Skip to content

feat: add Kafka user password configuration solution#142

Merged
sinbadonline merged 4 commits intomainfrom
feat/kafka-user-password-configuration
Apr 20, 2026
Merged

feat: add Kafka user password configuration solution#142
sinbadonline merged 4 commits intomainfrom
feat/kafka-user-password-configuration

Conversation

@sinbadonline
Copy link
Copy Markdown
Contributor

@sinbadonline sinbadonline commented Apr 20, 2026
edited by coderabbitai bot
Loading

Summary

  • New KB entry docs/en/solutions/Kafka_User_Password_Configuration.md covering the end-to-end flow for configuring a custom SCRAM-SHA-512 password on an RdsKafkaUser and rotating it via the changePasswordTimestamp annotation.
  • Includes an OCP Parity section comparing ACP RdsKafkaUser to upstream Strimzi / Red Hat AMQ Streams KafkaUser, with a field-by-field migration table.

Source of truth

  • Alauda rds-operator source (middleware/rds-operator) — verified RdsKafkaUserSpec shape, the copier.Copy reconcile to downstream Strimzi KafkaUser, and changePasswordTimestamp handling.
  • Confluence page KafkaUser 支持配置密码 (ID 184353383) — used as the starting point; the YAML example in that page has known errors (uses kind: KafkaUser + strimzi.io/cluster label), which are corrected here.

Verification

End-to-end validated on ACP 4.2.x (rds-operator v4.2.0, Kafka 4.1.1):

  • Deployed a minimal RdsKafka (1 controller+broker, KRaft mode) with listeners.plain.authentication.type: scram-sha-512 and authorization.type: simple.
  • Created a password Secret + RdsKafkaUser; confirmed status.phase=Active, downstream KafkaUser Ready=True, and the auto-published sasl.jaas.config Secret contained the custom password.
  • Ran a Kafka client Job that exercised four scenarios:
    • correct password — list topics, produce, consume all succeed
    • wrong password — SaslAuthenticationException
    • rotated password (secret updated + changePasswordTimestamp annotation bumped) — list topics succeed
    • previous password after rotation — SaslAuthenticationException

Rotation reconcile completed within ~10 seconds.

Test plan

  • Reviewer confirms KB format matches docs/en/solutions/ conventions.
  • Reviewer confirms OCP parity section accuracy against current AMQ Streams docs.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive guide for configuring Kafka user passwords with SCRAM-SHA-512, covering cluster prerequisites, creating and sourcing password Secrets, verifying user readiness, and rotating passwords (including expected failure/success behavior).
    • Notes on garbage collection, supported authentication types, non-blocking warnings, and an OCP/AMQ Streams parity comparison for migration guidance.

feat: add Kafka user password configuration solution
a6b5b8f 
Document the end-to-end flow for configuring a custom SCRAM-SHA-512
password on an RdsKafkaUser and rotating it via the
changePasswordTimestamp annotation. Includes an OCP / AMQ Streams
parity section for migration.

Verified on ACP 4.2.x with rds-operator v4.2.0 and Kafka 4.1.1.
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Apr 20, 2026
edited
Loading

Warning

Rate limit exceeded

@sinbadonline has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 31 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 49 minutes and 31 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0960e5f5-43f5-49e3-ae7e-b8707edf296a

📥 Commits

Reviewing files that changed from the base of the PR and between 185fce2 and b645b04.

📒 Files selected for processing (1)
  • docs/en/solutions/Kafka_User_Password_Configuration.md

Walkthrough

Added a new documentation page that explains how to configure SCRAM-SHA-512 passwords for an ACP RdsKafkaUser using a Kubernetes Secret, including prerequisites, secret creation, user manifest with ACLs, verification, password rotation, garbage collection notes, and OCP/AMQ Streams parity details.

Changes

Cohort / File(s) Summary
Kafka User Password Configuration Documentation
docs/en/solutions/Kafka_User_Password_Configuration.md		 New solution doc describing how to source SCRAM-SHA-512 passwords from a user-managed Secret (spec.authentication.password.valueFrom.secretKeyRef), cluster prerequisites, imperative and declarative secret creation (base64), RdsKafkaUser manifest with authorization.type: simple and ACLs, verification via status/Strimzi readiness, password rotation procedure using secret update + changePasswordTimestamp, OwnerReference/GC notes, accepted auth types, Strimzi ACL schema warnings, and OCP/AMQ Streams parity with example and comparison table.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through docs with a nibble and wink,

Secrets encoded, no need to overthink,
ACLs in order, users set to play,
Rotate the key, then hop away,
A rabbit’s stamp: the config's okay!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title 'feat: add Kafka user password configuration solution' directly and clearly summarizes the main change: adding documentation for Kafka user password configuration, which matches the core objective of introducing a new KB entry detailing SCRAM-SHA-512 password configuration for RdsKafkaUser.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/kafka-user-password-configuration

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

docs: correct feature-introduction version from 3.15 to v3.16.0
185fce2 
The Confluence source said "3.15增加配置密码功能" but rds-operator
rdskafkauser_types.go at tag v3.15.10 (last v3.15.x patch,
2023-12-25) has no Password field. The commit adding the field
(e289ccab "MIDDLEWARE-18371 add kafka admin and kafkauser set
password") landed on 2024-01-31, and the earliest tag containing
the field is v3.16.0.

