[Bug]: Cluster CA should not be generated, but the secrets were not found.

[Siradjedd]

Bug Description

Hello !
I am deploying Strimzi Kafka (version 0.39.0) with Kafka 3.6.0 and I want to use an external Certificate Authority (CA) managed by Cert-Manager instead of Strimzi’s self-signed CA.
I disabled Strimzi’s built-in CA by setting:

clusterCa:
  generateCertificateAuthority: false
clientsCa:
  generateCertificateAuthority: false

I manually created TLS certificates using Cert-Manager and provided the secret (wildcard-mycompany-com-tls) to Kafka:

    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
         configuration: 
          brokerCertChainAndKey:
              secretName: wildcard-labadeiz-com-tls
              certificate: tls.crt
              key: tls.key
      brokerCertChainAndKey:
              secretName: wildcard-labadeiz-com-tls
              certificate: tls.crt
              key: tls.key

When deploying Kafka, Strimzi fails with the following error:
.strimzi.operator.common.model.InvalidResourceException: Cluster CA should not be generated, but the secrets were not found.
This indicates that Strimzi is expecting the Cluster CA and Clients CA secrets, but they are missing.

However, I am providing my own TLS certificates via Cert-Manager, so I do not want Strimzi to generate these secrets.

Steps to reproduce

No response

Expected behavior

Strimzi running with cert-manager certificate and external-clients able to connect to it.

Strimzi version

0.39.0

Kubernetes version

1.26.7

Installation method

Helm chart

Infrastructure

Baremetal

Configuration files and logs

No response

Additional context

No response

[scholzj]

This is not a bug. You are mixing two completely different things - using custom Cluster and Client CAs ... and using a custom listener certificate. Please check the docs to understand the difference and how to use one or the other.

[Siradjedd]

thanks for your reply and suggestion. i'am new to Strimzi Kafka and i just found this:
Cluster CA: Signs broker certificates
Client CA: Signs client certificates
Listener Certificate: Presents identity to connecting clients.

But i am confused what is the differnce between the client CA created by strimzi and the ca created when deploying KafkaUser ? and what do the external users need to check to connect to the cluster ? thanks in advance

[scholzj]

• Cluster CA is used to secure all the internal communication within the cluster and between the cluster and the operators. By default it is also used to issue server certificates used by the user-defined listeners
• Clients CA is used to manage the user certiicates for mTLS
• The listener certificate allows you to provide your own server certificate for a particular user-defined Kafka listener

You do not need to do any of this. By default Strimzi will issue its own CAs and use them for everything.

If you do not know why you are doing it, don't touch these APIs. You should use them only if you have some reason for it.

But i am confused what is the differnce between the client CA created by strimzi and the ca created when deploying KafkaUser ?

There is no CA created when deploying KafkaUser.