Related problem
Strimzis auto-generated cluster CA and clients CA currently use a hardcoded RSA key size of 2048 bits, with no way to configure it via the CRD. This is below current cryptographic recommendations for newly deployed systems see for example:
- BSI TR-02102-1 (DE): >= 3000 bit since 2023
- BSI TR-03116-4 (DE, mandatory for public procurement): >= 3072 bit
- ANSSI RGS B1 (FR): >= 3072 bit since 2023
- NIST SP 800-57 Part 1 Rev 5 (US): 2048 acceptable through 2030, >= 3072 from 2031
Operators in regulated environments (banking, healthcare, EU/DE public sector, defence-adjacent industries) cannot use Strimzis builtin CA without falling outside these recommendations. The only current workaround is disabling the builtin CA entirely, which has significant operational cost
Suggested solution
Implement cert-manager support:
cert-manager is the defacto standard for certificate management in Kubernetes. Today, integrating it with Strimzi requires bridging a secret-layout gap by hand. Strimzi expects the CA key in one secret -cluster-ca and the certificate in a separate one -cluster-ca-cert, while cert-manager produces a single kubernetes.io/tls secret with tls.crt/tls.key/ca.crt. Accepting kubernetes.io/tls secrets directly or supporting a Certificate reference would let users delegate the entire CA lifecycle (arbitrary key sizes, rotation, renewal) to cert-manager.
Implement configurable certs:
spec:
clusterCa:
keySize: 4096 # default: 2048 (backwards compatible)
clientsCa:
keySize: 4096 # default: 2048 (backwards compatible)Alternatives
Unsupported way with a 3rd party cert-manager controller: https://github.com/sebastiangaiser/ca-controller-for-strimzi
Additional context
No response
Related problem
Strimzis auto-generated cluster CA and clients CA currently use a hardcoded RSA key size of 2048 bits, with no way to configure it via the CRD. This is below current cryptographic recommendations for newly deployed systems see for example:
Operators in regulated environments (banking, healthcare, EU/DE public sector, defence-adjacent industries) cannot use Strimzis builtin CA without falling outside these recommendations. The only current workaround is disabling the builtin CA entirely, which has significant operational cost
Suggested solution
Implement cert-manager support:
cert-manager is the defacto standard for certificate management in Kubernetes. Today, integrating it with Strimzi requires bridging a secret-layout gap by hand. Strimzi expects the CA key in one secret -cluster-ca and the certificate in a separate one -cluster-ca-cert, while cert-manager produces a single kubernetes.io/tls secret with tls.crt/tls.key/ca.crt. Accepting kubernetes.io/tls secrets directly or supporting a Certificate reference would let users delegate the entire CA lifecycle (arbitrary key sizes, rotation, renewal) to cert-manager.
Implement configurable certs:
Alternatives
Unsupported way with a 3rd party cert-manager controller: https://github.com/sebastiangaiser/ca-controller-for-strimzi
Additional context
No response