Open tombentley opened 5 years ago
Triaged on 17.3.2022: Work in progress for encryption currently. See the proposal link above.
Is there any progress on this issue? This was identified as a finding in our pentest campaign, which is used for our PCI audits. Do you have a workaround to propose?
Unfortunately the proposal got blocked behind work to change how we manage certificates in Strimzi. I am actively working on the certificate changes, but it's taking time to find and implement the best approach, so I don't have any idea when I (or anyone else) would get back around to this.
The "workaround" is to make use of the KafkaConnector resources, which is the more Kubernetes-native way of using Connect with Strimzi anyway. Then you can lock down the API with network policies.
Thanks for the feedback. Yes, we are using MirrorMaker2 resources and we have network policies to restrict the access which is a mitigation. However, auditors don't like unauthenticated services running in the environment.
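A NetworkPolicy of the kind the workaround above describes, added here as an example (it is not from the thread and not one of Strimzi's own manifests). It assumes a KafkaConnect cluster named my-connect in the namespace kafka, that the Cluster Operator pods carry the label strimzi.io/kind: cluster-operator, and that the strimzi.io/cluster and strimzi.io/kind pod labels shown are the ones Strimzi sets (check with kubectl get pods --show-labels); 8083 is the Connect REST default port.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-connect-rest-api        # constructed name
  namespace: kafka                 # assumed namespace of the Connect cluster
spec:
  # Select the worker pods of the Connect cluster named my-connect (assumed name).
  # The two labels are the ones Strimzi is assumed to put on its pods.
  podSelector:
    matchLabels:
      strimzi.io/cluster: my-connect
      strimzi.io/kind: KafkaConnect
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: only the Cluster Operator may reach the REST API. It needs this
    # access to reconcile KafkaConnector resources into the running workers.
    # namespaceSelector {} + podSelector in one entry = operator pods in any namespace.
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              strimzi.io/kind: cluster-operator   # assumed operator pod label
      ports:
        - protocol: TCP
          port: 8083
    # Rule 2: workers of the same cluster keep talking to each other, because a
    # non-leader worker forwards REST requests to the leader over this port.
    - from:
        - podSelector:
            matchLabels:
              strimzi.io/cluster: my-connect
              strimzi.io/kind: KafkaConnect
      ports:
        - protocol: TCP
          port: 8083
```

Since the policy has policyTypes: Ingress and lists no other sources, every other pod's connection to port 8083 is dropped as soon as a CNI that enforces NetworkPolicy is in place; anything that legitimately needs the API (a CI job that posts connector configs, for instance) has to be added as an explicit from entry rather than left to reach the port by default.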
I guess there are several general things influencing why this hasn't been done yet:
😞
Is your feature request related to a problem? Please describe.
The KafkaConnect REST API does not support TLS and is not authenticated.
Describe the solution you'd like
It should be possible to encrypt the REST API with TLS. It should be possible to have the REST API authenticated (TLS authn and/or other mechanisms). Ideally it should also be possible for an authenticated user to only be authorised for some operations (e.g. read-only access would equate to only allowing `GET` methods).