openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/serverless-kafka-tls-channels.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

87 lines
2.4 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * /serverless/admin_guide/serverless-kafka-admin.adoc
// * /serverless/security/serverless-config-tls.adoc
:_mod-docs-content-type: PROCEDURE
[id="serverless-kafka-tls-channels_{context}"]
= Configuring TLS authentication for Knative channels for Apache Kafka
_Transport Layer Security_ (TLS) is used by Apache Kafka clients and servers to encrypt traffic between Knative and Kafka, as well as for authentication. TLS is the only supported method of traffic encryption for the Knative broker implementation for Apache Kafka.
.Prerequisites
* You have cluster or dedicated administrator permissions on {product-title}.
* The {ServerlessOperatorName}, Knative Eventing, and the `KnativeKafka` CR are installed on your {product-title} cluster.
* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
* You have a Kafka cluster CA certificate stored as a `.pem` file.
* You have a Kafka cluster client certificate and a key stored as `.pem` files.
* Install the OpenShift CLI (`oc`).
.Procedure
. Create the certificate files as secrets in your chosen namespace:
+
[source,terminal]
----
$ oc create secret -n <namespace> generic <kafka_auth_secret> \
--from-file=ca.crt=caroot.pem \
--from-file=user.crt=certificate.pem \
--from-file=user.key=key.pem
----
+
[IMPORTANT]
====
Use the key names `ca.crt`, `user.crt`, and `user.key`. Do not change them.
====
. Start editing the `KnativeKafka` custom resource:
+
[source,terminal]
----
$ oc edit knativekafka
----
. Reference your secret and the namespace of the secret:
+
[source,yaml]
----
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: <kafka_auth_secret>
authSecretNamespace: <kafka_auth_secret_namespace>
bootstrapServers: <bootstrap_servers>
enabled: true
source:
enabled: true
----
+
[NOTE]
====
Make sure to specify the matching port in the bootstrap server.
====
+
For example:
+
[source,yaml]
----
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: tls-user
authSecretNamespace: kafka
bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9094
enabled: true
source:
enabled: true
----
View Git Blame Copy Permalink