Add kafka signing_policy for client/server auth. Add kafka-client cert on manager so manager can interact with kafka using its own cert

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2026-01-24 17:03:27 +01:00 · 2024-04-04 16:21:29 -04:00
parent 40b08d737c
commit 436cbc1f06
2 changed files with 86 additions and 5 deletions
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -70,3 +70,17 @@ x509_signing_policies:
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
+  kafka:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "digitalSignature, keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: "serverAuth, clientAuth"
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/