Open sharafcmr opened 5 years ago
Yes to this :D
Strimzi should also support cert-manager as CA.
Triaged 22.02.2022: The new CA handling proposal https://github.com/strimzi/proposals/pull/46 addresses the general design. Once it is done and implemented, it should be possible to add a Vault adapter / use the Cert-Manager Vault integration.
Discussed on the community call on 18.4.2024: Updated to focus on Cert Manager instead of Vault, as that seems to be the main request from users and that is also what can integrate with further services.
Should be able to retrieve or generate certs from Vault rather than using self-signed certificates for Kafka client. Can we utilise the PKI secrets engine from Vault for cert management?

Instead of using the self-signed CA for broker pod key pair creation, the cluster operator should have an option to request a certificate from the Vault PKI backend, so that it can generate the key pair and get it signed by the CA configured in the PKI backend. The authentication to Vault can be performed by using the Kubernetes auth backend. Once the cert creation call is completed successfully, the cluster operator should be able to pull the key pair using Vault client libs and should mount it as an OpenShift secret to each broker pod.
This should be a completely automated process that happens as part of Kafka cluster provisioning.
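The flow requested above (Kubernetes auth login, PKI issue, Secret creation), sketched against Vault's HTTP API as an added example; it is not Strimzi code and not part of the original issue. The Vault address, the role names `kafka-operator` and `kafka-broker`, the default `kubernetes` and `pki` mount paths, the Secret name and the common name are all assumptions, and `fake_vault` is a constructed stand-in so the block runs offline.

```python
import base64
import json
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # placeholder address (assumption)

def http_post(url, body, token=None):
    """POST JSON to Vault and return the decoded JSON response."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def issue_broker_secret(pod, namespace, sa_jwt, post=http_post,
                        auth_role="kafka-operator", pki_role="kafka-broker"):
    """Kubernetes-auth login, PKI issue, then build a kubernetes.io/tls Secret."""
    # Step 1: exchange the operator's service-account JWT for a Vault token.
    login = post(f"{VAULT_ADDR}/v1/auth/kubernetes/login",
                 {"role": auth_role, "jwt": sa_jwt})
    token = login["auth"]["client_token"]
    # Step 2: Vault generates the key pair and signs it with the PKI mount's CA.
    issued = post(f"{VAULT_ADDR}/v1/pki/issue/{pki_role}",
                  {"common_name": f"{pod}.{namespace}.svc", "ttl": "720h"},
                  token)["data"]
    for field in ("certificate", "private_key", "issuing_ca"):
        if not issued.get(field):
            raise ValueError(f"Vault response is missing {field}")
    # Step 3: Secret data values must be base64-encoded.
    enc = lambda pem: base64.b64encode(pem.encode()).decode()
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
        "metadata": {"name": f"{pod}-tls", "namespace": namespace},
        "data": {"tls.crt": enc(issued["certificate"]),
                 "tls.key": enc(issued["private_key"]),
                 "ca.crt": enc(issued["issuing_ca"])},
    }

def fake_vault(url, body, token=None):
    """Constructed stand-in for Vault so the flow runs offline."""
    if url.endswith("/auth/kubernetes/login"):
        return {"auth": {"client_token": "constructed-token"}}
    return {"data": {"certificate": "CERT-PEM", "private_key": "KEY-PEM",
                     "issuing_ca": "CA-PEM"}}

if __name__ == "__main__":
    print(json.dumps(issue_broker_secret("my-cluster-kafka-0", "kafka",
                                         "constructed-jwt", post=fake_vault), indent=2))
```

The `issue` endpoint returns the private key only in this one response and Vault does not keep a copy, so the caller has to persist it into the Secret immediately and treat the response as sensitive.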