Simple Authentication and Security Layer (SASL)
This authentication method is commonly used with an EventHub such as Kafka.
Synopsis

```yaml
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-plain-creds
spec:
  sasl:
    mechanism: PLAIN # or SCRAM-SHA-256 or SCRAM-SHA-512
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password
    # sslConf below is optional.
    # If it is defined, then SASL_SSL will be configured
    sslConf:
      # Explicitly set, but assumed 'true' if not present.
      enabled: true
      # Optional. Configure an explicit CA for server authentication.
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt
      # Optional. Set a client certificate if the server requires it.
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      # Optional. Set a client key if the server requires it. PKCS#8 only.
      privateKeyPemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.key
      # Optional. Set the password to unlock the client's private key
      privateKeyPasswordFrom:
        secretKeyRef:
          name: tls-key-password
          key: password
```

SASL/PLAIN
To use the SASL/PLAIN authentication method, set the mechanism field to PLAIN.
SASL/SCRAM
To use the SASL/SCRAM authentication method, set the mechanism field to SCRAM-SHA-256 or SCRAM-SHA-512.
Using SSL/TLS
Using SASL for authentication alone doesn’t mean the resulting connection between Armory and the EventHub is encrypted.
To enable SSL/TLS, you need to define the sslConf property in accordance with your particular situation.
Using the default CA
In the most simple case, define sslConf with an enabled: true property:

```yaml
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: creds
spec:
  sasl:
    mechanism: PLAIN # or SCRAM-SHA-256 or SCRAM-SHA-512
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password
    sslConf:
      enabled: true
```

This is enough when:
- the server doesn’t require additional authentication from the client (through a client certificate),
- the server’s certificate can be validated with the ca-certificates package included in Kannika Armory’s image.
Server authentication
If the server’s certificate needs to be validated with a custom CA (self-signed certificate), then use the caCertificatePemFrom field to reference a secret in PEM format (PKCS#8 only):

```yaml
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-plain-creds
spec:
  sasl:
    mechanism: PLAIN # or SCRAM-SHA-256 or SCRAM-SHA-512
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password
    sslConf:
      enabled: true
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt
```

Client authentication
In some rare cases, the server may require TLS authentication from the client.
In this situation, load the certificate and key in a secret and configure sslConf accordingly:

```yaml
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-plain-creds
spec:
  sasl:
    mechanism: PLAIN # or SCRAM-SHA-256 or SCRAM-SHA-512
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password
    sslConf:
      enabled: true
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      privateKeyPemFrom: # PKCS#8 only
        secretKeyRef:
          name: tls-secret
          key: tls.key
```

- explicitly set using a secret in PEM format with caCertificatePemFrom.
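As an added example (not Kannika's own tooling), a POSIX shell helper that checks whether a private key is in the PKCS#8 form the privateKeyPemFrom field expects, converts it with openssl when it is not, and emits the kafka-sasl-creds and tls-secret Secrets that the manifests above reference. The secret names and keys mirror this page; openssl and kubectl on PATH are assumptions.

```shell
#!/usr/bin/env sh
# Added example: prepare the Secrets referenced by a Kannika Armory
# Credentials resource. Assumes openssl and kubectl are on PATH.

# Print the PEM label of the first block in a file, e.g. "RSA PRIVATE KEY".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Return 0 when the key is PKCS#8 ("PRIVATE KEY", or "ENCRYPTED PRIVATE KEY"
# which additionally needs privateKeyPasswordFrom); return 1 for the PKCS#1
# ("RSA PRIVATE KEY") and SEC1 ("EC PRIVATE KEY") forms Armory does not accept.
is_pkcs8() {
  case "$(pem_label "$1")" in
    "PRIVATE KEY"|"ENCRYPTED PRIVATE KEY") return 0 ;;
    *) return 1 ;;
  esac
}

# Ensure the key at $1 is PKCS#8, writing the usable key to $2.
# Unencrypted output; protect the file and the resulting Secret accordingly.
ensure_pkcs8() {
  if is_pkcs8 "$1"; then
    cp "$1" "$2"
  else
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
  fi
}

# Emit (without applying) the two Secrets the Credentials manifests refer to.
# Usage: sasl_secrets <username> <password> <ca.crt> <tls.crt> <tls.key>
sasl_secrets() {
  kubectl create secret generic kafka-sasl-creds \
    --from-literal=username="$1" --from-literal=password="$2" \
    --dry-run=client -o yaml
  echo '---'
  kubectl create secret generic tls-secret \
    --from-file=ca.crt="$3" --from-file=tls.crt="$4" --from-file=tls.key="$5" \
    --dry-run=client -o yaml
}
```

Pipe the output of sasl_secrets into kubectl apply -f - in the namespace where the Credentials resource lives; the ca.crt entry is only needed when caCertificatePemFrom is set.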