strimzi
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java‎
Lines changed: 40 additions & 0 deletions b/‎api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java‎
Lines changed: 56 additions & 58 deletions b/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java‎
Lines changed: 56 additions & 58 deletions
diff --git a/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java‎
Lines changed: 80 additions & 50 deletions b/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java‎
Lines changed: 80 additions & 50 deletions
@@ -6,6 +6,7 @@
 * Add support for Kafka 3.9.1
 * Fixed MirrorMaker 2 client rack init container override being ignored.
 * Support for Kubernetes Image Volumes to mount custom plugins
+* Kafka nodes are now configured with PEM certificates instead of P12/JKS for keystore and truststore.
 
 ### Major changes, deprecations and removals
 
 
@@ -49,6 +49,46 @@ public static String clientsCaKeySecretName(String clusterName) {
         return clusterName + "-clients-ca";
     }
 
+    /**
+     * Get the name of the Kafka role binding given the name of the {@code cluster}.
+     *
+     * @param clusterName  The cluster name.
+     *
+     * @return The name of Kafka role binding.
+     */
+    public static String kafkaRoleBindingName(String clusterName) {
+        return kafkaComponentName(clusterName) + "-role";
+    }
+
+    /**
+     * Get the name of the internal secret that contains TLS trusted certificates
+     * for connecting to Authorization server.
+     * The operator copies user specified secrets for Authorization server
+     * trusted certificates into a single secret with this name.
+     * It is then used when configuring Authorization server for Kafka cluster.
+     *
+     * @param clusterName The cluster name.
+     *
+     * @return Name of the internal secret that contains trusted certificates for Authz.
+     */
+    public static String internalAuthzTrustedCertsSecretName(String clusterName) {
+        return kafkaComponentName(clusterName) + "-authz-trusted-certs";
+    }
+
+    /**
+     * Get the name of the internal secret that contains TLS trusted certificates for OAuth server.
+     * The operator copies user specified secrets for OAuth trusted certificates into
+     * a single secret with this name.
+     * It is then used when configuring Kafka listeners with OAuth server.
+     *
+     * @param clusterName The cluster name.
+     *
+     * @return Name of the internal secret that contains OAuth trusted certificates.
+     */
+    public static String internalOauthTrustedCertsSecretName(String clusterName) {
+        return kafkaComponentName(clusterName) + "-oauth-trusted-certs";
+    }
+
     ////////
     // Kafka methods
     ////////
 
@@ -32,6 +32,10 @@
 import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
+import io.fabric8.kubernetes.api.model.rbac.PolicyRule;
+import io.fabric8.kubernetes.api.model.rbac.PolicyRuleBuilder;
+import io.fabric8.kubernetes.api.model.rbac.Role;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
 import io.fabric8.kubernetes.api.model.rbac.RoleRef;
 import io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder;
 import io.fabric8.kubernetes.api.model.rbac.Subject;
@@ -52,7 +56,6 @@
 import io.strimzi.api.kafka.model.kafka.Kafka;
 import io.strimzi.api.kafka.model.kafka.KafkaAuthorization;
 import io.strimzi.api.kafka.model.kafka.KafkaAuthorizationKeycloak;
-import io.strimzi.api.kafka.model.kafka.KafkaAuthorizationOpa;
 import io.strimzi.api.kafka.model.kafka.KafkaClusterSpec;
 import io.strimzi.api.kafka.model.kafka.KafkaClusterTemplate;
 import io.strimzi.api.kafka.model.kafka.KafkaResources;
@@ -144,6 +147,7 @@ public class KafkaCluster extends AbstractModel implements SupportsMetrics, Supp
     private static final String ENV_VAR_KAFKA_JMX_EXPORTER_ENABLED = "KAFKA_JMX_EXPORTER_ENABLED";
     private static final String ENV_VAR_STRIMZI_OPA_AUTHZ_TRUSTED_CERTS = "STRIMZI_OPA_AUTHZ_TRUSTED_CERTS";
     private static final String ENV_VAR_STRIMZI_KEYCLOAK_AUTHZ_TRUSTED_CERTS = "STRIMZI_KEYCLOAK_AUTHZ_TRUSTED_CERTS";
+    private static final String ENV_VAR_KAFKA_CLUSTER_NAME = "KAFKA_CLUSTER_NAME";
 
