Adding configuration description for TLS/SASL for the KafkaChannel (#3067)

* Adding configuration description for TLS/SASL for the KafkaChannel Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * Updating based on feedback Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * 💄 a little more context and polishing Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * Fixing typo Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
2020-12-10 16:05:41 +01:00 · 2020-12-10 16:05:41 +01:00 · a7e66471ae
parent fc833e3b42
commit a7e66471ae
1 changed files with 70 additions and 0 deletions
--- a/docs/eventing/samples/kafka/channel/README.md
+++ b/docs/eventing/samples/kafka/channel/README.md
@ -151,3 +151,73 @@ Now you can see the events in the log of the `ksvc` using the command:
 ```
 kubectl logs --selector='serving.knative.dev/service=broker-kafka-display' -c user-container
 ```
+
+## Authentication against an Apache Kafka
+
+In production environments it is common that the Apache Kafka cluster is secured using [TLS](http://kafka.apache.org/documentation/#security_ssl) or [SASL](http://kafka.apache.org/documentation/#security_sasl). This section shows how to confiugure the `KafkaChannel` to work against a protected Apache Kafka cluster, with the two supported TLS and SASL authentication methods.
+
+### TLS authentication
+
+To use TLS authentication you must create:
+
+* A CA certificate
+* A client certificate and key
+
+**NOTE:** Kafka channels require these files to be in `.pem` format. If your files are in a different format, you must convert them to `.pem`.
+
+
+1. Create the certificate files as secrets in your chosen namespace:
+```
+$ kubectl create secret --namespace <namespace> generic <kafka-auth-secret> \
+  --from-file=ca.crt=caroot.pem \
+  --from-file=user.crt=certificate.pem \
+  --from-file=user.key=key.pem
+ ```
+
+*NOTE:* It is important to use the same keys (`ca.crt`, `user.crt` and `user.key`).
+
+Reference your secret and the namespace of the secret in the `config-kafka` ConfigMap:
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-kafka
+  namespace: knative-eventing
+data:
+  bootstrapServers: <bootstrap-servers>
+  authSecretName: <kafka-auth-secret>
+  authSecretNamespace: <namespace>
+ ```
+
+### SASL authentication
+
+To use SASL authentication, you will need the following information:
+
+* A username and password.
+* The type of SASL mechanism you wish to use. For example; `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.
+
+**NOTE:** It is recommended to also enable TLS. If you enable this, you will also need the `ca.crt` certificate as described in the previous section.
+
+1. Create the certificate files as secrets in your chosen namespace:
+```
+$ kubectl create secret --namespace <namespace> generic <kafka-auth-secret> \
+  --from-file=ca.crt=caroot.pem \
+  --from-literal=password="SecretPassword" \
+  --from-literal=saslType="SCRAM-SHA-512" \
+  --from-literal=user="my-sasl-user"
+```
+
+*NOTE:* It is important to use the same keys; `user`, `password` and `saslType`.
+
+Reference your secret and the namespace of the secret in the `config-kafka` ConfigMap:
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-kafka
+  namespace: knative-eventing
+data:
+  bootstrapServers: <bootstrap-servers>
+  authSecretName: <kafka-auth-Secret>
+  authSecretNamespace: <namespace>
+```