
Custom CA with type: kubernetes.io/tls secret #2

Closed
DavidMachacek opened this issue Dec 17, 2024 · 5 comments

Comments

@DavidMachacek

DavidMachacek commented Dec 17, 2024

When I want to use my own CA with external TLS authentication, I am required to create my own secrets:
i.e.

apiVersion: v1
kind: Secret
metadata:
  annotations:
    strimzi.io/ca-key-generation: "0"
  name: b01-cluster-ca
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: Opaque
data:
  ca.key: xxx

This is completely fine until I want this key to be used by cert-manager, which requires tls-type secrets. So I tried to change the secret type from Opaque to kubernetes.io/tls and duplicated ca.key and tls.key to contain the same value.

apiVersion: v1
kind: Secret
metadata:
  annotations:
    purpose: "source TLS for cluster issuer"
  name: b01-cluster-tls
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: kubernetes.io/tls
data:
  tls.key: xxx
  ca.key: xxx
  tls.crt: yyy

But when I do that, the Strimzi cluster does not start anymore, with a NullPointerException:

$ oc describe kafka b01

Name:         b01
Namespace:    infra-kafka
Labels:       app.kubernetes.io/instance=infra-kafka
Annotations:  argocd.argoproj.io/tracking-id: infra-kafka:kafka.strimzi.io/Kafka:infra-kafka/b01
API Version:  kafka.strimzi.io/v1beta2
Kind:         Kafka
Metadata:
  Creation Timestamp:  2024-12-17T10:02:07Z
  Generation:          1
  Resource Version:    8802109
  UID:                 d5a2b500-bb85-4a33-8227-6623d3b87a24
Spec:
  Clients Ca:
    Generate Certificate Authority:  false
  Cluster Ca:
    Generate Certificate Authority:  false
...
Status:
  Conditions:
    Last Transition Time:  2024-12-17T10:02:07.506847840Z
    Message:               Cannot invoke "String.getBytes(java.nio.charset.Charset)" because "src" is null
    Reason:                NullPointerException
    Status:                True
    Type:                  NotReady
  Observed Generation:     1
Events:                    <none>

It seems Strimzi accepts only Opaque secrets, but I would prefer to use tls types instead. The workaround is to create multiple secrets (one Opaque and one of type kubernetes.io/tls), but this just doesn't feel right. I would prefer to have just one. Is this the desired behavior? Can I create a pull-secret to fix this? Or what is the decision behind this behavior?

@scholzj
Owner

scholzj commented Dec 17, 2024

Sorry, I'm not sure I follow it. This repository is an example of how you can use custom CAs with Strimzi. The custom CAs are generated with the CFSSL utility. It has nothing to do with CertManager.

@DavidMachacek
Author

Desired state: Strimzi uses secrets of type: kubernetes.io/tls
Current state: Strimzi uses secrets of type: Opaque

Trying to use kubernetes.io/tls secrets results in a NullPointerException.

@scholzj
Owner

scholzj commented Dec 17, 2024

So, I do not think this is the right place to raise this issue. This is just an example repo used for testing and to show how to use the custom CAs. Opening an issue here will not change anything in Strimzi - for that you would need to open an issue there.

That said, the Custom CA functionality in Strimzi right now does not integrate with Cert Manager. If you want to use a custom CA created by Cert Manager, you need to copy it to the Strimzi secrets and set the proper generation annotations that are used to drive renewals etc. So this goes way beyond some Secret type. Also, I'm not sure what value you would get out of it, because Strimzi would not use Cert Manager for anything. It would take the CA and use it to issue its own server certificates on its own. I do not expect that this will change in any way outside of the strimzi/proposals#135 proposal that focuses on integration with external certificate managers. So probably the best/only thing you can do right now is to review that proposal.

@DavidMachacek
Author

DavidMachacek commented Dec 18, 2024

I agree.
I raised this issue in the wrong repository (should have been in the Strimzi main repo).
I would appreciate it if Strimzi were able to use (Cluster)Issuers to manage certificates. I just wanted to point out that if you could use your own secret with the correct type, you could also use the same secrets as a source for a cert-manager (Cluster)Issuer. Now we need to copy-paste them with a different type.

I.e. I have this Strimzi cert:
apiVersion: v1
kind: Secret
metadata:
  annotations:
    strimzi.io/ca-key-generation: "0"
  name: b01-clients-ca-cert
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: Opaque
data:
  ca.crt: xxx
  ca.p12: xxx
  ca.password: xxx

But as of now I need to copy-paste it like this
apiVersion: v1
kind: Secret
metadata:
  annotations:
    purpose: "source TLS for cluster issuer"
  name: b01-clients-tls
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: kubernetes.io/tls
data:
  tls.crt: xxx
  tls.key: xxx

In order to use it as a source for a ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: b01-clients-issuer
spec:
  ca:
    secretName: b01-clients-tls

But as you said, this should be discussed in strimzi/proposals#135.

Thanks, let's close this issue.
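
The copy step scholzj describes (custom CA material into the Opaque Secrets Strimzi reads, with the generation annotations) and the reverse copy DavidMachacek describes (Strimzi CA material into one kubernetes.io/tls Secret for a cert-manager CA issuer), as an added example that is not code from this issue or from the repository it was filed against. It works on the JSON form of `kubectl get secret <name> -o json`, so it runs offline on the constructed sample embedded below. Assumptions not taken from the thread: Strimzi secret names are generalised to `<cluster>-<ca>-ca` and `<cluster>-<ca>-ca-cert` from the `b01-cluster-ca` and `b01-clients-ca-cert` names shown above; the certificate Secret is annotated `strimzi.io/ca-cert-generation` (the thread shows only `strimzi.io/ca-key-generation`, on the key Secret); and the `ca.p12`/`ca.password` entries from the clients-ca-cert Secret above are not produced. The validator checks a Secret against the shape the thread shows before it is applied; whether a given finding is what produced the NullPointerException in the issue is not established in the thread.

```python
# Added example (not from the issue or the repository it was filed against).
# Assumptions, also stated in the lead-in: kubectl JSON in/out; name pattern
# <cluster>-<ca>-ca / <cluster>-<ca>-ca-cert; strimzi.io/ca-cert-generation on
# the cert Secret; ca.p12 / ca.password are not generated.
import base64
import json

KEY_GEN_ANNOTATION = "strimzi.io/ca-key-generation"   # shown in the thread
CERT_GEN_ANNOTATION = "strimzi.io/ca-cert-generation"  # assumption, not in the thread


def _strimzi_secret(name, cluster, annotations, data):
    """Opaque Secret carrying the labels the thread shows on every Strimzi CA Secret."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "annotations": dict(annotations),
            "labels": {"strimzi.io/cluster": cluster, "strimzi.io/kind": "Kafka"},
        },
        "type": "Opaque",
        "data": dict(data),
    }


def strimzi_secrets_from_tls(tls_secret, cluster, ca="cluster", generation=0):
    """Split one kubernetes.io/tls Secret into the (key, cert) Opaque Secrets Strimzi reads.

    Base64 payloads are copied unchanged; only key names (tls.key -> ca.key,
    tls.crt -> ca.crt), type, name and annotations differ.
    """
    if tls_secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"expected type kubernetes.io/tls, got {tls_secret.get('type')!r}")
    data = tls_secret.get("data") or {}
    missing = [k for k in ("tls.crt", "tls.key") if k not in data]
    if missing:
        raise ValueError(f"kubernetes.io/tls Secret is missing {missing}")
    key_secret = _strimzi_secret(f"{cluster}-{ca}-ca", cluster,
                                 {KEY_GEN_ANNOTATION: str(generation)}, {"ca.key": data["tls.key"]})
    cert_secret = _strimzi_secret(f"{cluster}-{ca}-ca-cert", cluster,
                                  {CERT_GEN_ANNOTATION: str(generation)}, {"ca.crt": data["tls.crt"]})
    return key_secret, cert_secret


def tls_secret_from_strimzi(key_secret, cert_secret, name):
    """Reverse copy: one kubernetes.io/tls Secret a cert-manager CA issuer can reference."""
    try:
        key, crt = key_secret["data"]["ca.key"], cert_secret["data"]["ca.crt"]
    except KeyError as exc:
        raise ValueError(f"Strimzi CA Secret is missing key {exc}") from None
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "labels": dict(cert_secret["metadata"].get("labels", {}))},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": crt, "tls.key": key},
    }


def validate_strimzi_ca_secret(secret, kind):
    """Return a list of problems; [] means the Secret matches the shape shown in the thread.

    kind is "key" (needs ca.key and the key-generation annotation) or "cert"
    (needs ca.crt and the cert-generation annotation).
    """
    annotation, required = {"key": (KEY_GEN_ANNOTATION, "ca.key"),
                            "cert": (CERT_GEN_ANNOTATION, "ca.crt")}[kind]
    problems = []
    if secret.get("type") != "Opaque":
        problems.append(f"type is {secret.get('type')!r}; Strimzi CA Secrets in the thread are Opaque")
    meta = secret.get("metadata") or {}
    if not str((meta.get("annotations") or {}).get(annotation, "")).isdigit():
        problems.append(f"annotation {annotation} missing or not an integer generation")
    labels = meta.get("labels") or {}
    if labels.get("strimzi.io/kind") != "Kafka" or "strimzi.io/cluster" not in labels:
        problems.append("labels strimzi.io/cluster and strimzi.io/kind=Kafka are required")
    data = secret.get("data") or {}
    if required not in data:
        problems.append(f"data key {required} missing")
    for k, v in data.items():
        try:
            base64.b64decode(v, validate=True)
        except (ValueError, TypeError):
            problems.append(f"data key {k} is not valid base64")
    return problems


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample modelled on the tls-typed Secret the issue tried (ca.key
# duplicated from tls.key, no generation annotation), with placeholder PEM text.
SAMPLE_TLS_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "b01-cluster-tls",
                 "annotations": {"purpose": "source TLS for cluster issuer"},
                 "labels": {"strimzi.io/cluster": "b01", "strimzi.io/kind": "Kafka"}},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"),
             "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")},
}
SAMPLE_TLS_SECRET["data"]["ca.key"] = SAMPLE_TLS_SECRET["data"]["tls.key"]

if __name__ == "__main__":
    print("tls-typed Secret used directly as key Secret:", validate_strimzi_ca_secret(SAMPLE_TLS_SECRET, "key"))
    key_s, cert_s = strimzi_secrets_from_tls(SAMPLE_TLS_SECRET, "b01")
    print("derived key/cert Secrets:", validate_strimzi_ca_secret(key_s, "key") + validate_strimzi_ca_secret(cert_s, "cert") or "ok")
    # A List that can be piped into `kubectl apply -f -`
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [key_s, cert_s]}, indent=2))
```

To use it on a live cluster, replace `SAMPLE_TLS_SECRET` with `json.load(sys.stdin)` fed from `kubectl get secret b01-cluster-tls -o json`; the key material is never decoded or re-encoded, only re-keyed, so the same private key ends up referenced by both the Strimzi Secrets and the cert-manager issuer Secret.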

@scholzj
Owner

scholzj commented Dec 18, 2024

I just wanted to point out that if you could use your own secret with the correct type, you could also use the same secrets as a source for a cert-manager (Cluster)Issuer. Now we need to copy-paste them with a different type.

Yeah, but as I said, it is not so simple. You need to maintain the generations, older versions of the CA etc. So it is a bit more complicated.
