$ oc create secret -n knative-eventing generic <secret_name> \
--from-literal=protocol=SSL \
--from-file=ca.crt=caroot.pem \
--from-file=user.crt=certificate.pem \
--from-file=user.key=key.pem- Documentation
- OpenShift Dedicated
- Serverless
- Eventing
- Brokers
- Security configuration for Knative Kafka history bug_report picture_as_pdf
- About
- Introduction to OpenShift Dedicated
- Red Hat OpenShift Cluster Manager
- Planning your environment
- Getting started
- Installing, accessing, and deleting OpenShift Dedicated clusters
- Cluster administration
- Security and compliance
- Authentication and authorization
- Upgrading
- CI/CD
- Add-on services
- Storage
- Registry
- Networking
- Applications
-
Logging
- Release notes
- About Logging
- Installing Logging
- Accessing the service logs
-
Configuring your Logging deployment
- About the Cluster Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring Logging storage
- Configuring CPU and memory limits for Logging components
- Using tolerations to control Logging pod placement
- Moving the Logging resources with node selectors
- Maintenance and support
- Logging with the LokiStack
- Viewing logs for a specific resource
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Enabling JSON logging
- Collecting and storing Kubernetes events
- Updating Logging
- Viewing cluster dashboards
- Troubleshooting Logging
- Uninstalling Logging
- Exported fields
- Monitoring user-defined projects
-
Serverless
- Release notes
- About Serverless
- Installing Serverless
- Knative Serving
-
Eventing
- Knative Eventing
- Event sources
- Event sinks
- Brokers
-
Triggers
- Triggers overview
- Creating triggers from the web console
- Creating triggers from the command line
- Creating a trigger from the Administrator perspective
- List triggers from the command line
- Describe triggers from the command line
- Connecting a trigger to a sink
- Filtering triggers from the command line
- Updating triggers from the command line
- Deleting triggers from the command line
- Channels
- Subscriptions
- Event discovery
- Tuning eventing configuration
- kn-event plugin
-
Functions
- Setting up OpenShift Serverless Functions
- Getting started with functions
- Developing Quarkus functions
- Developing Node.js functions
- Developing TypeScript functions
- Using functions with Knative Eventing
- Function project configuration in func.yaml
- Accessing secrets and config maps from functions
- Adding annotations to functions
- Functions development reference guide
- Knative CLI
- Administer
- Security
- Observability
- Removing Serverless
- Serverless support
- Troubleshooting
×
Security configuration for Knative Kafka
Kafka clusters are generally secured by using the TLS or SASL authentication methods. You can configure a Kafka broker or channel to work against a protected Red Hat AMQ Streams cluster by using TLS or SASL.
|
Red Hat recommends that you enable both SASL and TLS together. |
Configuring TLS authentication for Kafka brokers
Transport Layer Security (TLS) is used by Apache Kafka clients and servers to encrypt traffic between Knative and Kafka, as well as for authentication. TLS is the only supported method of traffic encryption for Knative Kafka.
Prerequisites
-
You have cluster or dedicated administrator permissions on OpenShift Dedicated.
-
The OpenShift Serverless Operator, Knative Eventing, and the
KnativeKafkaCR are installed on your OpenShift Dedicated cluster. -
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Dedicated.
-
You have a Kafka cluster CA certificate stored as a
.pemfile. -
You have a Kafka cluster client certificate and a key stored as
.pemfiles. -
Install the OpenShift CLI (
oc).
Procedure
-
Create the certificate files as a secret in the
knative-eventingnamespace:Use the key names
ca.crt,user.crt, anduser.key. Do not change them. -
Edit the
KnativeKafkaCR and add a reference to your secret in thebrokerspec:apiVersion: operator.serverless.openshift.io/v1alpha1 kind: KnativeKafka metadata: namespace: knative-eventing name: knative-kafka spec: broker: enabled: true defaultConfig: authSecretName: <secret_name> ...
Configuring SASL authentication for Kafka brokers
Simple Authentication and Security Layer (SASL) is used by Apache Kafka for authentication. If you use SASL authentication on your cluster, users must provide credentials to Knative for communicating with the Kafka cluster; otherwise events cannot be produced or consumed.
Prerequisites
-
You have cluster or dedicated administrator permissions on OpenShift Dedicated.
-
The OpenShift Serverless Operator, Knative Eventing, and the
KnativeKafkaCR are installed on your OpenShift Dedicated cluster. -
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Dedicated.
-
You have a username and password for a Kafka cluster.
-
You have chosen the SASL mechanism to use, for example,
PLAIN,SCRAM-SHA-256, orSCRAM-SHA-512. -
If TLS is enabled, you also need the
ca.crtcertificate file for the Kafka cluster. -
Install the OpenShift CLI (
oc).
Procedure
-
Create the certificate files as a secret in the
knative-eventingnamespace:$ oc create secret -n knative-eventing generic <secret_name> \ --from-literal=protocol=SASL_SSL \ --from-literal=sasl.mechanism=<sasl_mechanism> \ --from-file=ca.crt=caroot.pem \ --from-literal=password="SecretPassword" \ --from-literal=user="my-sasl-user"-
Use the key names
ca.crt,password, andsasl.mechanism. Do not change them. -
If you want to use SASL with public CA certificates, you must use the
tls.enabled=trueflag, rather than theca.crtargument, when creating the secret. For example:$ oc create secret -n <namespace> generic <kafka_auth_secret> \ --from-literal=tls.enabled=true \ --from-literal=password="SecretPassword" \ --from-literal=saslType="SCRAM-SHA-512" \ --from-literal=user="my-sasl-user"
-
-
Edit the
KnativeKafkaCR and add a reference to your secret in thebrokerspec:apiVersion: operator.serverless.openshift.io/v1alpha1 kind: KnativeKafka metadata: namespace: knative-eventing name: knative-kafka spec: broker: enabled: true defaultConfig: authSecretName: <secret_name> ...