[Enhancement]: Allow to import custom CA via operator to be used instead of auto-generated CA

[yalattas]

Related problem

Currently the operator is generating a CA to secure communication across brokers
Operator is generating clusterCA certificate and clientsCA certificate

Suggested solution

Introduce an ability in the operator Chart values.yaml to take a custom CA generate by the user which be used to generate certificates for brokers within the cluster or for clients

Basically, as a user, I am going to generate a root CA and going to provide it to the operator for it to use it and generate certificates for its managed components.
Also, certificates should renewed every while based on the same CA

One of use cases, I am going to sign a CSR for a client and allow it to use his certificate to authenticate to KAFKA cluster

Alternatives

Basic way to prevent auto-generation of CA and scope auto-renewal to the certificate themselves

Currently its being done by suspending reconciliation of operator, change root CA in secrets and resume reconciliation.
I haven't tested yet, but I saw a person who did it that way

Additional context

No response

[scholzj]

Before opening a new issue, please make sure you:

• Read the docs to make sure what you are asking for doesn't already exist
• Search the previous issues to see if there aren't any pre-existing issues and discussions

If you did the first, you would know that you could use your own CA certificates already.

[wangyouguang123]

Hi, scholzj,
I also have a question about certificate. Currently, I have deployed the strimzi cluster. It is working well.

Our requirement is :

• Replace the leaf-certificate that generated automaticly to the leaf-certificate issued by our own CA. I just get the leaf-cert, because I am not allowed get the intermidiate-certificate from our company's CA due to security policy.

for the requirement, I do not find the solution from the document of strimzi. I just found the solution that replace strimzi's CA-certificate with our own CA's intermediate-certificate. Maybe, there is a suitable solution that I have not found.
So, my question is whether there is solution to satisfy my requriement?
If it is possible that share me some material about this.

Thank you very much!

BR.

[scholzj]

I do not think there is any suitable solution. You can probably use your own leaf certificates by pre-creating the Strimzi-managed Secrets and storing them there. But Kafka is a multitiered application with many internal connections. So the certificates need to have the exact Subjects and SANs as required by Strimzi (to see what they are, best create a test cluster with the Strimzi-based certificates and check their subjects and SANs). You cannot use a random certificate provided by your CA which does not have the same Subject and SANs. That is often a problem that our CA will anyway not give you the certificates with the correct settings.