Manage Authentication for Confluent Platform Using Confluent for Kubernetes

This topic describes post-deployment tasks for managing authentication in Confluent Platform, specifically updating user credentials for Kafka, KRaft, and MDS.

The process to rotate a user credential differs by the type of user: internal users (brokers and controllers authenticating to each other) and external client users.

  • Internal users for authenticating between brokers and controllers

    1. Create a secret for the existing user so that the old credentials remain valid for the brokers that have not yet been updated.

    2. Add the new user/credentials to allow a gradual transition. Both credentials work during the rolling update.

    3. Remove the old user/secret only after all brokers successfully use the new credentials.

  • External client users for authenticating to Kafka

    Add new user/credentials.

This topic covers several common use cases for updating user credentials. The same high-level workflow applies to other authentication types and use cases, depending on whether the user is an internal user or an external client user.

For the steps to configure credentials, see Configure authentication to access Kafka and KRaft.

Update Kafka or KRaft SASL/PLAIN external client users

To update the external client-facing SASL/PLAIN user credentials for Kafka or KRaft, follow the steps described below based on the method you use to provide required credentials, namely jaasConfig or jaasConfigPassThrough.

Update server-side SASL/PLAIN users

For jaasConfig

To add users to the authenticated users list, you need to update the list in the text file and update the secret.

  1. Fetch the user credentials defined under the key plain-users.json from the cluster's secret using the following command:

    kubectl get secret -n <namespace> <NAME_OF_SECRET_FROM_JAAS_CONFIG> \
      --template="{{index .data \"plain-users.json\" | base64decode }}"
    
    • <NAME_OF_SECRET_FROM_JAAS_CONFIG> is the name of the secret referenced by the affected listener in spec.listeners.<listener-type>.authentication.jaasConfig.secretRef

    • <listener-type> can be external or custom based on the listener type you use for the external client users.

  2. Copy the contents of the output and save it in a new file called creds-kafka-sasl-users.json.

  3. In the creds-kafka-sasl-users.json file, add the new user and its password.

    For example:

    {
      "kafka_client": "kafka_client-secret",
      "c3": "c3-secret",
      "kafka": "kafka-secret",
      "new_user": "password"
    }
    
  4. Update the Kubernetes secret.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret named credential.

    For --from-file, you must use the plain-users.json key, as --from-file=plain-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

You do not need to restart the Kafka brokers. The updated users list is picked up by the services.
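
The jaasConfig procedure above, worked end to end as an added example (not Confluent's code and not part of this page): it edits the decoded plain-users.json, refuses to overwrite an existing user or to write an empty or malformed list (every broker loads this file without a restart, so a bad file locks out all clients at once), renders the Secret manifest that the kubectl pipeline pipes into kubectl apply, and decodes it back as a pre-apply check. The secret name credential, the key plain-users.json and the user list are taken from the page; the namespace confluent and the helper names are assumptions.

```python
"""Rotate a SASL/PLAIN user in the plain-users.json key of a CFK jaasConfig secret.

Added example, not Confluent documentation or CFK code. It reproduces offline
what the page's kubectl pipeline does: decode the key, edit the user list, and
render the Secret that `kubectl apply -f -` receives (minus the
last-applied-configuration annotation that --save-config adds).
"""
import base64
import json
from typing import Dict

SECRET_KEY = "plain-users.json"      # key name CFK expects in the secret (from the page)

# Constructed sample: what `kubectl get secret ... --template=...` prints,
# i.e. the page's current user list before the new user is added.
CURRENT_USERS_JSON = json.dumps({
    "kafka_client": "kafka_client-secret",
    "c3": "c3-secret",
    "kafka": "kafka-secret",
})


def parse_users(users_json: str) -> Dict[str, str]:
    """Parse plain-users.json; reject anything that is not a user -> password object."""
    users = json.loads(users_json)            # raises on broken JSON
    if not isinstance(users, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in users.items()
    ):
        raise ValueError("plain-users.json must be a JSON object of user: password strings")
    return users


def add_plain_user(users_json: str, user: str, password: str) -> str:
    """Return the list with `user` added. Refuses to overwrite an existing user,
    which would silently rotate a credential still in use elsewhere."""
    users = parse_users(users_json)
    if not user or not password:
        raise ValueError("user and password must be non-empty")
    if user in users:
        raise ValueError(f"user {user!r} already exists; remove it explicitly first")
    users[user] = password
    return json.dumps(users, indent=2) + "\n"


def remove_plain_user(users_json: str, user: str) -> str:
    """Return the list without `user`; never write an empty list."""
    users = parse_users(users_json)
    if user not in users:
        raise KeyError(user)
    del users[user]
    if not users:
        raise ValueError("refusing to write an empty user list")
    return json.dumps(users, indent=2) + "\n"


def render_secret_manifest(name: str, namespace: str, key: str, content: str) -> str:
    """Render the Opaque Secret that `kubectl create secret generic ... --dry-run=client -oyaml` emits."""
    b64 = base64.b64encode(content.encode()).decode()
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "type: Opaque\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        f"  {key}: {b64}\n"
    )


def users_in_manifest(manifest: str, key: str) -> Dict[str, str]:
    """Decode `key` back out of a rendered manifest: the check to run before
    applying, so you know the data round-trips and every expected user is there."""
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith(key + ":"):
            raw = base64.b64decode(stripped.split(":", 1)[1].strip())
            return parse_users(raw.decode())
    raise KeyError(key)


if __name__ == "__main__":
    updated = add_plain_user(CURRENT_USERS_JSON, "new_user", "password")
    manifest = render_secret_manifest("credential", "confluent", SECRET_KEY, updated)
    print(manifest)
    print("users after apply:", sorted(users_in_manifest(manifest, SECRET_KEY)))
```

Pipe the printed manifest into kubectl apply -f - exactly as on the page; running users_in_manifest on it first is the cheap guard against the failure mode that matters here, a malformed list reaching every broker without a restart.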

For jaasConfigPassThrough

To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.

  1. In plain-jaas.conf, add the new user and its password.

    For example:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
       username="admin" \
       password="admin-secret" \
       user_admin="admin-secret" \
       user_alice="alice-secret" \
       user_newuser="password";
    
  2. Update the Kubernetes secret with the new file contents.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential.

    For --from-file, you must use the plain-jaas.conf key, as --from-file=plain-jaas.conf.

    kubectl create secret generic credential \
      --from-file=plain-jaas.conf=plain-jaas.conf \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

After the secret is updated, roll the Kafka cluster. Unlike the jaasConfig case, the user_<name> entries in the pass-through JAAS file are read when a broker starts, so the new user is accepted only by brokers that have been rolled.
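
The pass-through procedure above and the three-step internal-user rotation at the top of this topic, as an added example (not Confluent's code and not part of this page): it parses the page's plain-jaas.conf, adds a user_ entry, checks the invariant a broker needs before you apply the secret (the username it presents must match one of the user_ entries it accepts, otherwise inter-broker SASL fails on the first rolled broker), and produces the three successive configs of a gradual internal-credential rotation, each of which passes that check. The PlainLoginModule semantics, the helper names and the sample values admin2 and s3cret are assumptions.

```python
"""Edit the sasl.jaas.config entry of a CFK jaasConfigPassThrough secret.

Added example, not Confluent's code. SAMPLE_CONF is the page's own
plain-jaas.conf. Assumed (standard Kafka PlainLoginModule) semantics:
`username`/`password` is the credential this broker presents, and each
`user_<name>="<pw>"` option is a credential it accepts. Both are read when the
broker starts, which is why the page has you roll the cluster afterwards.
"""
import re
from typing import Dict, List, Tuple

MODULE = "org.apache.kafka.common.security.plain.PlainLoginModule"
# key="value"; a value may contain \" and \\ escapes
_OPTION_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# The page's plain-jaas.conf before the new user is added (line continuations kept).
SAMPLE_CONF = '''sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
   username="admin" \\
   password="admin-secret" \\
   user_admin="admin-secret" \\
   user_alice="alice-secret";
'''


def parse(conf: str) -> Dict[str, str]:
    """Return the module options as an ordered dict of key -> unescaped value."""
    body = conf.replace("\\\n", " ")                     # join backslash-newline continuations
    head, sep, opts = body.partition(" required ")
    if not sep or not head.lstrip().startswith("sasl.jaas.config="):
        raise ValueError("expected 'sasl.jaas.config=<module> required ...'")
    if not body.rstrip().endswith(";"):
        raise ValueError("JAAS entry must be terminated by ';'")
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _OPTION_RE.findall(opts)}


def render(opts: Dict[str, str]) -> str:
    """Inverse of parse(): one option per continued line, the last one ends the entry."""
    def quote(v: str) -> str:
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    items = list(opts.items())
    lines = [f"sasl.jaas.config={MODULE} required \\"]
    for i, (k, v) in enumerate(items):
        lines.append(f"   {k}={quote(v)}" + (";" if i == len(items) - 1 else " \\"))
    return "\n".join(lines) + "\n"


def check(opts: Dict[str, str]) -> Tuple[bool, str]:
    """A broker must accept the credential it presents, or inter-broker SASL
    fails as soon as the first broker is rolled. Run before applying the secret."""
    me, pw = opts.get("username"), opts.get("password")
    if me is None or pw is None:
        return False, "username/password missing"
    if opts.get(f"user_{me}") != pw:
        return False, f"user_{me} missing or does not match password"
    return True, "ok"


def add_user(conf: str, name: str, password: str) -> str:
    """Step 1 of the pass-through procedure: add user_<name>, leave everything else alone."""
    opts = parse(conf)
    if f"user_{name}" in opts:
        raise ValueError(f"user_{name} already present; remove it explicitly first")
    opts[f"user_{name}"] = password
    return render(opts)


def rotate_internal(conf: str, old: str, new: str, new_password: str) -> List[str]:
    """The page's three-step internal-user rotation as three successive configs,
    each valid on its own so every broker keeps authenticating mid-roll:
    1) accept the new user, still present the old one
    2) present the new user (the old one is still accepted everywhere since phase 1)
    3) stop accepting the old user, only after phase 2 has rolled everywhere."""
    p1 = parse(conf)
    if p1.get("username") != old:
        raise ValueError(f"config presents {p1.get('username')!r}, not {old!r}")
    if f"user_{new}" in p1:
        raise ValueError(f"user_{new} already present")
    p1[f"user_{new}"] = new_password
    p2 = dict(p1, username=new, password=new_password)
    p3 = {k: v for k, v in p2.items() if k != f"user_{old}"}
    phases = [p1, p2, p3]
    for n, p in enumerate(phases, 1):
        ok, why = check(p)
        if not ok:
            raise RuntimeError(f"phase {n} would break inter-broker auth: {why}")
    return [render(p) for p in phases]


if __name__ == "__main__":
    print(add_user(SAMPLE_CONF, "newuser", "password"))
    for i, c in enumerate(rotate_internal(SAMPLE_CONF, "admin", "admin2", "s3cret"), 1):
        print(f"# phase {i}: apply as plain-jaas.conf, then roll the cluster\n{c}")
```

Each phase's output is what goes into plain-jaas.conf for one secret update plus roll; the page's step 3 (remove the old user) is phase 3, and the check() call is the guard that keeps you from applying a phase that would strand a broker mid-roll.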

Update client-side SASL/PLAIN users using JAAS config

To update the user credentials, update the credentials in the text file and update the secret:

  1. In a text file, named creds-kafka-sasl-users.txt, update the following content:

    username=<username>
    password=<password>
    
  2. Create a Kubernetes secret.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential.

    For --from-file, you must use the plain.txt key, as --from-file=plain.txt.

    kubectl create secret generic credential \
      --from-file=plain.txt=creds-kafka-sasl-users.txt \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    
  3. Restart the Confluent Platform components that depend on the plain.txt key so that the updated user is picked up by the services.

Update Kafka or KRaft OAuth/OIDC users

Update the external-facing OAuth/OIDC client user credentials for Kafka or KRaft by following the steps described in this section.

Update server-side OAuth/OIDC users

  1. Create a secret that contains the new OIDC client ID and client secret used for the authorization and token requests to the identity provider (IdP).

    The secret should contain two keys with their respective values, clientId and clientSecret as follows:

    clientId=<client-id>
    clientSecret=<client-secret>
    
  2. Update the Kafka or KRaft CR to use the new secret and apply the changes.

    kind: <Kafka or KRaftController>
    spec:
      listeners:
        <internal or external>:
          authentication:
            type: oauth
            <jaasConfig or jaasConfigPassThrough>:
              secretRef: <name-of-the-new-secret>
    

Update client-side OAuth/OIDC users

Important

The current (older) OIDC client credential must remain valid until the rotation completes and the component has been rolled.

  1. Create a secret that contains the new OIDC client ID and client secret used for the authorization and token requests to the identity provider (IdP).

    The secret should contain two keys with their respective values, clientId and clientSecret as follows:

    clientId=<client-id>
    clientSecret=<client-secret>
    
  2. Update the client component CR to use the new secret and apply the changes.

     kind: <Confluent component>
     spec:
       dependencies:
         kafka:
           authentication:
             type: oauth
             <jaasConfig or jaasConfigPassThrough>:
               secretRef: <name-of-the-new-secret>
    

Update MDS user

To update the MDS user credentials, follow these steps:

Important

The current (older) MDS user must remain valid until the rotation has been completed.

  1. Add a new user to your LDAP server with the new password you want to use.

  2. In the .txt file that contains the old LDAP bind credentials, replace them with the new bind DN and password, in the following format:

    username=<bindDn_value>
    password=<bindPassword_value>
    

    For the password for bindDn, escape any restricted LDAP characters. For best results, avoid characters that require escaping.

  3. Update the Kubernetes secret using the expected key (ldap.txt) and the value file you created in the previous step.

    kubectl create secret generic credential \
      --from-file=ldap.txt=./ldap.txt \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

    For more information, see Editing a secret.

  4. Roll the Kafka clusters.

  5. Once all Kafka clusters have been rolled successfully, remove the old LDAP user from the LDAP server and from any secret that still references it.