Is enabling TLS necessary for initiating scram-sha-512 authentication?

[melin]

The following YAML code removes the line "authentication: type: scram-sha-512", which enables the creation of a Kafka cluster. Has the deletion failed? Just want to use scram-sha-512 and not enable TLS

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: prod-cluster
  namespace: kafka
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      default.replication.factor: 3
      min.insync.replicas: 2
    authorization:
      type: simple
    listeners:
        - name: plain
          port: 9092
          type: internal
          tls: false
        - name: tls
          port: 9093
          type: internal
          tls: false
        - name: external1
          port: 9094
          type: nodeport
          tls: false
          authentication:
            type: scram-sha-512
          configuration:
            bootstrap:
              nodePort: 32309
    version: 4.1.1
    metadataVersion: 4.1-IV1
  entityOperator:
    userOperator: {}
    topicOperator: {}
  jvmOptions:
    -Xms: "512m"
    -Xmx: "1g"

[scholzj]

Using SCRAM-SHA without encryption is normally not recommended as it allows possible replay attacks etc. But technically, niothing prevents it and you can configure Strimzi / Kafka that way.