Related problem
Hey, we're running Strimzi clusters with 0.49 and 0.50 using KafkaUser with mTLS. We configured validityDays and renewalDays for our clientsCa in Kafka.
Currently, it is not possible to configure these settings per KafkaUser resource.
Suggested solution
Make it possible to configure validityDays and renewalDays per KafkaUser resource. If configured, the specific KafkaUser configuration will overwrite the "default" being configured in the Kafka resource.
An idea would be to introduce .metadata.annotations for both values, e.g.:
apiVersion: kafka.strimzi.io/v1
kind: KafkaUser
metadata:
  name: my-user
  namespace: my-kafka
  annotations:
    strimzi.io/validityDays: 7d
    strimzi.io/renewalDays: 36h
The configured values could be smaller or bigger than the value configured in the Kafka resource, but the renewalDays must be smaller than validityDays of course.
Question discussed on Slack: Should it be configured per-user or per-user-operator?
Background: User-operator is configured via the Kafka custom resource. When running user-operator as a standalone instance controlling a remote Kafka not managed by Strimzi, it's possible to just use the env vars that are used today to pass the values from the clientsCa section.
Suggestion: It is already configurable per-user-operator via environment variables, so I would only add this per-user.
Alternatives
Another idea would be to extend the KafkaUser custom resource.
Additional context
Cert-manager supports configuring the ingress-shim. This means the duration and renew-before of the certificate can be configured per Ingress resource. A similar setting could be introduced to KafkaUser resources.
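
The override and validation rule proposed in this issue, sketched as an added example (not Strimzi code and not part of the original post). The annotation keys and the `7d`/`36h` value format are taken from the proposal above; the function names are hypothetical, and the operator defaults are passed in as days, as the clientsCa settings are today.

```python
import re
from datetime import timedelta

# Annotation keys as proposed in the issue; not an existing Strimzi API.
VALIDITY_KEY = "strimzi.io/validityDays"
RENEWAL_KEY = "strimzi.io/renewalDays"
_DURATION = re.compile(r"^(\d+)([dh])$")


def parse_duration(value):
    """Parse '7d' or '36h', the two formats used in the issue's example."""
    match = _DURATION.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    amount, unit = int(match.group(1)), match.group(2)
    if amount == 0:
        raise ValueError("duration must be positive")
    return timedelta(days=amount) if unit == "d" else timedelta(hours=amount)


def effective_cert_policy(annotations, default_validity_days, default_renewal_days):
    """Return (validity, renewal) for one KafkaUser.

    A per-user annotation overrides the matching clientsCa default. The
    check runs on the combined result, so overriding only one value can
    still be rejected (for example a 7d validity with a 30-day renewal).
    """
    validity = timedelta(days=default_validity_days)
    renewal = timedelta(days=default_renewal_days)
    if VALIDITY_KEY in annotations:
        validity = parse_duration(annotations[VALIDITY_KEY])
    if RENEWAL_KEY in annotations:
        renewal = parse_duration(annotations[RENEWAL_KEY])
    if renewal >= validity:
        raise ValueError(
            f"renewal window {renewal} must be shorter than validity {validity}"
        )
    return validity, renewal
```

Rejecting the invalid combination at reconcile time, rather than silently clamping it, keeps a mistyped annotation from producing a certificate that is renewed on every reconciliation or never renewed before expiry.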