Read “Hybird CERTIFICATE AUTHORITY Certs with Strimzi KAFKA” by Sreejesh (Sree) Radhakrishnan on Medium: https://medium.com/@sreejeshr/hybird-certificate-authority-certs-with-strimzi-kafka-278a179a3f02 We had a similar use case, and this is how we made it work. Have a read. My model does not change the Strimzi internal certificate management, i.e. from operator to cluster broker and ZK.
I am trying to use our own Client CA (Root CA + Intermediate CA) as part of the client-ca-cert instead of the Strimzi-managed CA. The goal is to enable external Kafka clients (outside the Kubernetes cluster) to authenticate using TLS certificates signed by our Root CA. However, after applying the required configuration, the Kafka cluster is stuck in a NotReady state.
Issue:
The Kafka cluster fails to become healthy, with the following error message:
The operator logs show an InvalidResourceException, indicating that the required secrets were not found, despite them being created manually.
Steps taken for implementation:

1) Updated the Kafka CRD to disable Strimzi’s certificate generation:

```yaml
spec:
  clientsCa:
    generateCertificateAuthority: false
```

2) Deleted the existing Strimzi-managed clients CA secrets:

```shell
kubectl delete secret pspnpp-kafka-sit-clients-ca
kubectl delete secret pspnpp-kafka-sit-clients-ca-cert
```

3) Created new secrets with our custom CA certificates:

```shell
kubectl create secret generic pspnpp-kafka-sit-clients-ca-cert --from-file=ca.crt=our-root-ca.pem
kubectl create secret generic pspnpp-kafka-sit-clients-ca --from-file=ca.key=dummy-key.pem
```
Status:

```
Cluster Id:  _3ik9qIVR3-ydoDWAe9bHw
Conditions:
  Last Transition Time:  2025-03-20T14:22:41.160295604Z
  Message:               Clients CA should not be generated, but the secrets were not found.
  Reason:                InvalidResourceException
  Status:                True
  Type:                  NotReady
Kafka Metadata State:              KRaft
Kafka Metadata Version:            3.6-IV0
Kafka Version:                     3.6.2
Observed Generation:               23
Operator Last Successful Version:  0.42.0
Events:
  Clients CA should not be generated, but the secrets were not found.
```
Logs from the Strimzi Operator:

```
io.strimzi.operator.common.model.InvalidResourceException: Clients CA should not be generated, but the secrets were not found.
	at io.strimzi.operator.cluster.operator.assembly.CaReconciler.checkCustomCaSecret(CaReconciler.java:334)
```
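Added example, not code from the post or from the Strimzi project: the Strimzi documentation for supplying your own CA requires the CA secrets to carry the `strimzi.io/kind=Kafka` and `strimzi.io/cluster=<cluster>` labels (the operator locates its secrets by those labels) and the `strimzi.io/ca-cert-generation` / `strimzi.io/ca-key-generation` annotations, none of which a bare `kubectl create secret generic` sets. The script below renders the two clients-CA Secret manifests with those labels and annotations. The cluster name and secret names come from the post; the `render_secret` and `has_cluster_labels` helper names and the PEM file paths are assumptions of this example, and the PEM content used in the check is a constructed placeholder, not real key material.

```shell
#!/usr/bin/env sh
# Renders the two clients-CA Secrets Strimzi expects when
# spec.clientsCa.generateCertificateAuthority is false, with the labels the
# operator lists secrets by and the generation annotations from the Strimzi
# docs. Example code, not part of the discussion or of Strimzi itself.

CLUSTER="pspnpp-kafka-sit"   # cluster name taken from the post

# render_secret NAME DATA_KEY PEM_FILE GENERATION_ANNOTATION
# Emits a Secret manifest whose single data key is DATA_KEY (ca.crt or ca.key),
# labelled for the cluster and annotated with generation 0.
render_secret() {
  name="$1"; key="$2"; file="$3"; gen_annotation="$4"
  # Secret data must be base64 on one line; strip wrapping added by base64.
  data=$(base64 < "$file" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  labels:
    strimzi.io/kind: Kafka
    strimzi.io/cluster: ${CLUSTER}
  annotations:
    ${gen_annotation}: "0"
type: Opaque
data:
  ${key}: ${data}
EOF
}

# has_cluster_labels MANIFEST
# Returns 0 only if both selector labels the operator filters on are present;
# a secret missing them exists in the namespace but is invisible to Strimzi.
has_cluster_labels() {
  printf '%s\n' "$1" | grep -q "strimzi.io/kind: Kafka" &&
  printf '%s\n' "$1" | grep -q "strimzi.io/cluster: ${CLUSTER}"
}

# Usage (file names are assumptions, matching the post):
#   render_secret pspnpp-kafka-sit-clients-ca-cert ca.crt our-root-ca.pem \
#       strimzi.io/ca-cert-generation | kubectl apply -f -
#   render_secret pspnpp-kafka-sit-clients-ca ca.key clients-ca.key \
#       strimzi.io/ca-key-generation | kubectl apply -f -
```

The `ca.key` secret must hold the real private key of the clients CA if the User Operator is to sign `KafkaUser` client certificates with it; a placeholder key lets the cluster come up but breaks user certificate issuance.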