As anticipated in the “Additional notes” section of my previous article, starting from Red Hat AMQ Streams 1.4, it is finally possible to use your own custom certificate for encrypting communication between Kafka clients and brokers, without having to provide a CA certificate. The auto-generated and auto-managed internal CAs remain, but only to protect inter-cluster communication.
The user-provided certificate can be used with all listeners that have TLS encryption enabled, such as the route, load balancer, ingress, and NodePort types. In this complete example, we will enable an external route listener for one-way TLS authentication.
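As an added illustration (not taken from the original article), this is roughly what a Kafka resource with a route listener using a user-provided certificate looks like, based on the `brokerCertChainAndKey` listener option of the Strimzi release underlying AMQ Streams 1.4. The cluster name, secret name, file names, replica counts and ephemeral storage are placeholder assumptions.

```yaml
# Added example. All names below (my-cluster, my-listener-cert, tls.crt, tls.key)
# are placeholders, not values from the article.
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    replicas: 3
    listeners:
      # Internal listeners keep using the operator-managed cluster CA.
      plain: {}
      tls: {}
      external:
        # Route listeners are always TLS-encrypted (passthrough routes).
        type: route
        # No "authentication" block: clients verify the broker certificate,
        # but the broker does not request a client certificate (one-way TLS).
        configuration:
          brokerCertChainAndKey:
            # Secret in the same namespace holding the custom certificate
            # chain and its private key, both PEM-encoded.
            secretName: my-listener-cert
            certificate: tls.crt
            key: tls.key
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}
```

The certificate's SANs must cover the hostnames clients connect to (the bootstrap route and each per-broker route). Otherwise hostname verification fails on the client side even though the listener starts.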
You need to have the following in place before you can proceed:
- An OpenShift cluster up and running.
- A custom X.509 certificate in PEM format (with required SANs).
- An active Red Hat Customer Portal account.
- The Red Hat AMQ Streams 1.4.0 Installation and Example package.
- An OpenShift user with the