crossplane-contrib / provider-kafka

Crossplane provider for Kafka
Apache License 2.0

TLS support should allow a CA to be set for broker certificates #57

Open jutley opened 1 year ago

jutley commented 1 year ago

What problem are you facing?

When connecting to a Kafka cluster using TLS, there doesn't seem to be any way to set the CA used to verify the Kafka broker's certificates. This forces the user to use insecureSkipVerify: true, which is not ideal for obvious reasons.

How could Crossplane help solve your problem?

Provide a new field under TLS configuration allowing the CA certificate to be set. It can be similar to the clientCertificate and look something like this:

{
  "tls": {
    "serverCertificateAuthoritySecretRef": {
      "namespace": "crossplane",
      "name": "private-ca",
      "caField": "ca.crt"
    }
  }
}
erikgb commented 11 months ago

Since trust bundles do not contain anything secret, I think we should load trust roots from configmaps instead of secrets. WDYT? It would allow users to use something like https://cert-manager.io/docs/trust/trust-manager/ to manage trust.

erikgb commented 11 months ago

@jutley Until this feature is implemented, it is possible to inject trust on the provider level - if that suits your use case. I just made the provider trust a private CA by configuring the provider runtime:

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: provider-kafka
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        spec:
          containers:
            - name: package-runtime
              volumeMounts:
                - name: ca-bundle
                  mountPath: /etc/ssl/certs
          volumes:
            - name: ca-bundle
              configMap:
                name: my-private-ca-bundle

Go looks for system trust stores in multiple locations: https://go.dev/src/crypto/x509/root_linux.go
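Two things in this thread are worth seeing as code: what the proposed CA field (jutley's comment) would have to turn into inside the provider, and why the bundle-mount workaround (erikgb's comment) works at all. Both come down to the same check: the Kafka client's tls.Config must carry a RootCAs pool built from the private CA, and verification must stay on. The example below is an added illustration and is not code from provider-kafka or from either commenter; serverCertificateAuthoritySecretRef is only the field name proposed in the issue, the function names (issue, brokerTLSConfig, verifyBrokerChain, demo) are hypothetical, and all certificates are generated in memory as constructed test material. verifyBrokerChain runs the same x509 verification crypto/tls performs on a server's Certificate message, so the three scenarios show what a broker signed by the trusted CA, a broker with the wrong SAN, and a broker signed by an unknown CA each produce. Note for the workaround: a ConfigMap mounted at /etc/ssl/certs replaces the directory contents, so that bundle becomes the provider's entire trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate signed by parent, or self-signed when parent is nil.
// Constructed test material for this example only; a real broker certificate and
// CA bundle come from the cluster's PKI (cert-manager, trust-manager, etc.).
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// brokerTLSConfig is what a serverCertificateAuthoritySecretRef-style field (the name
// proposed in the issue, not an implemented one) would translate to: a client config that
// trusts only the supplied bundle and leaves verification on. An empty or non-PEM bundle
// is a hard error rather than a silent fallback to InsecureSkipVerify.
func brokerTLSConfig(caBundlePEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundlePEM) {
		return nil, errors.New("CA bundle contains no parsable CERTIFICATE blocks")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName, // must match a SAN on the broker certificate
		MinVersion: tls.VersionTLS12,
	}, nil
}

// verifyBrokerChain performs the check crypto/tls runs on a server's Certificate message:
// chain the presented leaf (plus any intermediates) to one of cfg.RootCAs and match
// cfg.ServerName against the leaf's SANs. The returned error says why a broker was rejected.
func verifyBrokerChain(cfg *tls.Config, presented [][]byte) error {
	if len(presented) == 0 {
		return errors.New("broker presented no certificate")
	}
	leaf, err := x509.ParseCertificate(presented[0])
	if err != nil {
		return fmt.Errorf("parsing broker certificate: %w", err)
	}
	intermediates := x509.NewCertPool()
	for _, der := range presented[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("parsing intermediate: %w", err)
		}
		intermediates.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         cfg.RootCAs,
		Intermediates: intermediates,
		DNSName:       cfg.ServerName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demo builds a private CA, a broker it signed, and an impostor signed by an unrelated CA,
// then reports the verification result for each scenario (nil means accepted).
func demo() map[string]error {
	privateCA, caKey, caPEM := issue("private-ca", true, nil, nil, nil)
	broker, _, _ := issue("kafka-0", false, []string{"kafka-0.kafka.svc"}, privateCA, caKey)
	otherCA, otherKey, _ := issue("some-other-ca", true, nil, nil, nil)
	impostor, _, _ := issue("kafka-0", false, []string{"kafka-0.kafka.svc"}, otherCA, otherKey)

	good, err := brokerTLSConfig(caPEM, "kafka-0.kafka.svc") // caPEM is what the ConfigMap/Secret would hold
	if err != nil {
		panic(err)
	}
	wrongName, _ := brokerTLSConfig(caPEM, "kafka-1.kafka.svc")

	return map[string]error{
		"trusted CA, matching name": verifyBrokerChain(good, [][]byte{broker.Raw}),
		"trusted CA, wrong name":    verifyBrokerChain(wrongName, [][]byte{broker.Raw}),
		"unknown CA":                verifyBrokerChain(good, [][]byte{impostor.Raw}),
	}
}

func main() {
	for scenario, err := range demo() {
		if err == nil {
			fmt.Printf("%-28s accepted\n", scenario)
		} else {
			fmt.Printf("%-28s rejected: %v\n", scenario, err)
		}
	}
}
```

The "unknown CA" case is exactly the error users hit today and work around with insecureSkipVerify: true; the fix is to give the client the right RootCAs, not to drop the check. Because Go consults cfg.RootCAs when it is set and the system store (including /etc/ssl/certs) only when it is nil, the workaround above relies on the provider leaving RootCAs unset, which is also why a first-class field would make the behaviour explicit.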