|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * serverless/admin_guide/serverless-kafka-admin.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="serverless-kafka-sasl-source_{context}"] |
| 7 | += Configuring SASL authentication for Kafka sources |
| 8 | + |
| 9 | +_Simple Authentication and Security Layer_ (SASL) is used by Apache Kafka for authentication. If you use SASL authentication on your cluster, users must provide credentials to Knative for communicating with the Kafka cluster, otherwise events cannot be produced or consumed. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +* You have cluster or dedicated administrator permissions on {product-title}. |
| 14 | +* The {ServerlessOperatorName}, Knative Eventing, and the `KnativeKafka` CR are installed on your {product-title} cluster. |
| 15 | +* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}. |
| 16 | +* You have a username and password for a Kafka cluster. |
| 17 | +* You have chosen the SASL mechanism to use, for example, `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`. |
| 18 | +* If TLS is enabled, you also need the `ca.crt` certificate file for the Kafka cluster. |
| 19 | +* You have installed the OpenShift (`oc`) CLI. |
| 20 | +
|
| 21 | +.Procedure |
| 22 | + |
| 23 | +. Create the certificate files as secrets in your chosen namespace: |
| 24 | ++ |
| 25 | +[source,terminal] |
| 26 | +---- |
| 27 | +$ oc create secret -n <namespace> generic <kafka_auth_secret> \ |
| 28 | + --from-file=ca.crt=caroot.pem \ |
| 29 | + --from-literal=password="SecretPassword" \ |
| 30 | + --from-literal=saslType="SCRAM-SHA-512" \ <1> |
| 31 | + --from-literal=user="my-sasl-user" |
| 32 | +---- |
| 33 | +<1> The SASL type can be `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`. |
| 34 | + |
| 35 | +. Create or modify your Kafka source so that it contains the following `spec` configuration: |
| 36 | ++ |
| 37 | +[source,yaml] |
| 38 | +---- |
| 39 | +apiVersion: sources.knative.dev/v1beta1 |
| 40 | +kind: KafkaSource |
| 41 | +metadata: |
| 42 | + name: example-source |
| 43 | +spec: |
| 44 | +... |
| 45 | + net: |
| 46 | + sasl: |
| 47 | + enable: true |
| 48 | + user: |
| 49 | + secretKeyRef: |
| 50 | + name: <kafka_auth_secret> |
| 51 | + key: user |
| 52 | + password: |
| 53 | + secretKeyRef: |
| 54 | + name: <kafka_auth_secret> |
| 55 | + key: password |
| 56 | + saslType: |
| 57 | + secretKeyRef: |
| 58 | + name: <kafka_auth_secret> |
| 59 | + key: saslType |
| 60 | + tls: |
| 61 | + enable: true |
| 62 | + caCert: <1> |
| 63 | + secretKeyRef: |
| 64 | + name: <kafka_auth_secret> |
| 65 | + key: ca.crt |
| 66 | +... |
| 67 | +---- |
| 68 | +<1> The `caCert` spec is not required if you are using a public cloud Kafka service, such as Red Hat OpenShift Streams for Apache Kafka. |
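Review bot: In step 1, `--from-literal=password="SecretPassword"` puts the SASL password on the command line, where it ends up in shell history and is visible in the process list. Consider showing `--from-file=password=<password_file>` instead, or at least a `<password>` placeholder in the same style as `<namespace>` and `<kafka_auth_secret>`. The step's lead-in says "Create the certificate files as secrets", but the secret mostly holds the SASL user, password and type, and per the prerequisites `ca.crt` is only needed when TLS is enabled; rewording the lead-in and marking `--from-file=ca.crt=caroot.pem` as optional would match the `caCert` callout in step 2. The `<1>` callout on the `saslType` line also sits after the `\` line continuation; making `saslType` the last argument would avoid a marker following the continuation character.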