strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0

[Enhancement]: Add ECDSA KEY_PAIR_ALGORITHM and SIGNATURE_ALGORITHM for use elliptic curve #9372

Open lenglet-k opened 10 months ago

lenglet-k commented 10 months ago

Related problem

My need

I have security needs that require the use of an ECDSA certificate allowing key exchange based on an elliptic curve algorithm.

The problem

I have used my own ECDSA CA but the server and user keys are still in RSA keypair format because it's hardcoded here: https://github.com/strimzi/strimzi-kafka-operator/blob/main/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertAndKeyBuilder.java#L65

Suggested solution

Solution

One solution would be to allow the end user to manage, via the Kafka CRDs, the algorithms used to generate server and user certificates.

This solution must allow setting these options:

So the end user can use an RSA keypair or ECDSA; the default value will be RSA.

Alternatives

No response

Additional context

No response
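The issue title names two settings, KEY_PAIR_ALGORITHM and SIGNATURE_ALGORITHM, and they have to change together. The following is an added example, not part of the original post and not Strimzi code; the class, enum and method names are hypothetical, and the curve (secp256r1) and RSA key size (2048) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Added illustration: class, enum and method names are hypothetical, not Strimzi code.
public class KeyAlgorithmDemo {
    enum KeyAlgorithm {
        RSA("RSA", "SHA256withRSA"),        // default, as the issue proposes
        ECDSA("EC", "SHA256withECDSA");

        final String keyPairAlgorithm;
        final String signatureAlgorithm;

        KeyAlgorithm(String k, String s) { keyPairAlgorithm = k; signatureAlgorithm = s; }

        KeyPair generate() throws GeneralSecurityException {
            KeyPairGenerator gen = KeyPairGenerator.getInstance(keyPairAlgorithm);
            if (this == ECDSA) {
                gen.initialize(new ECGenParameterSpec("secp256r1")); // assumed curve
            } else {
                gen.initialize(2048); // assumed key size
            }
            return gen.generateKeyPair();
        }
    }

    // Signs and verifies data; throws InvalidKeyException if key type and signature algorithm disagree.
    static boolean signAndVerify(KeyPair kp, String sigAlg, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(kp.getPrivate());
        s.update(data);
        byte[] sig = s.sign();
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        for (KeyAlgorithm alg : KeyAlgorithm.values()) {
            boolean ok = signAndVerify(alg.generate(), alg.signatureAlgorithm, data);
            System.out.println(alg + " key with " + alg.signatureAlgorithm + " verifies: " + ok);
        }
        try { // changing only the key-pair algorithm leaves a mismatched pair
            signAndVerify(KeyAlgorithm.ECDSA.generate(), KeyAlgorithm.RSA.signatureAlgorithm, data);
        } catch (InvalidKeyException e) {
            System.out.println("EC key rejected by SHA256withRSA: " + e.getMessage());
        }
    }
}
```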

scholzj commented 10 months ago

Discussed on the community call on 30.11.2023: Seems like a reasonable feature. But we should have a proposal to clarify how it will be configured and how it will work. Would you be interested in contributing this @lenglet-k? It does not look like something anyone from the core team will work on anytime soon.

lenglet-k commented 10 months ago

Hello, why not, but I've never done Java, so I don't know if I'll be able to produce something quickly.

scholzj commented 10 months ago

@lenglet-k You do not have to do it if you don't want to. I can understand it especially if you have never done Java. We can also wait until someone from the core team finds time or someone else wants to implement it. I basically just wanted to handle the expectations and clarify it.

steffen-karlsson commented 5 months ago

I've created a proposal for a solution that the community can discuss: https://github.com/strimzi/proposals/pull/119 If needed, I can also help with implementation when it's decided.

@lenglet-k if you can, please check if it makes sense for your scenario as well.

lenglet-k commented 5 months ago

@steffen-karlsson it looks good to me