SSL communication between broker and cruise control

[kspmmitt]

Hello,

Is below understanding is correct w.r.t strimzi operator based kafka cruise control?

In the SSL connection between Kafka brokers and Cruise Control pods, Kafka brokers act as the SSL servers, and Cruise Control acts as the SSL client. Cruise Control connects to Kafka brokers over SSL/TLS to securely communicate for tasks such as monitoring, metrics gathering, and triggering rebalances. During the SSL handshake, Cruise Control (client) verifies the broker's (server) certificate to establish trust, and if mutual TLS authentication is enabled, brokers also verify Cruise Control's client certificate. This ensures encrypted, authenticated communication between them, protecting data in transit and preventing unauthorized access. Proper SSL configuration involves setting up keystores and truststores on both sides and configuring Cruise Control's client SSL settings to match the Kafka brokers' server SSL configuration.

Are there any properties to give certificates or how certificates created/given?

Rgds,
Kamal

[kyguy]

Questions regarding the Strimzi Kafka Operator’s specific configuration of Cruise Control would be better addressed by the Strimzi community directly. That said, I’ll do my best to answer here.

Is below understanding is correct w.r.t strimzi operator based kafka cruise control?

Yes, that understanding is correct. The Strimzi Kafka Operator automatically configures Cruise Control with the necessary settings, including TLS certificates and security properties, to communicate securely with the Kafka cluster.

Are there any properties to give certificates or how certificates created/given?

In Strimzi, certificate management for Cruise Control is fully automated. These configurations are managed internally by Strimzi and are not exposed for manual user modification. For more details feel free check out the documentation here [1] or follow up with the Strimzi community on Slack or Strimzi GitHub discussions .

[1] https://strimzi.io/docs/operators/latest/deploying#security-str

[rahulbapumore]

Hi @kyguy
One question here -
We have requirement to support hot reloading for cruisecontrol , we use same strimzi certs for webserver interface of cruisecontrol.
In kafka we have kafka-config.sh script to update kafka config in order to load keystore/truststore, I dont see same config update is supported for cruise control
Could you please confirm on this?
Also is there any way to update cruise control configuration related to keystore/truststore dynamically?

Thanks in advance

[kyguy]

To make sure I understand the question properly:

(1) What does "hot loading" mean in this context? Does it mean changing the Cruise Control server configurations without restarting the Cruise Control server?

Also is there any way to update cruise control configuration related to keystore/truststore dynamically?

At this time, there is no way to update the Cruise Control keystore/trustore configurations dynamically, it requires restarting the Cruise Control server.

In kafka we have kafka-config.sh script to update kafka config in order to load keystore/truststore, I dont see same config update is supported for cruise control
Could you please confirm on this?

There is no such script for the Cruise Control server. That being said, there are other configurations can be dynamically updated via the REST API, they are listed here [1]

[1] https://github.com/linkedin/cruise-control/wiki/REST-APIs#change-cruise-control-configuration