     // For port names in services, a 'tcp-' prefix is added to support Istio protocol selection
     // This helps Istio to avoid using a wildcard listener and instead present IP:PORT pairs which effects
@@ -169,12 +173,6 @@ public class KafkaCluster extends AbstractModel implements SupportsMetrics, Supp
     public static final int INGRESS_PORT = 443;
 
     protected static final String KAFKA_NAME = "kafka";
-    protected static final String CLUSTER_CA_CERTS_VOLUME = "cluster-ca";
-    protected static final String BROKER_CERTS_VOLUME = "broker-certs";
-    protected static final String CLIENT_CA_CERTS_VOLUME = "client-ca-cert";
-    protected static final String CLUSTER_CA_CERTS_VOLUME_MOUNT = "/opt/kafka/cluster-ca-certs";
-    protected static final String BROKER_CERTS_VOLUME_MOUNT = "/opt/kafka/broker-certs";
-    protected static final String CLIENT_CA_CERTS_VOLUME_MOUNT = "/opt/kafka/client-ca-certs";
     protected static final String TRUSTED_CERTS_BASE_VOLUME_MOUNT = "/opt/kafka/certificates";
     protected static final String CUSTOM_AUTHN_SECRETS_VOLUME_MOUNT = "/opt/kafka/custom-authn-secrets";
     private static final String LOG_AND_METRICS_CONFIG_VOLUME_NAME = "kafka-metrics-and-logging";
@@ -1377,9 +1375,6 @@ private List<Volume> getNonDataVolumes(boolean isOpenShift, NodeRef node, PodTem
         List<Volume> volumeList = new ArrayList<>();
 
         volumeList.add(VolumeUtils.createTempDirVolume(templatePod));
-        volumeList.add(VolumeUtils.createSecretVolume(CLUSTER_CA_CERTS_VOLUME, AbstractModel.clusterCaCertSecretName(cluster), isOpenShift));
-        volumeList.add(VolumeUtils.createSecretVolume(BROKER_CERTS_VOLUME, node.podName(), isOpenShift));
-        volumeList.add(VolumeUtils.createSecretVolume(CLIENT_CA_CERTS_VOLUME, KafkaResources.clientsCaCertificateSecretName(cluster), isOpenShift));
         volumeList.add(VolumeUtils.createConfigMapVolume(LOG_AND_METRICS_CONFIG_VOLUME_NAME, node.podName()));
         volumeList.add(VolumeUtils.createEmptyDirVolume("ready-files", "1Ki", "Memory"));
 
@@ -1413,7 +1408,10 @@ private List<Volume> getNonDataVolumes(boolean isOpenShift, NodeRef node, PodTem
 
                 if (ListenersUtils.isListenerWithOAuth(listener)) {
                     KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
-                    CertUtils.createTrustedCertificatesVolumes(volumeList, oauth.getTlsTrustedCertificates(), isOpenShift, "oauth-" + ListenersUtils.identifier(listener));
+                    String oauthTrustedCertsSecret = KafkaResources.internalOauthTrustedCertsSecretName(cluster);
+                    if (oauth.getTlsTrustedCertificates() != null && !oauth.getTlsTrustedCertificates().isEmpty() && volumeList.stream().noneMatch(v -> v.getName().equals(oauthTrustedCertsSecret))) {
+                        volumeList.add(VolumeUtils.createSecretVolume(oauthTrustedCertsSecret, oauthTrustedCertsSecret, isOpenShift));
+                    }
                 }
 
                 if (ListenersUtils.isListenerWithCustomAuth(listener)) {
@@ -1423,14 +1421,6 @@ private List<Volume> getNonDataVolumes(boolean isOpenShift, NodeRef node, PodTem
             }
         }
 
-        if (authorization instanceof KafkaAuthorizationOpa opaAuthz) {
-            CertUtils.createTrustedCertificatesVolumes(volumeList, opaAuthz.getTlsTrustedCertificates(), isOpenShift, "authz-opa");
-        }
-
-        if (authorization instanceof KafkaAuthorizationKeycloak keycloakAuthz) {
-            CertUtils.createTrustedCertificatesVolumes(volumeList, keycloakAuthz.getTlsTrustedCertificates(), isOpenShift, "authz-keycloak");
-        }
-
         TemplateUtils.addAdditionalVolumes(templatePod, volumeList);
 
