
mTLS

This authentication method is commonly used with an EventHub such as Kafka.

# TLS secret
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
data:
  ca.crt: <PEM file base64-encoded>
  tls.crt: <PEM file base64-encoded>
  tls.key: <PEM file base64-encoded>
  # Only needed when tls.key is an encrypted PKCS#8 key.
  password: <password base64-encoded>
---
# Credentials definition
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: mtls
spec:
  mTls:
    # Optional description
    description: "mTLS credentials"
    # The CA certificate must be in PEM format.
    caCertificatePemFrom:
      secretKeyRef:
        name: tls-secret
        key: ca.crt
    # The client certificate must be in PEM format.
    certificatePemFrom:
      secretKeyRef:
        name: tls-secret
        key: tls.crt
    # The private key must be in PEM format. Only PKCS#8 is supported.
    privateKeyPemFrom:
      secretKeyRef:
        name: tls-secret
        key: tls.key
    # Optional. Only needed when the private key is encrypted; here it points
    # at the password entry of the same Secret defined above.
    privateKeyPasswordFrom:
      secretKeyRef:
        name: tls-secret
        key: password

When using mTLS, the client's certificate and private key must be stored in one or more Kubernetes Secrets and referenced from the Credentials definition through secretKeyRef, as in the example above.

The CA certificate used to verify the server may either be:

  • unspecified, in which case OpenSSL falls back to its default trust store (the system CA bundle and certificate directories); this only works when the server's certificate chains to a CA that is present there;
  • explicitly set with caCertificatePemFrom, pointing at a Secret key that holds the CA certificate (or chain) in PEM format. This is the usual choice for an internal or private CA.

Note that all certificates and keys must be in PEM format, and only PKCS#8 is supported for private keys: the PEM label must be PRIVATE KEY, or ENCRYPTED PRIVATE KEY combined with privateKeyPasswordFrom. Traditional RSA PRIVATE KEY (PKCS#1) or EC PRIVATE KEY (SEC1) files are not PKCS#8; convert them first with openssl pkcs8 -topk8 -in key.pem -out key.pk8.pem (add -nocrypt to leave the converted key unencrypted).
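As an added example (not code from this page or from the Kannika project), the following standard-library Python script checks a Secret's data map before it is applied: every referenced entry must decode to PEM, the certificate entries must contain CERTIFICATE blocks, and tls.key must be a PKCS#8 key, encrypted if and only if a password entry is present. The entry names ca.crt, tls.crt, tls.key and password follow the Secret above; the sample material is constructed, structurally valid DER only, not real keys. The same check applies to the Secrets referenced from a SchemaRegistry sslConf block.

```python
import base64
import re

# Added example, not Kannika project code. Pre-flight check for the `data:` map of
# the TLS Secret that a Credentials/mTls (or SchemaRegistry sslConf) block references.
# Stdlib only; the DER walk is just enough to tell PKCS#8 from PKCS#1/SEC1 keys.

_PEM = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Entry names follow the Secret shown on this page (assumption: same layout).
_CERT_FIELDS = ("ca.crt", "tls.crt")
_KEY_FIELD = "tls.key"
_PASSWORD_FIELD = "password"


def pem_blocks(pem: bytes):
    """Return [(label, der_bytes), ...] for every PEM block found in `pem`."""
    return [(m.group(1).decode(), base64.b64decode(re.sub(rb"\s", b"", m.group(2))))
            for m in _PEM.finditer(pem)]


def _tlv(buf: bytes, off: int = 0):
    """Decode one DER TLV at `off`; returns (tag, value, offset_after)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _child_tags(seq_body: bytes):
    """Tags of the top-level elements inside a DER SEQUENCE body."""
    tags, off = [], 0
    while off < len(seq_body):
        tag, _, off = _tlv(seq_body, off)
        tags.append(tag)
    return tags


def classify_private_key(der: bytes) -> str:
    """Name the key encoding from its ASN.1 shape, independent of the PEM label."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    tags = _child_tags(body)
    if len(tags) < 2:
        return "unrecognised"
    head = (tags[0], tags[1])
    if head == (0x30, 0x04):                # AlgorithmIdentifier, encryptedData
        return "PKCS#8 (encrypted)"
    if head == (0x02, 0x30):                # version, AlgorithmIdentifier
        return "PKCS#8"
    if head == (0x02, 0x02):                # version, modulus
        return "PKCS#1 (RSA)"
    if head == (0x02, 0x04):                # version, privateKey octets
        return "SEC1 (EC)"
    return "unrecognised"


def check_secret_data(data: dict) -> list:
    """Validate a Secret's base64 `data:` map. Returns findings; [] means OK."""
    findings, decoded = [], {}
    for field in (*_CERT_FIELDS, _KEY_FIELD):
        if field not in data:
            findings.append(f"{field}: missing")
            continue
        try:
            decoded[field] = pem_blocks(base64.b64decode(data[field], validate=True))
        except (ValueError, TypeError):
            findings.append(f"{field}: value is not valid base64")
            continue
        if not decoded[field]:
            findings.append(f"{field}: no PEM block found (DER or empty?)")
    for field in _CERT_FIELDS:
        bad = [lbl for lbl, _ in decoded.get(field, []) if lbl != "CERTIFICATE"]
        if bad:
            findings.append(f"{field}: unexpected PEM block(s) {bad}")
    if decoded.get(_KEY_FIELD):
        label, der = decoded[_KEY_FIELD][0]
        kind = classify_private_key(der)
        if not kind.startswith("PKCS#8"):
            findings.append(f"{_KEY_FIELD}: key is {kind}; only PKCS#8 is accepted "
                            "(convert with: openssl pkcs8 -topk8)")
        elif label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
            findings.append(f"{_KEY_FIELD}: PEM label {label!r} does not match a PKCS#8 key")
        has_pw = _PASSWORD_FIELD in data
        if kind == "PKCS#8 (encrypted)" and not has_pw:
            findings.append(f"{_KEY_FIELD}: encrypted key but no '{_PASSWORD_FIELD}' entry "
                            "for privateKeyPasswordFrom")
        if kind == "PKCS#8" and has_pw:
            findings.append(f"{_KEY_FIELD}: '{_PASSWORD_FIELD}' present but the key is not encrypted")
    return findings


# --- constructed sample material: structurally valid DER, not real keys ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _pem(label: str, der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption, NULL
_VERSION0 = _der(0x02, b"\x00")


def sample_secret_data(key_kind: str = "pkcs8", with_password: bool = False) -> dict:
    """Secret `data:` map with a placeholder cert and a key in the requested encoding."""
    if key_kind == "pkcs8":               # PrivateKeyInfo: version, algorithm, OCTET STRING
        label, key = "PRIVATE KEY", _der(0x30, _VERSION0 + _RSA_ALG + _der(0x04, b"\x00" * 40))
    elif key_kind == "pkcs8-encrypted":   # EncryptedPrivateKeyInfo: algorithm, OCTET STRING
        label, key = "ENCRYPTED PRIVATE KEY", _der(0x30, _RSA_ALG + _der(0x04, b"\x00" * 40))
    else:                                 # traditional RSAPrivateKey: version, modulus, exponent
        label, key = "RSA PRIVATE KEY", _der(0x30, _VERSION0 + _der(0x02, b"\x00\xc1" + b"\x11" * 30)
                                             + _der(0x02, b"\x01\x00\x01"))
    cert = _pem("CERTIFICATE", _der(0x30, _der(0x30, _VERSION0)))   # placeholder, shape only
    data = {"ca.crt": base64.b64encode(cert).decode(),
            "tls.crt": base64.b64encode(cert).decode(),
            "tls.key": base64.b64encode(_pem(label, key)).decode()}
    if with_password:
        data[_PASSWORD_FIELD] = base64.b64encode(b"s3cret").decode()
    return data


if __name__ == "__main__":
    for kind, pw in (("pkcs8", False), ("pkcs8-encrypted", False), ("pkcs8-encrypted", True), ("pkcs1", False)):
        print(kind, "with password" if pw else "no password", "->", check_secret_data(sample_secret_data(kind, pw)) or "OK")
```

To run it against a real manifest, load the Secret's data map (for example from kubectl get secret tls-secret -o json) and pass it to check_secret_data; the classifier looks at the ASN.1 shape rather than trusting the PEM label, so a PKCS#1 key that was merely relabelled PRIVATE KEY is still reported.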

Schema Registries have a dedicated sslConf property to configure mTLS and other SSL/TLS options.

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    sslConf:
      # Explicitly set, but assumed 'true' if not present.
      enabled: true
      # Optional. Configure an explicit CA for server authentication.
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt
      # Optional. Set a client certificate if the server requires it.
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      # Optional. Set a client key if the server requires it. PKCS#8 only.
      privateKeyPemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.key
      # Optional. Set the password to unlock the client's private key; only
      # needed when the key is encrypted. Here it is the password entry of the
      # same tls-secret.
      privateKeyPasswordFrom:
        secretKeyRef:
          name: tls-secret
          key: password