This repository contains an example of how you can build and use a custom principal builder class in Strimzi-powered Apache Kafka clusters. It provides a custom principal builder that:
- It keeps the default mapping rules for mTLS users for the replication and control plane listeners used by internal Strimzi components such as the operators, Kafka nodes etc.. That is important to keep Strimzi working.
- But it allows to customize the mapping rules for the other listeners.
In the example in this repository, the users will be mapped to
<Certificate-CN>@my-cluster.
- Customize the mapping rules in any way you want.
The custom rule is currently stored inside the code in the
CUSTOM_SSL_PRINCIPAL_MAPPING_RULESconstant in theCustomPrincipalBuilderclass. The Apache Kafka documentation has more details on how the rules should look like. - Build the project with Maven:
mvn clean package - Edit the
Dockerfilefile and update theFROMdefintion to match the Strimzi and Kafka version you want to use. - Build a new custom container image with the JAR and push it into your container repository.
For example:
docker build -t quay.io/scholzj/kafka:0.38.0-kafka-3.6.0 . docker push quay.io/scholzj/kafka:0.38.0-kafka-3.6.0 - Use the image in your Kafka cluster and configure the custom principal builder class:
apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka metadata: name: my-cluster spec: # ... kafka: image: quay.io/scholzj/kafka:0.38.0-kafka-3.6.0 config: principal.builder.class: cz.scholz.customprincipalbuilder.CustomPrincipalBuilder # ...