         return volumeList;
@@ -1469,9 +1459,6 @@ private List<Volume> getPodSetVolumes(NodeRef node, Storage storage, PodTemplate
     private List<VolumeMount> getVolumeMounts(Storage storage, ContainerTemplate containerTemplate, boolean isBroker) {
         List<VolumeMount> volumeMountList = new ArrayList<>(VolumeUtils.createVolumeMounts(storage, false));
         volumeMountList.add(VolumeUtils.createTempDirVolumeMount());
-        volumeMountList.add(VolumeUtils.createVolumeMount(CLUSTER_CA_CERTS_VOLUME, CLUSTER_CA_CERTS_VOLUME_MOUNT));
-        volumeMountList.add(VolumeUtils.createVolumeMount(BROKER_CERTS_VOLUME, BROKER_CERTS_VOLUME_MOUNT));
-        volumeMountList.add(VolumeUtils.createVolumeMount(CLIENT_CA_CERTS_VOLUME, CLIENT_CA_CERTS_VOLUME_MOUNT));
         volumeMountList.add(VolumeUtils.createVolumeMount(LOG_AND_METRICS_CONFIG_VOLUME_NAME, LOG_AND_METRICS_CONFIG_VOLUME_MOUNT));
         volumeMountList.add(VolumeUtils.createVolumeMount("ready-files", "/var/opt/kafka"));
 
@@ -1493,8 +1480,8 @@ private List<VolumeMount> getVolumeMounts(Storage storage, ContainerTemplate con
                 }
 
                 if (ListenersUtils.isListenerWithOAuth(listener))   {
-                    KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
-                    CertUtils.createTrustedCertificatesVolumeMounts(volumeMountList, oauth.getTlsTrustedCertificates(), TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/oauth-" + identifier + "-certs/", "oauth-" + identifier);
+                    String oauthTrustedCertsSecret = KafkaResources.internalOauthTrustedCertsSecretName(cluster);
+                    volumeMountList.add(VolumeUtils.createVolumeMount(oauthTrustedCertsSecret, TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/" + oauthTrustedCertsSecret));
                 }
 
                 if (ListenersUtils.isListenerWithCustomAuth(listener)) {
@@ -1503,15 +1490,7 @@ private List<VolumeMount> getVolumeMounts(Storage storage, ContainerTemplate con
                 }
             }
         }
-
-        if (authorization instanceof KafkaAuthorizationOpa opaAuthz) {
-            CertUtils.createTrustedCertificatesVolumeMounts(volumeMountList, opaAuthz.getTlsTrustedCertificates(), TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/authz-opa-certs/", "authz-opa");
-        }
-
-        if (authorization instanceof KafkaAuthorizationKeycloak keycloakAuthz) {
-            CertUtils.createTrustedCertificatesVolumeMounts(volumeMountList, keycloakAuthz.getTlsTrustedCertificates(), TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/authz-keycloak-certs/", "authz-keycloak");
-        }
-
+        
         TemplateUtils.addAdditionalVolumeMounts(volumeMountList, containerTemplate);
 
         return volumeMountList;
@@ -1635,6 +1614,7 @@ private  List<EnvVar> getEnvVars(KafkaPool pool) {
         varList.add(ContainerUtils.createEnvVar(ENV_VAR_KAFKA_JMX_EXPORTER_ENABLED,
                 String.valueOf(metrics instanceof JmxPrometheusExporterModel)));
         varList.add(ContainerUtils.createEnvVar(ENV_VAR_STRIMZI_KAFKA_GC_LOG_ENABLED, String.valueOf(pool.gcLoggingEnabled)));
+        varList.add(ContainerUtils.createEnvVar(ENV_VAR_KAFKA_CLUSTER_NAME, cluster));
 
         JvmOptionUtils.heapOptions(varList, 50, 5L * 1024L * 1024L * 1024L, pool.jvmOptions, pool.resources);
         JvmOptionUtils.jvmPerformanceOptions(varList, pool.jvmOptions);
@@ -1646,29 +1626,13 @@ private  List<EnvVar> getEnvVars(KafkaPool pool) {
                 if (ListenersUtils.isListenerWithOAuth(listener)) {
                     KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
 
-                    if (oauth.getTlsTrustedCertificates() != null && !oauth.getTlsTrustedCertificates().isEmpty()) {
-                        varList.add(ContainerUtils.createEnvVar("STRIMZI_" + ListenersUtils.envVarIdentifier(listener) + "_OAUTH_TRUSTED_CERTS", CertUtils.trustedCertsEnvVar(oauth.getTlsTrustedCertificates())));
-                    }
-
                     if (oauth.getClientSecret() != null) {
                         varList.add(ContainerUtils.createEnvVarFromSecret("STRIMZI_" + ListenersUtils.envVarIdentifier(listener) + "_OAUTH_CLIENT_SECRET", oauth.getClientSecret().getSecretName(), oauth.getClientSecret().getKey()));
                     }
                 }
             }
         }
 
