Setup custom gssapi listener

[jusch23]

As described in issue #3088 kerberos is currently not supported for strimzi. I saw the authentication type "custom" for a listener in the documentation and could imagine a setup like this:

---
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: strimzi-cluster-small
spec:
  kafka:
    version: 3.3.1
    replicas: 3
    listeners:
      - name: external
        port: 9093
        type: ingress
        tls: true
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            sasl.enabled.mechanisms: GSSAPI
            sasl.kerberos.service.name: kafka
            # Problems: Setting different listener config for each broker, keytab needs to be mounted
            #gssapi.sasl.jaas.config: com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/opt/kafka/cluster.keytab" principal="kafka/[email protected]";
        configuration:
          class: nginx
          bootstrap:
            host: bootstrap.myingress.com
          brokers:
            - broker: 0
              host: broker-0.myingress.com
            - broker: 1
              host: broker-1.myingress.com
            - broker: 2
              host: broker-2.myingress.com
    jvmOptions:
      javaSystemProperties:
        - name: java.security.krb5.realm
          value: MY.REALM.COM
        - name: java.security.krb5.kdc
          value: my.kdc.com
...

For each broker I would create a service principal (kafka/broker-X.myingress.com) and create a keytab which contains entries for all service principals. This "cluster.keytab" should then be mounted in each kafka pod, e.g. at /opt/kafka/.
The following problems I see, for which I have not found a solution yet:

1. It is not possible to configure broker-specific listener configuration. The gssapi.sasl.jaas.config parameter needs to set a principal which contains the broker external ingress hostname (different for each broker)
2. The keytab needs to be mounted in each kafka pod

As written above, I now kerberos is not supported at the moment. However, is there a way to solve this problems in the current strimzi version?

[scholzj]

I guess another problem is that the keytab needs to be renewed periodically as well? As said before, we do not support Kerberos and I do not think there is any easy way how to add support for it.

Out of curiosity ... what is your motivation for using Kerberos? It is not exactly Kubernetes-friendly technology.

[jusch23]

I guess another problem is that the keytab needs to be renewed periodically as well?

On bare-metal the kerberos ticket is (as far as I know) renewed by the kafka service, there is no need to renew the ticket from outside. In the documentation (https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_gssapi.html) there are also no additional configurations than the ones above mentioned.

Out of curiosity ... what is your motivation for using Kerberos? It is not exactly Kubernetes-friendly technology.

I'm working on a bare-metal kafka cluster with a kerberos listener and I was looking for alternatives based on kubernetes. I would like to check if a setup on kubernetes is possible. From my (maybe naive) point of view a setup should be possible with the listener configurations from above. But therefore I have to solve the problems described.

So I assume there is no possibility to configure broker-specific listener configurations isn't it? Is mounting a secret to each kafka pod possible?

[scholzj]

On bare-metal the kerberos ticket is (as far as I know) renewed by the kafka service, there is no need to renew the ticket from outside. In the documentation (https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_gssapi.html) there are also no additional configurations than the ones above mentioned.

Ok, I did not know that. Thanks for the explanation.

So I assume there is no possibility to configure broker-specific listener configurations isn't it? Is mounting a secret to each kafka pod possible?

No, there is no such possibility for either of those. Sorry.

[jusch23]

You're welcome. Thanks for your time and the information provided.