Authentication

The communication between nodes (server to server) is encrypted TLS by default. In order to enforce TLS authentication for client-to-server communication, you can set an AuthenticationClass reference in the custom resource provided by the Commons Operator.

Currently it is possible to configure a single form of authentication (of type TLS) by adding one (and only one) entry in the authentication sequence as shown in the example below. Additional authentication methods, such as Kerberos, are not yet supported.

---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
  name: simple-zk
spec:
  image:
    productVersion: 3.8.3
  clusterConfig:
    authentication:
      - authenticationClass: zk-client-tls (1)
  servers:
    roleGroups:
      default:
        replicas: 3
---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: zk-client-tls (2)
spec:
  provider:
    tls:
      clientCertSecretClass: zk-client-auth-secret (3)
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: zk-client-auth-secret (4)
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-zk-client-ca
          namespace: default
        autoGenerate: true
1 The clusterConfig.authentication.authenticationClass can be set to use TLS for authentication. This is optional.
2 The referenced AuthenticationClass that references a SecretClass to provide certificates.
3 The reference to a SecretClass.
4 The SecretClass that is referenced by the AuthenticationClass in order to provide certificates.

If both spec.clusterConfig.tls.server.secretClass and spec.clusterConfig.authentication.authenticationClass are set, the authentication class will take precedence over the secret class. The cluster will be encrypted and authenticate only against the authentication class.

Due to a bug in ZooKeeper, the clientPort property in combination with client.portUnification=true is used instead of the secureClientPort. This means that unencrypted and unauthenticated access to the ZooKeeper cluster is still possible.