java/io/strimzi/test/container/StrimziKafkaContainerMockTest.java
…outbound raft connections to controllers) Signed-off-by: see-quick <maros.orsak159@gmail.com>
This PR adds TLS support to the StrimziKafkaCluster class and exposes it via the public API. It adds internal classes (i.e., Keytool, CertAssembly). Keytool is a fluent wrapper for operations executed inside the container, and CertAssembly orchestrates all certificate work; all operations are delegated to Keytool.
Note: Because the SANs include the broker network aliases (broker-0, broker-1, ...), the advertised listeners use these DNS names instead of dynamic container IPs. Moreover, during implementation I tried to make as few changes as possible, so I would change some of the parts in the next PRs (refactors), but those parts are not related to TLS functionality at all, for instance #192.
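The keytool-only flow the thread discusses (a cluster CA, a per-broker PKCS12 keystore whose SAN is the broker network alias, and a client truststore holding only the CA), written out as an added shell example; it is not the PR's Keytool or CertAssembly code. It runs keytool locally instead of inside the container and assumes a JDK on PATH, a constructed store password and a scratch directory.

```shell
#!/usr/bin/env sh
# Constructed example: a keytool-only TLS setup of the kind the thread discusses, producing
# three PKCS12 stores per cluster: cluster CA, per-broker keystore, client truststore.
set -eu

PASS="changeit"                       # assumption: demo store password, not the project's
WORKDIR="${WORKDIR:-$(mktemp -d)}"    # constructed scratch directory
cd "$WORKDIR"
# Arg 1: broker network alias (e.g. broker-0); it becomes the certificate's DNS SAN.
build_broker_certs() {
  alias="$1"
  # 1. Cluster CA: self-signed key pair flagged as a CA (BasicConstraints). Created once.
  [ -f cluster-ca.p12 ] || keytool -genkeypair -alias cluster-ca -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=cluster-ca" -ext bc:c -storetype PKCS12 \
    -keystore cluster-ca.p12 -storepass "$PASS"
  # keytool exports certificates as PEM (-rfc); private keys stay inside the PKCS12 store.
  keytool -exportcert -alias cluster-ca -keystore cluster-ca.p12 -storepass "$PASS" \
    -rfc -file cluster-ca.crt
  # 2. Broker key pair whose SAN is the alias that clients and peer brokers connect to.
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$alias" -ext "SAN=dns:$alias" -storetype PKCS12 \
    -keystore "$alias.p12" -storepass "$PASS"
  # 3. CSR signed by the cluster CA. gencert does not copy request extensions, so the
  #    SAN is repeated here; without it the signed cert would not match the alias.
  keytool -certreq -alias "$alias" -keystore "$alias.p12" -storepass "$PASS" -file "$alias.csr"
  keytool -gencert -alias cluster-ca -keystore cluster-ca.p12 -storepass "$PASS" \
    -infile "$alias.csr" -outfile "$alias.crt" -ext "SAN=dns:$alias" \
    -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth,clientAuth \
    -validity 365 -rfc
  # 4. Install the chain: CA cert first so the reply can be validated, then the reply.
  keytool -importcert -alias cluster-ca -file cluster-ca.crt -keystore "$alias.p12" \
    -storepass "$PASS" -noprompt
  keytool -importcert -alias "$alias" -file "$alias.crt" -keystore "$alias.p12" \
    -storepass "$PASS" -noprompt
  # 5. Client truststore holds only the CA certificate (no private key). Created once.
  [ -f client-truststore.p12 ] || keytool -importcert -alias cluster-ca -file cluster-ca.crt \
    -storetype PKCS12 -keystore client-truststore.p12 -storepass "$PASS" -noprompt
}

# Returns 0 when the broker keystore holds a two-certificate chain (leaf + CA) with the alias as SAN.
verify_broker() {
  out=$(keytool -list -v -alias "$1" -keystore "$1.p12" -storepass "$PASS")
  echo "$out" | grep -q "Certificate chain length: 2" && echo "$out" | grep -q "DNSName: $1"
}
if command -v keytool >/dev/null 2>&1; then
  build_broker_certs broker-0 && verify_broker broker-0 && echo "stores for broker-0 in $WORKDIR"
else
  echo "keytool not found (needs a JDK); nothing generated" >&2
fi
```

Calling build_broker_certs again with broker-1 reuses the existing CA and truststore, which is the one-CA-many-brokers shape the PR's SAN note relies on.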