TLS support should allow a CA to be set for broker certificates #57

Open
jutley opened this issue Apr 12, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@jutley
Contributor

jutley commented Apr 12, 2023

What problem are you facing?

When connecting to a Kafka cluster using TLS, there doesn't seem to be any way to set the CA used to verify the Kafka broker's certificates. This forces the user to use insecureSkipVerify: true, which is not ideal for obvious reasons.

How could Crossplane help solve your problem?

Provide a new field under TLS configuration allowing the CA certificate to be set. It can be similar to the clientCertificate and look something like this:

```json
{
  "tls": {
    "serverCertificateAuthoritySecretRef": {
      "namespace": "crossplane",
      "name": "private-ca",
      "caField": "ca.crt"
    }
  }
}
```
@jutley jutley added the enhancement New feature or request label Apr 12, 2023
@erikgb

erikgb commented Dec 4, 2023

Since trust bundles do not contain anything secret, I think we should load trust roots from configmaps instead of secrets. WDYT? It would allow users to use something like https://cert-manager.io/docs/trust/trust-manager/ to manage trust.

@erikgb

erikgb commented Dec 6, 2023

@jutley Until this feature is implemented, it is possible to inject trust on the provider level - if that suits your use case. I just made the provider trust a private CA by configuring the provider runtime:

```yaml
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: provider-kafka
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        spec:
          containers:
            - name: package-runtime
              volumeMounts:
                - name: ca-bundle
                  mountPath: /etc/ssl/certs
          volumes:
            - name: ca-bundle
              configMap:
                name: my-private-ca-bundle
```

Go looks for system trust stores in multiple locations: https://go.dev/src/crypto/x509/root_linux.go
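As an added illustration (not code from provider-kafka), this is the Go logic that a `serverCertificateAuthoritySecretRef` field like the one proposed above would back: the `ca.crt` bytes become the `RootCAs` of the client `tls.Config` with `InsecureSkipVerify` left false, and the chain check that flag would skip is run explicitly; leaving `RootCAs` nil is what makes Go fall back to the system store that the `/etc/ssl/certs` mount in the workaround relies on. `TLSConfigWithCA`, `VerifyBroker` and `SelfSignedCAPEM` are my own names, the CAs are constructed test data, and the CA's own self-signed certificate stands in for a broker certificate in the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// TLSConfigWithCA pins broker verification to caPEM (the ca.crt bytes), with
// InsecureSkipVerify false; a bundle without certificates is an error, not an empty pool.
func TLSConfigWithCA(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca bundle contains no PEM certificates")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// VerifyBroker runs the chain check InsecureSkipVerify would skip: nil means
// the certificate in certPEM chains to a CA in cfg.RootCAs.
func VerifyBroker(cfg *tls.Config, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	}
	return err
}

// SelfSignedCAPEM mints a throwaway self-signed CA (constructed demo data; a
// deployment would read ca.crt from the referenced Secret or ConfigMap).
func SelfSignedCAPEM(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```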