-        if (authorization instanceof KafkaAuthorizationOpa opaAuthz
-                && opaAuthz.getTlsTrustedCertificates() != null
-                && !opaAuthz.getTlsTrustedCertificates().isEmpty()) {
-            varList.add(ContainerUtils.createEnvVar(ENV_VAR_STRIMZI_OPA_AUTHZ_TRUSTED_CERTS, CertUtils.trustedCertsEnvVar(opaAuthz.getTlsTrustedCertificates())));
-        }
-
-        if (authorization instanceof KafkaAuthorizationKeycloak keycloakAuthz
-                && keycloakAuthz.getTlsTrustedCertificates() != null
-                && !keycloakAuthz.getTlsTrustedCertificates().isEmpty()) {
-            varList.add(ContainerUtils.createEnvVar(ENV_VAR_STRIMZI_KEYCLOAK_AUTHZ_TRUSTED_CERTS, CertUtils.trustedCertsEnvVar(keycloakAuthz.getTlsTrustedCertificates())));
-        }
-
         varList.addAll(jmx.envVars());
 
         // Add shared environment variables used for all containers
@@ -1708,6 +1672,54 @@ public ClusterRoleBinding generateClusterRoleBinding(String assemblyNamespace) {
         }
     }
 
+    /**
+     * Creates a Role for reading TLS certificate secrets in the same namespace as the resource.
+     * This is used for loading certificates from secrets directly.
+     **
+     * @return role for the Kafka Cluster
+     */
+    public Role generateRole() {
+        List<String> certSecretNames = new ArrayList<>();
+        certSecretNames.add(KafkaResources.clusterCaCertificateSecretName(cluster));
+        certSecretNames.add(KafkaResources.internalAuthzTrustedCertsSecretName(cluster));
+        certSecretNames.add(KafkaResources.internalOauthTrustedCertsSecretName(cluster));
+        certSecretNames.addAll(nodes().stream().map(NodeRef::podName).toList());
+
+        List<PolicyRule> rules = List.of(new PolicyRuleBuilder()
+                .withApiGroups("")
+                .withResources("secrets")
+                .withVerbs("get")
+                .withResourceNames(certSecretNames)
+                .build());
+
+        Role role = RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null);
+        return role;
+    }
+
+    /**
+     * Generates the Kafka Cluster Role Binding
+     *
+     * @return  Role Binding for the Kafka Cluster
+     */
+    public RoleBinding generateRoleBindingForRole() {
+        Subject subject = new SubjectBuilder()
+                .withKind("ServiceAccount")
+                .withName(componentName)
+                .withNamespace(namespace)
+                .build();
+
+        RoleRef roleRef = new RoleRefBuilder()
+                .withName(componentName)
+                .withApiGroup("rbac.authorization.k8s.io")
+                .withKind("Role")
+                .build();
+
+        RoleBinding rb = RbacUtils
+                .createRoleBinding(KafkaResources.kafkaRoleBindingName(cluster), namespace, roleRef, List.of(subject), labels, ownerReference, null);
+
+        return rb;
+    }
+
     /**
      * Generates the NetworkPolicies relevant for Kafka brokers
      *
@@ -1778,6 +1790,13 @@ public List<GenericKafkaListener> getListeners() {
         return listeners;
     }
 
+    /**
+     * @return The authorization
+     */
+    public KafkaAuthorization getAuthorization() {
+        return authorization;
+    }
+
     /**
      * Returns true when the Kafka cluster is exposed to the outside using NodePort type services
      *
@@ -1837,7 +1856,6 @@ private String generatePerBrokerConfiguration(NodeRef node, KafkaPool pool, Map<
                 .withKRaftMetadataLogDir(VolumeUtils.kraftMetadataPath(pool.storage))
                 .withLogDirs(VolumeUtils.createVolumeMounts(pool.storage, false))
                 .withListeners(cluster,
-                        kafkaVersion,
                         namespace,
                         listeners,
                         listenerId -> advertisedHostnames.get(node.nodeId()).get(listenerId),
@@ -1902,6 +1920,18 @@ public List<ConfigMap> generatePerBrokerConfigurationConfigMaps(MetricsAndLoggin
         return configMaps;
     }
 
+    /**
+     * Generates a Secret with the given name and data in Kafka Cluster's namespace
+     *
+     * @param secretData    Secret data
+     * @param secretName    Secret name
+     *
+     * @return Secret that is generated
+     */
+    public Secret generateSecret(Map<String, String> secretData, String secretName) {
+        return ModelUtils.createSecret(secretName, namespace, labels, ownerReference, secretData, Map.of(), Map.of());
+    }
+
     /**
      * @return  Kafka version
      */