Authentication
Communication between nodes (server to server) is encrypted with TLS by default. To enforce TLS authentication for client-to-server communication, set an AuthenticationClass reference in the custom resource provided by the Commons Operator.

Currently only a single form of authentication (of type TLS) can be configured, by adding one (and only one) entry to the authentication sequence, as shown in the example below. Additional authentication methods, such as Kerberos, are not yet supported.
```yaml
---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
  name: simple-zk
spec:
  image:
    productVersion: 3.8.3
  clusterConfig:
    authentication:
      - authenticationClass: zk-client-tls # (1)
  servers:
    roleGroups:
      default:
        replicas: 3
---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: zk-client-tls # (2)
spec:
  provider:
    tls:
      clientCertSecretClass: zk-client-auth-secret # (3)
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: zk-client-auth-secret # (4)
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-zk-client-ca
          namespace: default
        autoGenerate: true
```

| 1 | The clusterConfig.authentication.authenticationClass can be set to use TLS for authentication. This is optional. |
| 2 | The referenced AuthenticationClass, which in turn references a SecretClass to provide certificates. |
| 3 | The reference to a SecretClass. |
| 4 | The SecretClass that is referenced by the AuthenticationClass in order to provide certificates. |
If both spec.clusterConfig.tls.server.secretClass and spec.clusterConfig.authentication.authenticationClass are set,
the authentication class will take precedence over the secret class. The cluster will be encrypted and authenticate only
against the authentication class.
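A pre-apply consistency check for the reference chain described above (ZookeeperCluster to AuthenticationClass to SecretClass), written here as an added example rather than anything shipped with the operator. It encodes the page's constraints: exactly one authentication entry, a tls provider, a SecretClass that actually exists, and a notice when tls.server.secretClass is also set and will be overridden. The manifests are constructed inline to mirror the example; for a live cluster, feed it the parsed output of `kubectl get <kind> -o json` instead.

```python
"""Offline check of the ZooKeeper client-auth chain:
ZookeeperCluster -> AuthenticationClass -> SecretClass.
Added example; the manifests below are constructed, not read from a cluster."""
from typing import Any, Dict, List

Manifest = Dict[str, Any]

def check_auth_chain(manifests: List[Manifest]) -> List[str]:
    """Return the problems found; an empty list means the chain is consistent."""
    problems: List[str] = []
    by_kind: Dict[str, Dict[str, Manifest]] = {}
    for m in manifests:  # index every manifest by kind and name
        by_kind.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    clusters = by_kind.get("ZookeeperCluster", {})
    if not clusters:
        return ["no ZookeeperCluster found"]
    for name, zk in clusters.items():
        cfg = zk.get("spec", {}).get("clusterConfig", {})
        auth = cfg.get("authentication")
        if not auth:  # optional field: encrypted, but client certs not required
            problems.append(f"{name}: no authentication entry, client certs not required")
            continue
        if len(auth) != 1:  # the operator accepts one (and only one) entry
            problems.append(f"{name}: exactly one authentication entry allowed, found {len(auth)}")
            continue
        ref = auth[0].get("authenticationClass")
        ac = by_kind.get("AuthenticationClass", {}).get(ref)
        if ac is None:
            problems.append(f"{name}: AuthenticationClass '{ref}' not found")
            continue
        provider = ac.get("spec", {}).get("provider", {})
        if "tls" not in provider:  # only the tls provider is supported today
            problems.append(f"{ref}: provider must be tls, found {sorted(provider)}")
            continue
        sc_name = provider["tls"].get("clientCertSecretClass")
        if sc_name not in by_kind.get("SecretClass", {}):
            problems.append(f"{ref}: SecretClass '{sc_name}' not found")
        if cfg.get("tls", {}).get("server", {}).get("secretClass"):
            problems.append(f"{name}: tls.server.secretClass is set but the authentication class takes precedence")
    return problems

# Constructed manifests mirroring the page's example (not a real cluster).
MANIFESTS: List[Manifest] = [
    {"kind": "ZookeeperCluster", "metadata": {"name": "simple-zk"},
     "spec": {"clusterConfig": {"authentication": [{"authenticationClass": "zk-client-tls"}]}}},
    {"kind": "AuthenticationClass", "metadata": {"name": "zk-client-tls"},
     "spec": {"provider": {"tls": {"clientCertSecretClass": "zk-client-auth-secret"}}}},
    {"kind": "SecretClass", "metadata": {"name": "zk-client-auth-secret"},
     "spec": {"backend": {"autoTls": {"ca": {"autoGenerate": True}}}}},
]
```

Run it before `kubectl apply` on the three manifests together; a dangling SecretClass reference is the most common reason client authentication silently fails to come up.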
NOTE: Due to a bug in ZooKeeper, the clientPort property in combination with client.portUnification=true is used instead of the secureClientPort. This means that unencrypted and unauthenticated access to the ZooKeeper cluster is still possible.