FLPATH-3318 (FlightPath)

CoP - Add Kafka SASL/TLS authentication support to Helm chart

Add support for Kafka SASL/TLS authentication in the cost-onprem Helm chart for secure connections to enterprise Kafka clusters (AMQ Streams, MSK, Confluent).

Background

PR #99 (FLPATH-2685) added BYOI support for Kafka but scoped it to PLAINTEXT connections only. During implementation, we discovered that neither Koku nor ROS applications support Kafka SASL/TLS authentication from environment variables in non-Clowder (on-premise) mode. Chart-level wiring of SASL/TLS values would have no effect without upstream application changes.

Prerequisites (upstream)

Both Koku and ROS need to be updated to read Kafka SASL/TLS configuration from environment variables when running in on-prem mode (non-Clowder):
- Koku: KAFKA_SASL_MECHANISM, KAFKA_SASL_USERNAME, KAFKA_SASL_PASSWORD, KAFKA_SECURITY_PROTOCOL, KAFKA_SSL_CA_LOCATION
- ROS: equivalent Go-side configuration via environment variables or config file

Until those upstream changes land, chart-level SASL/TLS support cannot be implemented.

Scope

Once upstream support is available:
- Add kafka.sasl.mechanism, kafka.sasl.existingSecret, kafka.tls.enabled, kafka.tls.caCertSecret to values.yaml
- Wire these values into Koku and ROS deployment environment variables via _helpers-koku.tpl and _helpers.tpl
- Mount TLS CA certificate from the referenced secret if kafka.tls.enabled
- Update documentation in docs/operations/configuration.md (External Kafka section)
- Add E2E test coverage for SASL_SSL connections
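
As an added illustration of the wiring described in the Scope items (not code from the cost-onprem chart), the Helm template below maps the proposed kafka.sasl.* and kafka.tls.* values onto the Koku environment variables listed under Prerequisites, pulls the credentials from the referenced Secret instead of inlining them, and mounts the CA certificate only when kafka.tls.enabled is set. The helper names (cost-onprem.kafkaAuthEnv and the two TLS volume helpers), the Secret key names username, password and ca.crt, and the mount path /etc/kafka/certs are assumptions.

```yaml
{{/* Assumed values.yaml shape (constructed example, not the chart's defaults):
kafka:
  sasl: {mechanism: SCRAM-SHA-512, existingSecret: kafka-sasl-creds}  # Secret keys 'username'/'password' assumed
  tls:  {enabled: true, caCertSecret: kafka-ca}                      # Secret key 'ca.crt' assumed
*/}}

{{/* Kafka auth env for Koku (on-prem mode); credentials are referenced from the Secret, never inlined */}}
{{- define "cost-onprem.kafkaAuthEnv" -}}
{{- $sasl := .Values.kafka.sasl | default dict -}}
{{- $tls := .Values.kafka.tls | default dict -}}
- name: KAFKA_SECURITY_PROTOCOL
  value: {{ if and $tls.enabled $sasl.mechanism }}SASL_SSL{{ else if $tls.enabled }}SSL{{ else if $sasl.mechanism }}SASL_PLAINTEXT{{ else }}PLAINTEXT{{ end }}
{{- if $sasl.mechanism }}
- name: KAFKA_SASL_MECHANISM
  value: {{ $sasl.mechanism | quote }}
- name: KAFKA_SASL_USERNAME
  valueFrom:
    secretKeyRef:
      name: {{ required "kafka.sasl.existingSecret is required when kafka.sasl.mechanism is set" $sasl.existingSecret }}
      key: username
- name: KAFKA_SASL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ $sasl.existingSecret }}
      key: password
{{- end }}
{{- if $tls.enabled }}
- name: KAFKA_SSL_CA_LOCATION
  value: /etc/kafka/certs/ca.crt   # matches the mountPath below
{{- end }}
{{- end -}}

{{/* CA certificate volume and mount, rendered only when kafka.tls.enabled */}}
{{- define "cost-onprem.kafkaTlsVolume" -}}
{{- if .Values.kafka.tls.enabled }}
- name: kafka-ca
  secret:
    secretName: {{ required "kafka.tls.caCertSecret is required when kafka.tls.enabled" .Values.kafka.tls.caCertSecret }}
    items: [{key: ca.crt, path: ca.crt}]
{{- end }}
{{- end -}}

{{- define "cost-onprem.kafkaTlsVolumeMount" -}}
{{- if .Values.kafka.tls.enabled }}
- name: kafka-ca
  mountPath: /etc/kafka/certs
  readOnly: true
{{- end }}
{{- end -}}
```

The required calls make helm template and helm lint fail early when a mechanism is set without a credentials Secret or TLS is enabled without a CA Secret, which matches the acceptance criterion that rendering only succeeds with a complete SASL_SSL configuration.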

Acceptance Criteria

• Chart renders correct SASL/TLS environment variables and volume mounts when configured
• helm template and helm lint pass with SASL_SSL configuration
• Documented in the External Kafka section of configuration.md
• Tested against a SASL_SSL-enabled Kafka cluster

Assignee: Unassigned
Reporter: Jordi Gil (jgil@redhat.com)