Fix conflicting claims ("ACP 3.15" in Background vs "rds-operator
3.15" in Applicable Version) by removing the unverified ACP version
claim and pinning to the verifiable rds-operator version.
coderabbitai[bot]
coderabbitai bot reviewed Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
docs/en/solutions/Kafka_User_Password_Configuration.md (1)

50-52: Clarify the base64 encoding comment.

The comment on line 50 states # base64 of 'Passw0rd123!' immediately before a kubectl create secret --from-literal command. This placement may confuse readers because --from-literal automatically base64-encodes the value; users should NOT pre-encode the password when using this flag.

📝 Suggested clarification 
-# base64 of 'Passw0rd123!'
 kubectl -n <ns> create secret generic my-user-password \
   --from-literal=password='Passw0rd123!'

Or make the comment more explicit:

-# base64 of 'Passw0rd123!'
+# kubectl handles base64 encoding automatically with --from-literal
 kubectl -n <ns> create secret generic my-user-password \
   --from-literal=password='Passw0rd123!'
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@docs/en/solutions/Kafka_User_Password_Configuration.md` around lines 50 - 52,
The comment "# base64 of 'Passw0rd123!'" is misleading next to the kubectl
command; update the comment near the kubectl -n <ns> create secret generic
my-user-password --from-literal=password='Passw0rd123!' to explicitly state that
--from-literal accepts a plaintext value and kubectl will handle base64
encoding, and remove any instruction that suggests pre-encoding the password so
users do not base64-encode before using --from-literal.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/en/solutions/Kafka_User_Password_Configuration.md`:
- Around line 50-52: The comment "# base64 of 'Passw0rd123!'" is misleading next
to the kubectl command; update the comment near the kubectl -n <ns> create
secret generic my-user-password --from-literal=password='Passw0rd123!' to
explicitly state that --from-literal accepts a plaintext value and kubectl will
handle base64 encoding, and remove any instruction that suggests pre-encoding
the password so users do not base64-encode before using --from-literal.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 691be8a5-b2d9-4eda-beac-f2c2f77ba740

📥 Commits

Reviewing files that changed from the base of the PR and between a6b5b8f and 185fce2.

📒 Files selected for processing (1)
  • docs/en/solutions/Kafka_User_Password_Configuration.md

docs: address senior review — tighten OCP parity and add cleanup step
b645b04 
Fixes from review of PR #142:

- Correct the ACL-shape row in the OCP Parity table. Strimzi v1beta2
  accepts both `acls[*].operation` (singular, deprecated) and
  `acls[*].operations` (plural array) — not either/or as previously
  implied. Same `resource` sub-fields in both.
- Correct the rotation trigger row. Upstream Strimzi User Operator
  watches the referenced source Secret natively; the no-op annotation
  dance is not a workaround users need to know about.
- Add a Supported `authentication.type` row surfacing that upstream
  Strimzi supports `tls-external` which RdsKafkaUser does not — a
  real migration gap for OCP users of that type.
- Drop the `resource.{name,patternType,type}` vs
  `resource.{type,name,patternType}` "difference" — the fields are
  identical, only the listing order differed.
- Broaden Notes on `tls-external` migration implication.
- Add a Prerequisites clarification that SCRAM auth can live on any
  listener (plain/tls/external), not only the one shown.
- Add a brief note after Step 3 explaining why RdsKafkaUser uses
  `status.phase` while the downstream KafkaUser uses
  `status.conditions`.
- Add a new Step 5 "Remove the user" covering delete + GC behavior.

Kafka 4.1.1 version claim in Applicable Version is now runtime-verified
via `kafka-topics.sh --version` against the kafka-4-1-x:v4.2.0 image.
@yuhaosdl
Copy link
Copy Markdown
Contributor

yuhaosdl commented Apr 20, 2026

/lgtm

@sinbadonline sinbadonline merged commit 0ee356a into main Apr 20, 2026
2 checks passed
@sinbadonline sinbadonline deleted the feat/kafka-user-password-configuration branch April 20, 2026 11:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sinbadonline @yuhaosdl