Manage Security

Update Kafka SASL/Plain users

To add users to the authenticated users list, you need to update the list in the text file and update the secret.

  1. In a text file named creds-kafka-sasl-users.json, add the following content (the existing users plus the user you are adding):

    {
    "kafka_client": "kafka_client-secret",
    "c3": "c3-secret",
    "kafka": "kafka-secret",
    "new_user": "password"
    }
    
  2. Update the Kubernetes secret. The following command generates the YAML for the secret and applies it as an update to the existing credential secret.

    For --from-file, the key inside the secret must be plain-users.json, as in --from-file=plain-users.json=creds-kafka-sasl-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

You do not need to restart the Kafka brokers. The updated users list is picked up by the services.
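The users file replaces the previous list as a whole when the secret is updated, so a malformed file or a user left out of it takes effect at the next reload. The following is an added example, not CFK code and not from the original page, of a pre-flight check to run before the kubectl command: it rejects invalid JSON, duplicated user names (which json.loads would otherwise resolve silently to the last password), and empty passwords; lists the users a proposed file would drop relative to the currently applied one; and renders the Secret manifest in the shape of kubectl's --dry-run=client -oyaml output (the --save-config annotation is omitted). USERS_FILE is a constructed sample mirroring the file above.

```python
"""Pre-flight validation of the SASL/PLAIN users file before it is stored in
the ``credential`` secret under the ``plain-users.json`` key. Added example,
not CFK code; the manifest it renders mirrors the shape of
``kubectl create secret generic ... --dry-run=client -oyaml``."""
import base64
import json
from typing import Dict, List


def _reject_duplicate_keys(pairs):
    """json.loads would silently keep the last value for a repeated user name,
    so a duplicated entry could replace a password without anyone noticing."""
    users = {}
    for name, value in pairs:
        if name in users:
            raise ValueError(f"duplicate entry for user {name!r}")
        users[name] = value
    return users


def validate_users_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to apply."""
    try:
        users = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:  # covers JSONDecodeError and the duplicate-key error
        return [f"not a valid users file: {exc}"]
    if not isinstance(users, dict) or not users:
        return ["top level must be a non-empty JSON object of user: password pairs"]
    problems: List[str] = []
    for name, password in users.items():
        if not name or any(ch.isspace() for ch in name):
            problems.append(f"invalid user name {name!r}")
        if not isinstance(password, str) or not password:
            problems.append(f"user {name!r} has an empty or non-string password")
    return problems


def load_users(text: str) -> Dict[str, str]:
    """Parse the users file, raising ValueError on any validation problem."""
    problems = validate_users_file(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)


def removed_users(current_text: str, proposed_text: str) -> List[str]:
    """Users in the currently applied file that the proposed file drops. The
    secret is replaced wholesale, so every user left out stops authenticating
    once the services pick up the new list; review this before applying."""
    return sorted(set(load_users(current_text)) - set(load_users(proposed_text)))


def render_secret_manifest(text: str, secret_name: str = "credential",
                           key: str = "plain-users.json") -> str:
    """Render the Secret manifest kubectl would generate from --from-file=<key>=<file>."""
    load_users(text)  # refuse to render a manifest for an invalid file
    encoded = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {secret_name}",
        "type: Opaque",
        "data:",
        f"  {key}: {encoded}",
    ]) + "\n"


# Constructed sample mirroring the users file in the procedure above.
USERS_FILE = """{
  "kafka_client": "kafka_client-secret",
  "c3": "c3-secret",
  "kafka": "kafka-secret",
  "new_user": "password"
}
"""

if __name__ == "__main__":
    print(render_secret_manifest(USERS_FILE))
```

Run it against the real file path in place of USERS_FILE and pipe the rendered manifest to kubectl apply -f - only when validate_users_file returns an empty list and removed_users shows nothing you did not intend to remove.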

Rotate user-provided server certificates

When user-provided certificates are supplied as Kubernetes secrets, you can rotate the server certificates by updating the contents of the Kubernetes Secret.

For example, if you have used .pem files to provide certificates, update the server.pem certificate and the server-key.pem private key, then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret for changes, notices that the content has changed, and then performs a rolling restart of the component to configure the new server certificate.

Rotate certificate authority

When user-provided certificates are supplied as Kubernetes secrets, you can rotate the certificate authority in use through a two-step process.

In this section, we’ll assume you’ve used .pem files to provide certificates.

1. Append new certificate authority

Append the new intermediate/root CA to ca.pem, so that it co-exists with the old intermediate/root CA.

file name: ca.pem
content:
-----BEGIN CERTIFICATE-----
<old root CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<new root CA certificate>
-----END CERTIFICATE-----

Update the secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret for changes, notices that the content has changed, and then performs a rolling restart of the component to configure the new root CA for use alongside the old root CA.

2. Generate server certs with new certificate authority

Generate new server certs signed by the new CA, and replace the server.pem certificate and the server-key.pem private key.

Then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret for changes, notices that the content has changed, and then performs a rolling restart of the component to configure the new server certificate.
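The ordering in the two steps above matters: in step 1 the old CA must remain in ca.pem so that certificates chained to either CA keep verifying during the rolling restart, and only in step 2 are the server certificate and key swapped. The following is an added example, not CFK code and not from the original page, of a pre-flight check covering both the server-certificate rotation and the CA rotation: check_ca_append refuses a step 1 bundle that replaces the old CA instead of appending to it, and tls_secret_data builds the data map for the component-tls secret under the same keys the kubectl command uses (fullchain.pem, cacerts.pem, privkey.pem) after checking that each file holds what its key promises, including that no private key was pasted into server.pem. It compares certificates by SHA-256 of their DER bytes and does not validate X.509 contents; the PEM values below are constructed placeholders, not real certificates.

```python
"""Pre-flight checks for rotating the component-tls secret (server certificate
and the two-step CA rotation). Added example, not CFK code: it compares PEM
blocks by SHA-256 of their DER bytes and does not validate X.509 contents."""
import base64
import binascii
import hashlib
import re
from typing import Dict, List

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----(.*?)-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)


def pem_blocks(text: str, pattern=CERT_RE) -> List[bytes]:
    """Decode every PEM block matching ``pattern``. A corrupt block is an error:
    kubectl would store it anyway and the rolling restart would fail later."""
    blocks: List[bytes] = []
    for match in pattern.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            blocks.append(base64.b64decode(body, validate=True))
        except binascii.Error as exc:
            raise ValueError(f"malformed PEM block: {exc}") from None
    return blocks


def ca_fingerprints(ca_bundle: str) -> List[str]:
    """SHA-256 fingerprints of the certificates in ca.pem, in file order."""
    certs = pem_blocks(ca_bundle)
    if not certs:
        raise ValueError("ca.pem contains no CERTIFICATE blocks")
    return [hashlib.sha256(der).hexdigest() for der in certs]


def check_ca_append(current_ca: str, proposed_ca: str) -> List[str]:
    """Step 1 of the CA rotation: the proposed ca.pem must still carry every CA
    that is currently trusted (peers may still present certificates chained to
    it) and must add at least one new CA. Returns the fingerprints added."""
    current = set(ca_fingerprints(current_ca))
    proposed = ca_fingerprints(proposed_ca)
    dropped = current.difference(proposed)
    if dropped:
        raise ValueError(f"step 1 must append, not replace: {len(dropped)} trusted "
                         "CA certificate(s) are missing from the proposed ca.pem")
    added = [fp for fp in proposed if fp not in current]
    if not added:
        raise ValueError("no new CA certificate appended; nothing to rotate")
    return added


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def tls_secret_data(server_pem: str, ca_pem: str, key_pem: str) -> Dict[str, str]:
    """Build the ``data`` map of the component-tls secret with the keys the
    kubectl command uses, after checking each file holds what its key promises."""
    if not pem_blocks(server_pem):
        raise ValueError("server.pem contains no CERTIFICATE block")
    if pem_blocks(server_pem, KEY_RE):
        raise ValueError("server.pem must not contain a private key")
    if not pem_blocks(key_pem, KEY_RE):
        raise ValueError("server-key.pem contains no PRIVATE KEY block")
    ca_fingerprints(ca_pem)  # raises if the CA bundle is empty or corrupt
    return {"fullchain.pem": _b64(server_pem),
            "cacerts.pem": _b64(ca_pem),
            "privkey.pem": _b64(key_pem)}


def _constructed_pem(label: str, payload: bytes) -> str:
    """Constructed stand-in for a PEM file; the payload is not real DER."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs (placeholders, not real certificates or keys).
OLD_CA = _constructed_pem("CERTIFICATE", b"constructed: old root CA")
NEW_CA = _constructed_pem("CERTIFICATE", b"constructed: new root CA")
SERVER_PEM = _constructed_pem("CERTIFICATE", b"constructed: server certificate")
SERVER_KEY_PEM = _constructed_pem("PRIVATE KEY", b"constructed: server private key")

if __name__ == "__main__":
    added = check_ca_append(OLD_CA, OLD_CA + NEW_CA)
    print(f"step 1 ok: {len(added)} CA certificate(s) appended")
    data = tls_secret_data(SERVER_PEM, OLD_CA + NEW_CA, SERVER_KEY_PEM)
    print("component-tls data keys:", sorted(data))
```

Before step 1, call check_ca_append with the currently applied ca.pem (read back from the secret) and the edited file; before either kubectl command, build the data map with tls_secret_data so that a swapped or truncated file is caught before the rolling restart rather than by it.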