Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #9372 Enhance Kafka Spec with cert algorithm management #119

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Issue #9372 Enhance Kafka Spec with cert algorithm management #119

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions 073-kafka-crd-certalg-option.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Enhance Kafka Spec with cert algorithm management

Allow the end user to manage cert configs, used to generate servers and users certificates, via the `Kafka` CRD.

## Current situation

Properties are not yet supported in the Strimzi Kafka CRD.

## Motivation

Requested by the community here: https://github.com/strimzi/strimzi-kafka-operator/issues/9372

## Proposal

The proposal will introduce cert configs for the cluster and client CA, this is so that it is possible to use other algorithms than the currently hardcoded RSA. The proposal will add three new attributes to the `clusterCa` and `clientsCa` specs:

* `keyAlgorithm`: The algorithm for generating the private key.
* `keySize`: The size of the private key generated.
* `signatureAlgorithm`: The hashing algorithm used for signing.
Comment on lines +17 to +19
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need more detail about these:

*Are they validated via the CRD Schema, or the Cluster Operator itself? Or do we just pass them to openssl and treat algorithms that are unknown to it as any other openssl failure?

  • Are we going to document some key algorithms which we guarantee will be available? How might we, in the future, go about deprecating and removing support for some combination of these parameters?
  • Documenting allowed key sizes is tricky because they depend on the key algorithm.
  • Do the same settings apply for both CA and end-entity certificates?
  • Are these settings only use for new certificates, or does changing them imply that certificates need to be immediately regenerated?


Suggestion:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
name: my-kafka-cluster
spec:
# ...
clusterCa:
keyAlgorithm: rsa
keySize: 4096
signatureAlgorithm: SHA256
clientsCa:
keyAlgorithm: ecdsa
keySize: 521
signatureAlgorithm: ecdsa-with-SHA512
# ...
```

## Affected/not affected projects

No other projects affected than the Strimzi Operator.

## Compatibility

The three new attributes should default to the current defaults, to make sure that there are no compatibility issues. `keyAlgorithm` should default to rsa, `keySize` to 4096 and the `signatureAlgorithm` to sha256.

## Rejected alternatives

No rejected previous alternatives.