Client Can Connect to Kafka Without TLS Certificate Even When TLS is Enforced

[inderanz]

A client running on a different GKE cluster is able to connect to a Strimzi-managed Kafka cluster without providing a client-side certificate, despite TLS authentication being enabled on the external listener.

Expected vs. Actual Behavior

Expected: When a client without a valid certificate attempts to connect, the connection should fail with an SSL authentication error.
Actual: Clients are able to connect even without a certificate, despite TLS and client authentication being enabled.

The expectation is that connections without valid TLS client certificates should be rejected with an SSL handshake failure. However, the client is able to establish a connection and send/receive messages without authentication.

Kafka version: 3.6.2
Strimzi Operator version: 0.42.0
Deployment: Kraft mode with external listener using TLS
Cluster Type: GKE

Kafka Cluster Definition:

---

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: cluster-prod-kafka-sit
  namespace: ns-cluster-prod-integration-sit
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    version: 3.6.2
    logging:
      type: inline
      loggers:
        kafka.root.logger.level: DEBUG
        org.apache.kafka.common.network: TRACE
        org.apache.kafka.common.security.auth: TRACE
        org.apache.kafka.common.security.ssl: TRACE
    metadataVersion: 3.6-IV0
    image: "team1-cnc-docker.registry.gcp.com/strimzi/kafka:0.42.0-kafka-3.6.2-amd64"
    authorization:
      type: simple
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: true
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        configuration:
          brokerCertChainAndKey:
            secretName: kafka-chain-tls
            certificate: tls.crt
            key: tls.key
          bootstrap:
            loadBalancerIP: 100.65.56.224
            annotations:
              networking.gke.io/internal-load-balancer-allow-global-access: "true"
              networking.gke.io/load-balancer-type: Internal
          brokers:
          - broker: 0
            loadBalancerIP: 100.65.56.225
            advertisedHost: 100.65.56.225
            annotations:
              networking.gke.io/internal-load-balancer-allow-global-access: "true"
              networking.gke.io/load-balancer-type: Internal
          - broker: 1
            loadBalancerIP: 100.65.56.226
            advertisedHost: 100.65.56.226
            annotations:
              networking.gke.io/internal-load-balancer-allow-global-access: "true"
              networking.gke.io/load-balancer-type: Internal
          - broker: 2
            loadBalancerIP: 100.65.56.227
            advertisedHost: 100.65.56.227
            annotations:
              networking.gke.io/internal-load-balancer-allow-global-access: "true"
              networking.gke.io/load-balancer-type: Internal
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      default.replication.factor: 3
      min.insync.replicas: 2
      socket.request.max.bytes: 400000000 # 400 MB
      ssl.cipher.suites: TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
      ssl.enabled.protocols: TLSv1.3, TLSv1.2
      ssl.protocol: TLSv1.3 
  entityOperator:
    topicOperator:
      image: "team1-cnc-docker.registry.gcp.com/strimzi/operator:0.42.0-amd64"
      resources:
        requests:
          memory: 512Mi
          cpu: "1"
        limits:
          memory: 512Mi
          cpu: "1"
    userOperator:
      image: "team1-cnc-docker.registry.gcp.com/strimzi/operator:0.42.0-amd64"
      resources:
        requests:
          memory: 512Mi
          cpu: "1"
        limits:
          memory: 512Mi
          cpu: "1`

Reproduction Steps

Deploy Strimzi Kafka with TLS authentication enforced on the external listener (type: loadbalancer with authentication: tls).
Start a client pod in a different GKE cluster without any Kafka TLS certificates.
Run the Kafka producer without specifying any client-side certificate:

Inside the client pod

bash kafka-console-producer.sh
--bootstrap-server kafka-bootstrap-sit.cluster1-np.gcpnp.com:9094
--topic sit.v1.test.topic.01

]#
[root@kafka-producer-755fbc5bd8-n7zx9 bin]# bash kafka-console-producer.sh --bootstrap-server kafka-bootstrap-sit.cluster1-np.gcpnp.com:9094 --topic sit.v1.test.topic.
01

I am able to connect to bootstrap server, even when tls is enabled & for this pod am not using any client side cert & ideally it should fail with ssl error
Not failing to connect
exit

The producer is able to send messages without an SSL error, despite TLS authentication being enabled.

