Integration with cert manager for cert rotation

[alinadonisa]

Hi,

We are using strimzi and want to use it with cert manager. We have a couple of questions related to this:

1. Is this feature already implemented, work in progress or at least in the roadmap of the operator? I found some issues on this subject that were older, but without any confirmation that someone is working on this feature.

2. If there is no implementation of this feature do you have a webhook or some other workflow that can help us do the integration ourselves?

Regards,
Alina

[scholzj]

Is this feature already implemented, work in progress or at least in the roadmap of the operator? I found some issues on this subject that were older, but without any confirmation that someone is working on this feature.

I think it depends what do you want to use it for. Strimzi takes the certificates from secrets and using cert-manager should be for example fairly easy with the listener certificates used only for a particular component (https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str). It might be similarly easy to use cert-manager to handle user certificates through the Clients CA.

It is a bit more complicated if you would want to use it for the Cluster CA - mainly because of renewals / replacing the certificates. Cert-manager on its own does not provide any real support for moving from one CA to another. So this would need to be orchestrated by Strimzi and that is for sure missing today. It is on the roadmap, but so far, nobody got to work on it.

If there is no implementation of this feature do you have a webhook or some other workflow that can help us do the integration ourselves?

I'm not sure what exactly you mean by this - maybe you can provide some more details of how did you meant it?

[alinadonisa]

1. We want to use the cert rotation feature from cert manager. I've seen now from your link that if the certificate from the secret it is changed a rolling update will be triggered. This solves our problem for the brokers.

2. I asked about webhooks in the context of cert renewal and reload of the the new certificate.I wanted to know if you support an extension point so we can run our logic in case you did not have it :)

Thank you,

[scholzj]

We want to use the cert rotation feature from cert manager. I've seen now from your link that if the certificate from the secret it is changed a rolling update will be triggered. This solves our problem for the brokers.

Rotating the server certs should not be a big issue ... but CA rotation is. The problem with CA rotation is that Kafka is multi-layered application. So roll-out of new CA certs would need to be done in multiple phases => first to establish a trust and only then to move the server certs.

I asked about webhooks in the context of cert renewal and reload of the the new certificate.I wanted to know if you support an extension point so we can run our logic in case you did not have it :)

I'm still not completely clear how would you imagine it and in which direction they would go ... but we do not support anything like that right now - so that answers it as well.