How to enable encryption
Deploy a TLS Provider charm
To enable encryption, you should first deploy a TLS certificates Provider charm. The Kafka and ZooKeeper charms implement the Requirer side of the tls-certificates/v1 charm relation. Therefore, any charm implementing the Provider side can be used.
One possible option, suitable for testing, is the self-signed-certificates charm, although this setup is not recommended for production clusters.
To deploy a self-signed-certificates charm:
# deploy the TLS charm
juju deploy self-signed-certificates --channel=edge
# add the necessary configurations for TLS
juju config self-signed-certificates ca-common-name="Test CA"
Please refer to this post for an overview of the TLS certificates Provider charms and some guidance on how to choose the right charm for your use case.
Enable TLS on Kafka and ZooKeeper
juju relate <tls-certificates> zookeeper
juju relate <tls-certificates> kafka:certificates
where <tls-certificates> is the name of the TLS certificate provider charm deployed.
Note: If Kafka and ZooKeeper are already related, they will start renegotiating their relation to exchange certificates and to enable and open the correct ports and connections. Otherwise, relate them only after both of them have been related to the <tls-certificates> charm.
Manage keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action.
# Updates can be done with auto-generated keys with
juju run kafka/<unit_id> set-tls-private-key
When passing an external or internal key to the action, the key file should only be encoded with base64 -w0, not read with cat, as follows:
# generate shared internal key
openssl genrsa -out internal-key.pem 3072
# apply keys on each unit
juju run kafka/<unit_id> set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
To disable TLS, remove the relations:
juju remove-relation kafka <tls-certificates>
juju remove-relation zookeeper <tls-certificates>
where <tls-certificates> is the name of the TLS certificate provider charm deployed.