Verify the same behavior for a consumer:

bash kafka-console-consumer.sh
--bootstrap-server kafka-bootstrap-sit.cluster1-np.gcpnp.com:9094
--topic sit.v1.test.topic.01 --from-beginning

^C[root@kafka-producer-755fbc5bd8-n7zx9 bin]#

bash kafka-console-consumer.sh --bootstrap-server kafka-bootstrap-sit.cluster1-np.gcpnp.com:9094 --topic sit.v1.test.topic.01 --from-beginning

hi
{"paymentUid":21,"userId":"user1","amount":100.0,"status":null}
{"paymentUid":21,"userId":"user1","amount":100.0,"status":null}
{"paymentUid":21,"userId":"user1","amount":100.0,"status":null}
I am able to connect to bootstrap server, even when tls is enabled & for this pod am not using any client side cert & ideally it should fail with ssl error
Not failing to connect

The consumer is able to receive messages without authentication.

This is a critical security issue, as it allows unauthenticated access to the Kafka cluster even when TLS is explicitly configured. A fix or workaround is needed to prevent unauthorized clients from connecting.

Looking for
Confirmation if this is a known issue.
A fix or workaround to ensure proper TLS enforcement.
Any additional configurations required to enforce client authentication.

[inderanz]

[scholzj]

1. Please do not ping people directly. People will get notifications about the issues or discussions you open and can decide to react to it or not. You do not need to mention anyone!
2. If it is a critical security issue, you should not have opened a public discussion for it but followed the security policy. Too late for it now as it is public.
3. Please make sure that:
   • All code you shared is properly formatted to be readable
   • You share full custom resources including the status (e.g. do kubectl get strimzi -o yaml and share what you get)
   • Share the full logs from the operator and the Kafka brokers.
   • It is easy to reproduce by simplifying what you are doing. E.g.:
     • Can you reproduce it without the custom listener certificate (brokerCertChainAndKey)? If not, it might be the cause of the issue but also hard to reproduce
     • Can you reproduce it without your custom load balancer setup? E.g. with node ports or internal listener? Again, that would make it easier to reproduce things.

I obviously do not have the same environment as you have, the same loadbalancers and the same custom certificate. But without them, I cannot reproduce it with latest Strimzi build. So you should look into the above points and share more details and try to simplify it as suggested.

[inderanz]

• hopefully its readable.
• Apologies but because of restrictions, I can't able to Share the full logs from the operator and the Kafka brokers but I can't see any error related to 'tls' in both broker & operator.

happy to share any other output, if needed.

[inderanz]

Apologies but can I ask one more question:

1. I want to configure mTLS as part of KafkaUser CRD, where using our own CA & dummy key < as mentioned by you in discussion - https://github.com/orgs/strimzi/discussions/7846 & as well on AMQ documents - https://docs.redhat.com/en/documentation/red_hat_amq/2021.q2/html/using_amq_streams_on_openshift/security-str#installing-your-own-ca-certificates-str

• I have made the changes in Kafka CRD by adding. <generateCertificateAuthority: false for clientsCa> & Operator understand this config as well.
• Post this, I delete the existing secrets < clustername-client-ca > & clustername-client-ca-cert & created new one
• where clustername-client-ca-cert had my CA cert ( rootCA chain including intermediate) & clustername-client-ca - I added a dummy key as recommended by you.
• Added the labels on secret marked in AMQ document.

but I see in Operator logs, it not able to locate the new secrets & below are the logs

   at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
    at java.lang.Thread.run(Thread.java:840) ~[?:?]

