
Loosen the restrictions for TLS options in type: custom listener authentication to enable new features #11052

Open
wants to merge 2 commits into base: main

Conversation

@scholzj scholzj commented Jan 16, 2025

Type of change

  • Enhancement / new feature

Description

There are some feature requests that pop up from time to time related to type: tls authentication. For example:

  • Trusting a custom CA without providing the full custom Clients CA because the user wants to sign their own certificates (currently, this is possible by passing a dummy value as the private key in the custom Clients CA)
  • Trusting multiple different clients CAs at the same time
  • Being able to override the ssl.principal.mapping.rules when using a custom CA with more complex subjects

Right now, when using the type: custom authentication, we do not allow configuring any options starting with `ssl.`. This makes it impossible to use type: custom authentication for the features described above.

This PR loosens the restriction and forbids only the keystore configuration options, i.e. those starting with `ssl.keystore.`, but lets users configure other TLS options. That means that the TLS keystore will still be configured by Strimzi based on the listener configuration, but users could, for example, freely:

  • Enable TLS authentication
  • Pass custom truststore
  • Configure detailed TLS options such as ssl.principal.mapping.rules for given listener

For example, the 3 feature requests listed above can be done with the following configuration:

```yaml
spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        tls: true
        type: internal
        authentication:
          type: custom
          sasl: false
          listenerConfig:
            ssl.client.auth: required
            ssl.principal.mapping.rules: RULE:^CN=(.*?),(.*)$/CN=$1/
            ssl.truststore.location: /opt/kafka/custom-authn-secrets/custom-listener-tls-9093/custom-truststore/ca.crt
            ssl.truststore.type: PEM
          secrets:
            - key: ca.crt
              secretName: custom-truststore
```

This:

  • Configures custom principal mapping rules to use only the certificate CN for the username
  • Uses a custom PEM file as truststore with one or more trusted CAs

This should resolve #2900 and resolve #6566

Checklist

  • Write tests
  • Make sure all tests pass
  • Update documentation
  • Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
  • Reference relevant issue(s) and close them after merging
  • Update CHANGELOG.md
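Added example (this is not Strimzi or Kafka code, and not part of the PR): a small Python script that mirrors the two behaviours the description above relies on. First, the listenerConfig validation rule as the PR describes it: before the change every `ssl.` key is rejected, after it only `ssl.keystore.` keys are. Second, a simplified reimplementation of how Kafka applies `ssl.principal.mapping.rules`, so the `RULE:^CN=(.*?),(.*)$/CN=$1/` rule from the example listener can be tried against sample subjects. The validator, the function names and the sample DNs are assumptions for illustration; the mapper is a reduced reading of Kafka's `org.apache.kafka.common.security.ssl.SslPrincipalMapper` (first rule whose regex matches the whole DN wins, an `L`/`U` suffix lower/uppercases the result, no matching rule is an error), not the real class. One caveat it makes visible: the rule in the example only matches subjects that contain a comma, so a certificate whose subject is just `CN=my-app` is not mapped at all unless a `DEFAULT` rule is appended.

```python
import re
from typing import Optional

# Constructed listenerConfig, copied from the example listener in the PR description.
LISTENER_CONFIG = {
    "ssl.client.auth": "required",
    "ssl.principal.mapping.rules": "RULE:^CN=(.*?),(.*)$/CN=$1/",
    "ssl.truststore.location": "/opt/kafka/custom-authn-secrets/custom-listener-tls-9093/custom-truststore/ca.crt",
    "ssl.truststore.type": "PEM",
}

# Illustrative validator (an assumption, not the operator's code): the old rule
# rejected every ssl.* key, the new rule rejects only the keystore keys that
# the operator keeps under its own control.
OLD_FORBIDDEN_PREFIXES = ("ssl.",)
NEW_FORBIDDEN_PREFIXES = ("ssl.keystore.",)


def forbidden_keys(listener_config: dict, prefixes: tuple = NEW_FORBIDDEN_PREFIXES) -> list:
    """Return the listenerConfig keys a validator with these prefixes would reject."""
    return sorted(k for k in listener_config if k.startswith(prefixes))


# --- Simplified principal mapping, modelled on Kafka's SslPrincipalMapper. ---
# A rules string is a comma-separated list of "DEFAULT" or
# "RULE:<regex>/<replacement>/[L|U]". Assumption of this reimplementation:
# regexes contain no "/" (Kafka only allows one inside a parenthesised group).
_RULE_SPLITTER = re.compile(r"\s*(DEFAULT|RULE:([^/]*)/([^/]*)/([LU]?))\s*(?:,|$)")


class NoMatchingRule(Exception):
    """No rule applied to the DN; Kafka treats this as an authentication failure."""


def parse_rules(spec: str) -> list:
    """Parse a rules string into (pattern, replacement, case_flag) tuples; None = DEFAULT."""
    rules, pos = [], 0
    for m in _RULE_SPLITTER.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"invalid rule at offset {pos} in {spec!r}")
        pos = m.end()
        if m.group(1) == "DEFAULT":
            rules.append(None)
        else:
            # Kafka replacements use Java-style $1 back-references; Python's re wants \1.
            replacement = re.sub(r"\$(\d+)", r"\\\1", m.group(3))
            rules.append((re.compile(m.group(2)), replacement, m.group(4)))
    if pos != len(spec) or not rules:
        raise ValueError(f"invalid rules spec: {spec!r}")
    return rules


def map_principal(rules: list, dn: str) -> str:
    """Apply the first rule whose regex matches the whole DN (Java matches() semantics)."""
    for rule in rules:
        if rule is None:  # DEFAULT keeps the full DN as the principal
            return dn
        pattern, replacement, case_flag = rule
        if pattern.fullmatch(dn):
            result = pattern.sub(replacement, dn)
            if case_flag == "L":
                return result.lower()
            if case_flag == "U":
                return result.upper()
            return result
    raise NoMatchingRule(f"No rules apply to {dn}")


def principal_for(spec: str, dn: str) -> Optional[str]:
    """Convenience wrapper: the mapped principal, or None when no rule matches."""
    try:
        return map_principal(parse_rules(spec), dn)
    except NoMatchingRule:
        return None


if __name__ == "__main__":
    print("rejected before this PR:", forbidden_keys(LISTENER_CONFIG, OLD_FORBIDDEN_PREFIXES))
    print("rejected after this PR: ", forbidden_keys(LISTENER_CONFIG, NEW_FORBIDDEN_PREFIXES))
    spec = LISTENER_CONFIG["ssl.principal.mapping.rules"]
    # Constructed sample subjects, in the RFC 2253 order X500Principal.getName() produces.
    for dn in ("CN=my-app,O=Example Corp,C=CZ", "CN=my-app"):
        print(f"{dn!r:40} -> {principal_for(spec, dn)!r}")
    # A trailing DEFAULT rule keeps CN-only subjects from being rejected outright.
    print("with DEFAULT fallback:", principal_for(spec + ",DEFAULT", "CN=my-app"))
```

The regex works on the raw DN string, so an escaped comma inside a value (`CN=Smith\, John,O=Acme`) is split at the escape rather than at the attribute boundary; if the custom CA issues such subjects, the rule needs a stricter pattern than `(.*?)`.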

@scholzj scholzj added this to the 0.46.0 milestone Jan 16, 2025

scholzj commented Jan 17, 2025

/azp run regression

Azure Pipelines successfully started running 1 pipeline(s).

@da-off13 da-off13 mentioned this pull request Jan 17, 2025

@PaulRMellor PaulRMellor left a comment


Thanks Jakub.
Would it make sense to mention this with the config exceptions in KafkaClusterSpec schema reference, as with allowed ssl config for cipher suites?

Co-authored-by: PaulRMellor <[email protected]>
Signed-off-by: Jakub Scholz <[email protected]>

scholzj commented Jan 21, 2025

> Would it make sense to mention this with the config exceptions in KafkaClusterSpec schema reference, as with allowed ssl config for cipher suites?

Those are different than this. This does not apply to the .spec.kafka.config section but only to the type: custom authentication. So I would probably avoid mixing those together as I think it might confuse people.
