Strimzi OAuth Authentication with mTLS

[houas6]

I'm trying to implement OAuth2 ( using azure active directory) with mTLS (already working) but the kafkaUser give me this error everytime ///////* spec.authorization.type: Unsupported value: "tls-external": supported values: "simple"

• spec.authentication.type: Unsupported value: "oauth": supported values: "tls", "tls-external", "scram-sha-512" /////// this is my kafka-cluster /////////// apiVersion: kafka.strimzi.io/v1beta2
  kind: Kafka
  metadata:
  name: mycluster
  namespace: kafka
  labels:
  app: mycluster
  annotations:
  cert-manager.io/cluster-issuer: "----letsencrypt-prod"
  spec:
  kafka:
  replicas: 3
  storage:
  type: jbod
  volumes:
  - id: 0
  type: persistent-claim
  size: 50Gi
  deleteClaim: true
  config:
  auto.create.topics.enable: "false"
  offsets.topic.replication.factor: 3
  transaction.state.log.replication.factor: 3
  transaction.state.log.min.isr: 2
  default.replication.factor: 3
  min.insync.replicas: 2
  ssl.client.auth: "required"
  authorizer.class.name: kafka.security.auth.SimpleAclAuthorizer
  listeners:
  - name: plain
  port: 9092
  type: internal
  tls: false
  - name: tls
  port: 9093
  type: internal
  tls: true
  authentication:
  type: tls
  - name: external
  port: 9094
  type: ingress
  tls: true
  authentication:
  type: oauth
  validIssuerUri: "https://login.microsoftonline.com/************/v2.0"
  jwksEndpointUri: "https://login.microsoftonline.com/***************/discovery/v2.0/keys"
  clientId: "*****************"
  clientSecret:
  secretName: kafka-oauth-secret
  key: secret
  userNameClaim: "preferred_username"
  configuration:
  class: nginx
  bootstrap:
  annotations:
  external-dns.alpha.kubernetes.io/hostname: bootstrap.---.
  external-dns.alpha.kubernetes.io/ttl: "60"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ingress.class: "nginx" # Updated to match your IngressClass
  host: bootstrap.---
  brokers:
  - broker: 0
  annotations:
  external-dns.alpha.kubernetes.io/hostname: broker-0.---.
  external-dns.alpha.kubernetes.io/ttl: "60"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ingress.class: "nginx" # Updated to match your IngressClass
  host: broker-0.---
  - broker: 1
  annotations:
  external-dns.alpha.kubernetes.io/hostname: broker-1.---.
  external-dns.alpha.kubernetes.io/ttl: "60"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ingress.class: "nginx" # Updated to match your IngressClass
  host: broker-1.---
  - broker: 2
  annotations:
  external-dns.alpha.kubernetes.io/hostname: broker-2.---.
  external-dns.alpha.kubernetes.io/ttl: "60"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ingress.class: "nginx" # Updated to match your IngressClass
  host: broker-2.---
  brokerCertChainAndKey:
  secretName: mycluster-lets-encrypt
  certificate: tls.crt
  key: tls.key

  zookeeper:
  replicas: 3
  storage:
  type: persistent-claim
  size: 20Gi
  deleteClaim: true

  entityOperator:
  topicOperator: {}
  userOperator: {}
  ///////// and this is my kafkaUser after trying to add the oauth///////////////////////////////////////////////////////////////////////////////// apiVersion: kafka.strimzi.io/v1beta2
  kind: KafkaUser
  metadata:
  name: my-user
  namespace: kafka
  labels:
  strimzi.io/cluster: mycluster
  spec:
  authentication:
  type: oauth
  authorization:
  type: tls
  acls:
  # Example consumer Acls for topic my-topic
  - resource:
  type: topic
  name: my-topic
  patternType: literal
  operations:
  - Describe
  - Read
  host: ""
  # Example Producer Acls for topic my-topic
  - resource:
  type: topic
  name: my-topic
  patternType: literal
  operations:
  - Create
  - Describe
  - Write
  host: ""
  any solution please ?

[kyguy]

Hi @houas6, the KafkaUser custom resource is not following the Strimzi API. We must update the KafkaUser resource to follow the Strimzi API as is is documented here. [1]

spec.authorization.type: Unsupported value: "tls-external": supported values: "simple"

As this error indicates, "tls-external" is not a valid configuration value for spec.authorization.type for the KafkaUser custom resource. We can only use a value of "simple" here. [2]

spec.authentication.type: Unsupported value: "oauth": supported values: "tls", "tls-external", "scram-sha-512"

As this error indicates, "oauth" is not a valid configuration value for spec.authentication.type for the KafkaUser custom resource. We can only use a value of "tls", "tls-external", "scram-sha-512" here.

[1] https://strimzi.io/docs/operators/latest/configuring#type-KafkaUserSpec-reference
[2] https://strimzi.io/docs/operators/latest/configuring#type-KafkaUserAuthorizationSimple-reference