In production, Kafka clusters are often secured using the TLS or SASL authentication methods. This section shows how to configure a Kafka channel to work against a protected Red Hat AMQ Streams cluster using TLS or SASL.
If you choose to enable SASL, Red Hat recommends also enabling TLS.
You can use the following procedure to configure TLS authentication for a Kafka channel.
You have a Kafka cluster CA certificate stored as a .pem file.
You have a Kafka cluster client certificate and a key stored as .pem files.
Install the OpenShift CLI (oc).
Create the certificate files as secrets in your chosen namespace:
$ oc create secret -n <namespace> generic <kafka_auth_secret> \
--from-file=ca.crt=caroot.pem \
--from-file=user.crt=certificate.pem \
--from-file=user.key=key.pem
Use the key names ca.crt, user.crt, and user.key. Do not change them.
Start editing the KnativeKafka custom resource:
$ oc edit knativekafka
Reference your secret and the namespace of the secret:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: <kafka_auth_secret>
authSecretNamespace: <kafka_auth_secret_namespace>
bootstrapServers: <bootstrap_servers>
enabled: true
source:
enabled: true
Make sure to specify the matching port in the bootstrap server.
For example:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: tls-user
authSecretNamespace: kafka
bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9094
enabled: true
source:
enabled: true
You can use the following procedure to configure SASL authentication for a Kafka channel.
You have a username and password for the Kafka cluster.
You have chosen the SASL mechanism to use, for example PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
If TLS is enabled, you also need the ca.crt certificate file for the Kafka cluster.
Install the OpenShift CLI (oc).
Red Hat recommends enabling TLS in addition to SASL.
Create the certificate files as secrets in your chosen namespace:
$ oc create secret --namespace <namespace> generic <kafka_auth_secret> \
--from-file=ca.crt=caroot.pem \
--from-literal=password="SecretPassword" \
--from-literal=saslType="SCRAM-SHA-512" \
--from-literal=user="my-sasl-user"
Use the key names ca.crt, password, saslType, and user. Do not change them.
Start editing the KnativeKafka custom resource:
$ oc edit knativekafka
Reference your secret and the namespace of the secret:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: <kafka_auth_secret>
authSecretNamespace: <kafka_auth_secret_namespace>
bootstrapServers: <bootstrap_servers>
enabled: true
source:
enabled: true
Make sure to specify the matching port in the bootstrap server.
For example:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: scram-user
authSecretNamespace: kafka
bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9093
enabled: true
source:
enabled: true
If you want to use SASL with public CA certificates, you must use the tls.enabled=true flag, rather than the ca.crt argument, when creating the secret. For example:
$ oc create secret --namespace <namespace> generic <kafka_auth_secret> \
--from-literal=tls.enabled=true \
--from-literal=password="SecretPassword" \
--from-literal=saslType="SCRAM-SHA-512" \
--from-literal=user="my-sasl-user"
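The following script is an added example and is not part of the Red Hat documentation or the OpenShift Serverless operator. It covers both the TLS and the SASL procedures above: before running oc create secret and oc edit knativekafka, it checks that the PEM files carry the expected block types, that the secret uses exactly the key names the page shows (ca.crt, user.crt, user.key for TLS; user, password, saslType plus ca.crt or tls.enabled for SASL), that saslType is one of the mechanisms the page lists, and that the bootstrap server carries an explicit port. All function names (pem_has_block, bootstrap_has_port, secret_keys_ok, sasl_ca_mode, sasl_type_ok, tls_secret_cmd, demo) are hypothetical helpers, and the PEM contents in the demo are constructed placeholders rather than real certificates. The script only prints the oc command; it never calls oc itself.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: offline pre-flight checks
# for the TLS and SASL Kafka channel secrets. Key names and SASL mechanisms are the
# ones the page shows; all helper names here are hypothetical.

# Does the PEM file contain a block of the given type ("CERTIFICATE", "PRIVATE KEY")?
# "PRIVATE KEY" also matches "RSA PRIVATE KEY" / "EC PRIVATE KEY" headers.
pem_has_block() {
  grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Is key $1 present in the space-separated key list $2?
has_key() {
  case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# A bootstrap server must carry an explicit port (9094 and 9093 in the page's
# examples); returns 1 when the port is missing, non-numeric or out of range.
bootstrap_has_port() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  port=${1##*:}
  case "$port" in ""|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Compare the keys of a secret against the names the page uses for each mode.
# Usage: secret_keys_ok tls|sasl key...
secret_keys_ok() {
  mode=$1; shift
  have="$*"
  case "$mode" in
    tls)  need="ca.crt user.crt user.key" ;;
    sasl) need="user password saslType" ;;
    *)    echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  for k in $need; do
    has_key "$k" "$have" || { echo "missing secret key: $k" >&2; return 1; }
  done
  return 0
}

# For SASL, report how the broker certificate is trusted: "ca.crt" (private CA
# file), "tls.enabled" (public CA, per the page) or "plaintext" (neither).
# Supplying both contradicts the page's "rather than" and is rejected.
sasl_ca_mode() {
  keys="$*"
  ca=0; pub=0
  has_key ca.crt "$keys" && ca=1
  has_key tls.enabled "$keys" && pub=1
  if [ "$ca" = 1 ] && [ "$pub" = 1 ]; then
    echo "ca.crt and tls.enabled are alternatives; use one of them" >&2
    return 1
  fi
  if [ "$ca" = 1 ]; then echo ca.crt
  elif [ "$pub" = 1 ]; then echo tls.enabled
  else echo plaintext
  fi
}

# saslType must be one of the mechanisms the page lists.
sasl_type_ok() {
  case "$1" in PLAIN|SCRAM-SHA-256|SCRAM-SHA-512) return 0 ;; *) return 1 ;; esac
}

# Build (but do not run) the oc command for a TLS secret after checking the files.
# Usage: tls_secret_cmd <namespace> <secret_name> <ca.pem> <cert.pem> <key.pem>
tls_secret_cmd() {
  pem_has_block "$3" CERTIFICATE   || { echo "$3: no CERTIFICATE block" >&2; return 1; }
  pem_has_block "$4" CERTIFICATE   || { echo "$4: no CERTIFICATE block" >&2; return 1; }
  pem_has_block "$5" "PRIVATE KEY" || { echo "$5: no PRIVATE KEY block" >&2; return 1; }
  printf 'oc create secret -n %s generic %s --from-file=ca.crt=%s --from-file=user.crt=%s --from-file=user.key=%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Demo on constructed placeholder PEM files (real ones come from your Kafka CA).
demo() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDER '-----END CERTIFICATE-----' > "$dir/caroot.pem"
  cp "$dir/caroot.pem" "$dir/certificate.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' PLACEHOLDER '-----END PRIVATE KEY-----' > "$dir/key.pem"
  tls_secret_cmd kafka tls-user "$dir/caroot.pem" "$dir/certificate.pem" "$dir/key.pem"
  bootstrap_has_port eventing-kafka-bootstrap.kafka.svc:9094 && echo "bootstrap port ok"
  secret_keys_ok sasl ca.crt password saslType user && echo "SASL keys ok, CA mode: $(sasl_ca_mode ca.crt password saslType user)"
  rm -rf "$dir"
}
demo
```

Run the checks against the real files and the key list you intend to pass to oc create secret; a failure in secret_keys_ok or sasl_ca_mode means the KnativeKafka channel would be pointed at a secret whose keys do not match what the page specifies, which is a configuration error to catch before editing the custom resource.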