Kafka: split SASL and TLS config #242

Merged
merged 1 commit into from
Sep 10, 2020
6 changes: 6 additions & 0 deletions content/docs/2.0/migration.md
Expand Up @@ -87,3 +87,9 @@ spec:
**Example of v2 ScaledJob**

TODO

Member


Suggested change


### Scalers

**Kafka**
Member


Nit: Should we use a list?

- `authMode` property was replaced with `sasl` and `tls` properties. Please refer [documentation](../scalers/apache-kafka/#authentication-parameters) for Kafka Authentication Parameters details.
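
Review bot: The `authMode` bullet says the property was replaced by `sasl` and `tls` but gives no mapping from the old values to the new pair, so someone upgrading from, say, `sasl_ssl` or `sasl_scram_sha256` has to reconstruct it from the scaler page. Suggest listing each old `authMode` value next to its `sasl`/`tls` equivalent here. Wording nit on the same line: "Please refer [documentation]" should read "Please refer to the [documentation]".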
33 changes: 20 additions & 13 deletions content/docs/2.0/scalers/apache-kafka.md
Expand Up @@ -25,7 +25,6 @@ triggers:

**Parameter list:**

- `brokerList`: comma separated list of Kafka brokers "hostname:port" to connect to for bootstrap (DEPRECATED).
- `bootstrapServers`: comma separated list of Kafka brokers "hostname:port" to connect to for bootstrap.
- `consumerGroup`: consumer group used for checking the offset on the topic and processing the related lag.
- `topic`: topic on which processing the offset lag.
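
Review bot: Dropping `brokerList` from the parameter list (the hunk goes from 7 lines to 6, and it is the entry marked DEPRECATED) is not covered by the migration.md note, which only mentions `authMode`. If the parameter is gone in 2.0, add a second bullet under the Kafka migration section pointing users to `bootstrapServers`.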
Expand All @@ -34,21 +33,25 @@ triggers:

### Authentication Parameters

You can use `TriggerAuthentication` CRD to configure the authenticate by providing authMode, username, password. If your kafka cluster does not have sasl authentication turned on, you will not need to pay attention to it.
You can use `TriggerAuthentication` CRD to configure the authenticate by providing `sasl`, `username` and `password`, in case your Kafka cluster has SASL authentication turned on. If TLS is required you should set `tls` to `enabled` and provide `ca`, `cert` and `key`.

**Credential based authentication:**

- `authMode` Kafka sasl auth mode. Optional. The default value is none. For now, it must be one of none, sasl_plaintext, sasl_ssl, sasl_ssl_plain, sasl_scram_sha256, sasl_scram_sha512.
- `username` Optional. If authmode is not none, this is required.
- `password` Optional.If authmode is not none, this is required.
- `ca` Certificate authority file for TLS client authentication. Optional. If authmode is sasl_ssl, this is required.
- `cert` Certificate for client authentication. Optional. If authmode is sasl_ssl, this is required.
- `key` Key for client authentication. Optional. If authmode is sasl_ssl, this is required.
SASL:
- `sasl`: Kafka SASL auth mode. Optional. If not set, SASL for Kafka is not used. If set, it must be one of `plaintext`, `scram_sha256` or `scram_sha512`.
- `username`: Optional. If `sasl` is set, this is required.
- `password`: Optional. If `sasl` is set, this is required.

TLS:
- `tls`: Optional. To enable SSL auth for Kafka, set this to `enable`. If not set, TLS for Kafka is not used.
zroubalik marked this conversation as resolved.
- `ca`: Certificate authority file for TLS client authentication. Optional. If `tls` is enabled, this is required.
- `cert`: Certificate for client authentication. Optional.If `tls` is enabled, this is required.
- `key`: Key for client authentication. Optional. If `tls` is enabled, this is required.


### Example

Your kafka cluster no sasl auth:
Your kafka cluster no SASL/TLS auth:

```yaml
apiVersion: keda.sh/v1alpha1
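
Review bot: The accepted `tls` value is spelled two ways: the intro paragraph says to set `tls` to `enabled`, while the `tls` bullet under "TLS:" says `enable` (and describes it as "SSL auth"). Pick one literal and use it in both places, otherwise a reader copying from the paragraph may set a value the scaler does not recognise. The `ca`, `cert` and `key` bullets also make the client certificate and key required whenever `tls` is on; if TLS with server verification only (just `ca`) is meant to work, say so, and if it is not, state that mutual TLS is the only supported mode. Small wording fixes in the same hunk: "configure the authenticate" should be "configure authentication", and the `cert` bullet is missing a space after "Optional.".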
Expand All @@ -71,7 +74,7 @@ spec:
offsetResetPolicy: latest
```

Your kafka cluster turn on sasl auth
Your kafka cluster turn on SASL/TLS auth:

```yaml
apiVersion: v1
Expand All @@ -80,9 +83,10 @@ metadata:
name: keda-kafka-secrets
namespace: default
data:
authMode: "sasl_plaintext"
sasl: "plaintext"
username: "admin"
password: "admin"
tls: "enable"
ca: <your ca>
cert: <your cert>
key: <your key>
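
Review bot: The added `sasl: "plaintext"` and `tls: "enable"` entries sit under `data:`, alongside `username: "admin"` and `password: "admin"`, but values under a Secret's `data:` field must be base64-encoded, not literal strings. Either switch the example to `stringData:` or show base64 values, so the example can be applied as written. It would also help to replace the `admin`/`admin` pair with placeholders in the style of `<your ca>`, since documentation examples tend to be copied verbatim.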
Expand All @@ -94,15 +98,18 @@ metadata:
namespace: default
spec:
secretTargetRef:
- parameter: authMode
- parameter: sasl
name: keda-kafka-secrets
key: authMode
key: sasl
- parameter: username
name: keda-kafka-secrets
key: username
- parameter: password
name: keda-kafka-secrets
key: password
- parameter: tls
name: keda-kafka-secrets
key: tls
- parameter: ca
name: keda-kafka-secrets
key: ca