Manage Security

Update Kafka SASL/Plain users

For jaasConfig

To add users to the authenticated users list, you need to update the list in the text file and update the secret.

  1. In a text file named creds-kafka-sasl-users.json, list every user that should be able to authenticate, existing users included, because the update replaces the whole list held in the secret:

    {
      "kafka_client": "kafka_client-secret",
      "c3": "c3-secret",
      "kafka": "kafka-secret",
      "new_user": "password"
    }

  2. Update the Kubernetes secret.

    The following command generates the YAML for the secret and applies it as an update to the existing secret, credential.

    The key given to --from-file must be plain-users.json, as in --from-file=plain-users.json=creds-kafka-sasl-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -


You do not need to restart the Kafka brokers. The updated users list is picked up by the services.

For jaasConfigPassThrough

To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.

  1. In plain-jaas.conf, add the new user and its password.

    For example:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
       username="admin" \
       password="admin-secret" \
       user_admin="admin-secret" \
       user_alice="alice-secret" \
       user_newuser="password";
    
  2. Update the secret with the new file contents as described in the section above.

  3. Roll the Kafka cluster.

Rotate user-provided server certificates

When you provide your own certificates as Kubernetes secrets, you can rotate the server certificate by updating the contents of the Kubernetes Secret.

For example, if you used .pem files to provide certificates, replace server.pem (the server certificate) and server-key.pem (its private key), then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and then performs a rolling restart of the component to configure the new server certificate.

Rotate certificate authority

When you provide your own certificates as Kubernetes secrets, you can rotate the certificate authority in use through a two-step process.

In this section, we’ll assume you’ve used .pem files to provide certificates.

1. Append new certificate authority

Append the new intermediate/root CA to ca.pem so that it co-exists with the old intermediate/root CA.

File name: ca.pem
Content:
-----BEGIN CERTIFICATE-----
<old root CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<new root CA certificate>
-----END CERTIFICATE-----

Update the secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and then performs a rolling restart of the component to configure the new root CA for use alongside the old root CA.

2. Generate server certs with new certificate authority

Generate new server certificates signed by the new CA, and replace server.pem (the server certificate) and server-key.pem (its private key).

Then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and then performs a rolling restart of the component to configure the new server certificate.
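As an added example that is not part of the CFK documentation or tooling, the following POSIX shell helper covers step 1 of the CA rotation above: it merges the new CA into ca.pem without duplicating it on a re-run, checks that the bundle holds both the old and the new CA, and only then re-applies the component-tls secret with the same kubectl pipeline the page uses. File and secret names are the ones used on this page; the certificate bodies used for testing are constructed placeholders.

```shell
#!/bin/sh
# Added helper for step 1 of the CA rotation (not CFK's own tooling).
# Assumes the page's file names (ca.pem, server.pem, server-key.pem)
# and the secret name component-tls in the working directory.

# count_certs FILE: print the number of PEM certificate blocks in FILE
# (0 when the file is missing or holds no certificate).
count_certs() {
  if [ -f "$1" ]; then
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
  else
    echo 0
  fi
}

# append_ca BUNDLE NEW_CA: append NEW_CA to BUNDLE unless it is already
# present. Returns 1 if NEW_CA is not exactly one PEM certificate.
append_ca() {
  bundle="$1"; new_ca="$2"
  [ "$(count_certs "$new_ca")" -eq 1 ] || return 1
  # Idempotency: compare newline-stripped text so a re-run is harmless.
  case "$(tr -d '\n' < "$bundle" 2>/dev/null)" in
    *"$(tr -d '\n' < "$new_ca")"*) return 0 ;;
  esac
  cat "$new_ca" >> "$bundle"
}

# bundle_has BUNDLE N: succeed only if BUNDLE holds exactly N certificates.
bundle_has() {
  [ "$(count_certs "$1")" -eq "$2" ]
}

# apply_tls_secret SECRET: the page's kubectl pipeline, guarded so that the
# secret is only re-applied once ca.pem carries both the old and new CA.
apply_tls_secret() {
  bundle_has ca.pem 2 || { echo "ca.pem must hold old and new CA" >&2; return 1; }
  kubectl create secret generic "$1" \
    --from-file=fullchain.pem=server.pem \
    --from-file=cacerts.pem=ca.pem \
    --from-file=privkey.pem=server-key.pem \
    --save-config --dry-run=client -oyaml | kubectl apply -f -
}
```

Run append_ca ca.pem new-ca.pem followed by apply_tls_secret component-tls in the directory holding the .pem files; apply_tls_secret refuses to run until the bundle check passes.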