Configuration of certificates outside Kafka cluster namespace

[trietsch]

Currently, when specifying the certificate secret (through brokerCertChainAndKey and it's respective child properties), Strimzi assumes that the certificate is deployed in the same namespace as the Kafka cluster.
This is less convenient in situations where certificates are reused (i.e. wildcard certificates). I'd like to propose to add an option to the brokerCertChainAndKey block, called namespace, to refer to the namespace in which the secret is deployed.

Let me know what you think, I can create a feature request issue for this idea.

[scholzj]

This is not just about adding a new option. Kubernetes do not allow you to mount secrets outside your namespace. So apart from the new option in the API, you would also need to copy the secret into the right namespace to be able to mount it. So at the end you would anyway end up with a copy of the secret, just done by the operator.

[trietsch]

I was unaware of the fact that Kubernetes does not allow that. Then something like https://github.com/mittwald/kubernetes-replicator would be a valid option that solves this issue.

[scholzj]

Yeah ... I guess in general it is still something what could be done in Strimzi directly. But using some other tool to do the copying would do the same with less code in Strimzi.

[trietsch]

If you want, I can create an issue for this. Not really high priority though imo.

[scholzj]

TBH, as you want ... if you are happy with using something like the Kubernetes Replicator, I don't think you have to open anything. If you would prefer to have this built directly into Strimzi, you can of course open an enhancement issue.

[trietsch]

I've used the Kubernetes replicator, which works great so I don't see the need to add this to Strimzi.