Support multiple CAs in the Clients CA secret


Today, we officially support only a single Clients CA (=> since public CA in the Kafka truststore). However, sometimes, users are interested in using multiple CAs at the same time. We never designed for it. But it works when you just add multiple CRT files into the Clients CA secret. E.g. ca.crt and ca-2.crt. This of course does not work with User Operator and type: tls authentication. But it works fine for users with type: tls-external. We should consider if we want to support this officially. In that case, we should document it and add STs to make sure we keep this working. And decide if we need something more with regards to rolling etc.

One of the examples where this was discussed is #6559

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
scholzj commented, Sep 1, 2022

There is no update on this. I do not think this issue depends on the existing proposal about CA abstraction, I think it can be worked on separately as well.

0 reactions
scholzj commented, Sep 3, 2022

The start for this would be to write a proposal of how it could be implemented. You can check some of the existing proposals to see what they look like and what they contain: https://github.com/strimzi/proposals … you can basically just open the PR there with the proposal.

I would be a bit careful about mixing a custom CA with Strimzi managed CA. I think that in general it increases the risks of things breaking, overwriting each other etc. I also wonder if it matches any use-cases for this. What would be the use case for the mixed CAs like that? But if you think it is possible, then it can be of course part of the proposal.
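
The trust behaviour the issue describes, as an added example that is not part of the original issue or Strimzi's own code: two throwaway CAs generated with openssl stand in for the `ca.crt` and `ca-2.crt` entries, and the concatenated file `both.crt` is an assumed stand-in for a truststore that holds both. Every subject name and every file name other than `ca.crt` and `ca-2.crt` is constructed.

```shell
#!/bin/sh
# Added example: throwaway CAs built with openssl stand in for the two
# entries (ca.crt, ca-2.crt) of a Clients CA secret. All names are constructed.
set -eu

make_ca() {            # $1 = output prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {       # $1 = CA prefix, $2 = client prefix, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

trusted_by() {         # $1 = PEM trust bundle, $2 = certificate; prints yes|no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

demo() {               # prints three yes/no answers, one per line
  (
    cd "$(mktemp -d)"
    make_ca ca "constructed-clients-ca"
    make_ca ca-2 "constructed-external-ca"
    issue_client ca user-a "user-a"
    issue_client ca-2 user-b "user-b"
    cat ca.crt ca-2.crt > both.crt     # what trusting both entries amounts to
    trusted_by ca.crt user-b.crt       # no: only the first CA is trusted
    trusted_by both.crt user-b.crt     # yes: the second CA is now trusted too
    trusted_by both.crt user-a.crt     # yes: the first CA is still trusted
  )
}

demo
```

Once both entries are trusted, every certificate issued by either CA is accepted, so each additional entry in the secret widens the set of parties that can authenticate.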
