Tls kafka strimzi

2025-12-172025-12-17

🔒 TLS Configuration for Kafka with Strimzi

This guide explains how to enable TLS and mTLS for Kafka clients and applications using Strimzi in Kubernetes.

---

🔗 Reference Links

• Strimzi Security Documentation
• Strimzi Operator Docs v0.8.1

---

⚙️ Basic TLS Client Configuration

Configure your Kafka client to use SSL:

bootstrap.servers=my-cluster-kafka-bootstrap:9093
security.protocol=SSL
ssl.truststore.location=/etc/kafka/certs/cluster-ca.crt
ssl.truststore.type=PEM

Mount the CA certificate in your pod:

volumes:
  - name: cluster-ca
    secret:
      secretName: my-cluster-cluster-ca-cert
containers:
  - name: my-app
    volumeMounts:
      - name: cluster-ca
        mountPath: /etc/kafka/certs
        readOnly: true

---

📝 Spring Boot Application Properties (TLS)

spring.kafka.bootstrap-servers=cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
spring.kafka.security.protocol=SSL
spring.kafka.ssl.trust-store-type=PEM
spring.kafka.ssl.trust-store-location=${KAFKA_CA_FILE_PATH:}
spring.kafka.properties.sasl.mechanism=PLAIN
spring.kafka.properties.security.protocol=SSL
spring.kafka.ssl.protocol=TLSv1.3
spring.kafka.ssl.enabled-protocols=TLSv1.3

---

🔐 mTLS (Mutual TLS) Configuration

Client configuration for mTLS:

bootstrap.servers=my-cluster-kafka-bootstrap:9093
security.protocol=SSL
ssl.truststore.location=/etc/kafka/certs/cluster-ca.crt
ssl.truststore.type=PEM
ssl.keystore.location=/etc/kafka/certs/user.p12
ssl.keystore.password=my-password
ssl.keystore.type=PKCS12

Mount both CA and client certificates:

volumes:
  - name: cluster-ca
    secret:
      secretName: my-cluster-cluster-ca-cert
  - name: client-certs
    secret:
      secretName: my-app-kafka-user
containers:
  - name: my-app
    volumeMounts:
      - name: cluster-ca
        mountPath: /etc/kafka/certs/cluster-ca
        readOnly: true
      - name: client-certs
        mountPath: /etc/kafka/certs/client
        readOnly: true

---

🌐 Example: Mounting Kafka CA Cert in a Web Application

volumes:
  - name: kafka-certs
    secret:
      secretName: my-cluster-cluster-ca-cert
      namespace: kafka

---

🚀 ArgoCD Helm Values Example

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: web-app
spec:
  destination:
    namespace: web-page
    server: https://kubernetes.default.svc
  source:
    helm:
      values: |
        volumes:
          - name: kafka-certs
            secret:
              secretName: my-cluster-cluster-ca-cert
              namespace: kafka
        volumeMounts:
          - name: kafka-certs
            mountPath: /etc/kafka/certs
            readOnly: true

---

Best Practice

Always use the latest CA and client certificates, and restrict access to secrets using Kubernetes RBAC