...
Code Block |
---|
{{- if .Values.config.useStrimziKafka }} apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }} labels: strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: type: scram-sha-512 authorization: type: simple acls: - resource: type: group name: {{ .Values.config.dataUpdatedTopic.consumer.groupId }} operation: Read - resource: type: topic name: {{ .Values.config.dataUpdatedTopic.name }} operation: Read - resource: type: topic name: {{ .Values.config.dataUpdatedTopic.name }} operation: Write {{- end }} |
Note |
---|
The following KafkaUser specs must be: spec.authorization.type = simple |
and the relevant values in values.yaml:
Code Block |
---|
global: kafkaBootstrap: strimzi-kafka-bootstrap cpsKafkaUser: cps-kafka-user config: useStrimziKafka: true dataUpdatedTopic: name: cps.data-updated-events partitions: 10 retentionMs: 7200000 segmentBytes: 1073741824 consumer: groupId: cps-temporal-group |
Connecting to the kafka cluster
On OOM, Strimzi creates a kubernetes secret with the same name as the KafkaUser (in this case cps-kafka-user)
An example of the format is:
Code Block |
---|
apiVersion: v1 kind: Secret metadata: name: cps-kafka-user labels: strimzi.io/kind: KafkaUser strimzi.io/cluster: my-cluster type: Opaque data: password: Z2VuZXJhdGVkcGFzc3dvcmQ= sasl.jaas.config: b3JnLmFwYWNoZS5rYWZrYS5jb21tb24uc2VjdXJpdHkuc2NyYW0uU2NyYW1Mb2dpbk1vZHVsZSByZXF1aXJlZCB1c2VybmFtZT0ibXktdXNlciIgcGFzc3dvcmQ9ImdlbmVyYXRlZHBhc3N3b3JkIjsK |
To retrieve this secret we need to use the _secret template provided by OOM common.
In the case of cps-temporal for example we configure and externalSecret on the pod:
Code Block |
---|
cps-temporal:
enabled: true
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }}' |
Which is then setup in the secrets section of the components values.yaml.
In this example we are getting the sasl.jaas.config which provides the credentials to connect to the cluster in the form of org.apache.kafka.common.security.scram.ScramLoginModule required username="my-user" password="generatedpassword";
Code Block |
---|
secrets:
- uid: cps-kafka-user
externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}'
type: genericKV
envs:
- name: sasl.jaas.config
value: '{{ .Values.config.someConfig }}'
policy: generate |
We then pass the secret to the pod via an environment variable:
Code Block |
---|
...
env:
{{- if .Values.config.useStrimziKafka }}
- name: JAASLOGIN
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }}
{{- end }}
... |
In the case of cps-temporal, it then sets this config as part of it's application.yaml:
Code Block |
---|
{{- if .Values.config.useStrimziKafka }}
spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092
spring.kafka.security.protocol: SASL_PLAINTEXT
spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN}
{{ else }} |
Note |
---|
For your application, The security.protocol must be: SASL_PLAINTEXT The sasl.mechanism must be: SCRAM-SHA-512 |