Integrating your organization’s Certificate Authority (CA) with Strimzi Kafka is essential for enforcing user-level authentication and authorization (AuthN/AuthZ) in corporate environments. Strimzi’s default self-signed certificates may not align with corporate security policies that require an internal CA. To address this, you can implement a custom principal builder that validates user certificates against your corporate CA and derives the Kafka principal from them.
Steps to Integrate Corporate CA with Strimzi Kafka:
- Develop a Custom Principal Builder Class:
  • Create a class that overrides Kafka’s default Common Name (CN) validation logic, ensuring user certificates are validated against your corporate CA.
- Create a Custom Kafka Docker Image:
  • Incorporate the compiled custom principal builder class into a Kafka Docker image. This ensures the custom class is available within the Kafka brokers.
- Configure Strimzi Kafka Manifest:
  • Modify the Strimzi Kafka resource definition to specify the custom principal builder class by adding:
    principal.builder.class: CustomCNPrincipalBuilder
  • Replace CustomCNPrincipalBuilder with the fully qualified name of your actual class.
- Generate Corporate User Certificates:
  • Use your organization’s CA to generate client certificates for Kafka consumers and producers. Ensure these certificates are distributed appropriately.
- Deploy and Verify:
  • Deploy the modified Strimzi Kafka cluster. Configure Kafka clients to use the corporate-signed certificates. Verify that only users with valid corporate-signed certificates can connect and perform operations.
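As an added example, not code from the linked repository, this is one way to write the custom principal builder described in the steps above. It assumes Kafka’s public KafkaPrincipalBuilder API and uses a placeholder subject DN for the corporate issuing CA; the broker’s TLS handshake against the listener truststore is what cryptographically validates the client chain, so the builder only pins the already-verified leaf certificate to the corporate issuer and maps its CN to a User principal.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.security.auth.*;
/** Maps an mTLS client certificate to User:<CN>, accepting only leaves issued by the corporate CA. */
public class CustomCNPrincipalBuilder implements KafkaPrincipalBuilder, KafkaPrincipalSerde {
    // Placeholder DN of the corporate issuing CA; replace with your CA's subject.
    private static final String EXPECTED_ISSUER = "CN=Corporate Issuing CA,O=Example Corp";
    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        if (!(context instanceof SslAuthenticationContext)) {
            throw new AuthenticationException("listener must use TLS client authentication");
        }
        try {
            // The TLS handshake has already verified the chain against the listener truststore;
            // this only pins the leaf to the corporate CA and turns its CN into the principal.
            X509Certificate leaf = (X509Certificate)
                ((SslAuthenticationContext) context).session().getPeerCertificates()[0];
            LdapName issuer = new LdapName(leaf.getIssuerX500Principal().getName());
            if (!issuer.equals(new LdapName(EXPECTED_ISSUER))) {
                throw new AuthenticationException("not issued by corporate CA: " + issuer);
            }
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, rdn.getValue().toString());
                }
            }
            throw new AuthenticationException("client certificate subject has no CN");
        } catch (SSLPeerUnverifiedException | InvalidNameException e) {
            throw new AuthenticationException("cannot derive principal from client certificate", e);
        }
    }
    // KafkaPrincipalSerde lets brokers forward the principal between nodes (required in KRaft mode).
    @Override
    public ByteBuffer serialize(KafkaPrincipal p) {
        return ByteBuffer.wrap((p.getPrincipalType() + ":" + p.getName()).getBytes(StandardCharsets.UTF_8));
    }
    @Override
    public KafkaPrincipal deserialize(ByteBuffer bytes) {
        String s = StandardCharsets.UTF_8.decode(bytes).toString();
        int i = s.indexOf(':');
        return new KafkaPrincipal(s.substring(0, i), s.substring(i + 1));
    }
}
```

Compile this against the Kafka client libraries of the broker version you ship, copy the jar into the custom Kafka image, and reference the class by its fully qualified name in principal.builder.class.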
For a practical implementation, refer to the GitHub repository https://github.com/sreejesh123/custom_certificate_strimzi_kafka, which provides:
• Source code for the custom principal builder class.
• A Dockerfile for building the custom Kafka image.
• An example Strimzi Kafka manifest with the principal.builder.class configuration.
• Instructions on applying the manifests and verifying the setup.
Using the Repository:
Prerequisites:
• Kubernetes cluster
• Strimzi installation
• Docker environment
Steps:
- Clone the repository:
  git clone https://github.com/sreejesh123/custom_certificate_strimzi_kafka.git
  cd custom_certificate_strimzi_kafka
- Build the custom Kafka image following the instructions in the README.md file.
- Apply the necessary Kubernetes manifests as detailed in the README.md.
- Verify the setup by configuring Kafka clients with the corporate-signed certificates and confirming that authentication and authorization are enforced as expected.
Conclusion
By following these steps, you can integrate your corporate CA with Strimzi Kafka, ensuring compliance with organizational security policies and enhancing user authentication and authorization mechanisms.