2025-03-20 13:28:53 INFO AbstractOperator:536 - Reconciliation #11729(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): reconciled
2025-03-20 13:30:50 INFO ClusterOperator:140 - Triggering periodic reconciliation for namespace *
2025-03-20 13:30:50 INFO AbstractOperator:264 - Reconciliation #11730(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Kafka pspnpp-kafka-sit will be checked for creation or modification
2025-03-20 13:30:50 INFO AbstractOperator:264 - Reconciliation #11731(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): Kafka pspnpp-kafka will be checked for creation or modification
2025-03-20 13:30:50 ERROR AbstractOperator:283 - Reconciliation #11730(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): createOrUpdate failed
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
2025-03-20 13:30:50 WARN AbstractOperator:556 - Reconciliation #11730(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Failed to reconcile
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
2025-03-20 13:30:53 INFO AbstractOperator:536 - Reconciliation #11731(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:378 - Reconciliation #11732(watch) StrimziPodSet(ns-pspnpp-integration-sit/pspnpp-kafka-sit-controller): StrimziPodSet will be reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:414 - Reconciliation #11732(watch) StrimziPodSet(ns-pspnpp-integration-sit/pspnpp-kafka-sit-controller): reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:378 - Reconciliation #11733(watch) StrimziPodSet(ns-pspnpp-integration-sit/pspnpp-kafka-sit-broker): StrimziPodSet will be reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:414 - Reconciliation #11733(watch) StrimziPodSet(ns-pspnpp-integration-sit/pspnpp-kafka-sit-broker): reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:378 - Reconciliation #11734(watch) StrimziPodSet(pspnpp-kafka-np/pspnpp-kafka-broker): StrimziPodSet will be reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:414 - Reconciliation #11734(watch) StrimziPodSet(pspnpp-kafka-np/pspnpp-kafka-broker): reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:378 - Reconciliation #11735(watch) StrimziPodSet(pspnpp-kafka-np/pspnpp-kafka-controller): StrimziPodSet will be reconciled
2025-03-20 13:32:24 INFO StrimziPodSetController:414 - Reconciliation #11735(watch) StrimziPodSet(pspnpp-kafka-np/pspnpp-kafka-controller): reconciled
2025-03-20 13:32:50 INFO ClusterOperator:140 - Triggering periodic reconciliation for namespace *
2025-03-20 13:32:50 INFO AbstractOperator:264 - Reconciliation #11736(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Kafka pspnpp-kafka-sit will be checked for creation or modification
2025-03-20 13:32:50 INFO AbstractOperator:264 - Reconciliation #11737(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): Kafka pspnpp-kafka will be checked for creation or modification
2025-03-20 13:32:50 ERROR AbstractOperator:283 - Reconciliation #11736(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): createOrUpdate failed
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
2025-03-20 13:32:50 WARN AbstractOperator:556 - Reconciliation #11736(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Failed to reconcile
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
2025-03-20 13:32:53 INFO AbstractOperator:536 - Reconciliation #11737(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): reconciled
2025-03-20 13:34:50 INFO ClusterOperator:140 - Triggering periodic reconciliation for namespace *
2025-03-20 13:34:50 INFO AbstractOperator:264 - Reconciliation #11738(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Kafka pspnpp-kafka-sit will be checked for creation or modification
2025-03-20 13:34:50 INFO AbstractOperator:264 - Reconciliation #11739(timer) Kafka(pspnpp-kafka-np/pspnpp-kafka): Kafka pspnpp-kafka will be checked for creation or modification
2025-03-20 13:34:50 ERROR AbstractOperator:283 - Reconciliation #11738(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): createOrUpdate failed
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
2025-03-20 13:34:50 WARN AbstractOperator:556 - Reconciliation #11738(timer) Kafka(ns-pspnpp-integration-sit/pspnpp-kafka-sit): Failed to reconcile
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.strimzi.operator.cluster.operator.assembly.CaReconciler.lambda$reconcileCas$5(CaReconciler.java:275) ~[io.strimzi.cluster-operator-0.42.0.jar:0.42.0]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$0(ContextImpl.java:178) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:279) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.ContextImpl.lambda$internalExecuteBlocking$2(ContextImpl.java:210) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[io.vertx.vertx-core-4.5.8.jar:4.5.8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.110.Final.jar:4.1.110.Final]
at java.lang.Thread.run(Thread.java:840) ~[?:?]

    >>>
    
    Can you please suggest, what is missing.
    
    Thanks in advance, for all your help.

but pos

[scholzj]

That seems unrelated to the original issue. So you should likely start a separate discussion. But the error seems pretty self-explanatory: Clients CA should not be generated, but the secrets were not found.

[inderanz]

sure, but .. the secret is present but the Operator not able to recognise it.

Let me open a new discussion.

[scholzj]

You should also:

• Share the exact steps and commands you did
• Use the Strimzi documentation corresponding to your Strimzi version

[inderanz]

@scholzj - Thanks, as per your recommendation created new 'discussion' for this issue.
https://github.com/orgs/strimzi/discussions/11278