Cloud: mTLS support for Kafka API #520
Conversation
✅ Deploy Preview for redpanda-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| @@ -210,7 +210,6 @@ image::shared:byoc_apply.png[cloud_byoc_apply] | |||
|
|
|||
| Redpanda Cloud does not support the following self-hosted functionality: | |||
|
|
|||
| - mTLS | |||
There was a problem hiding this comment.
@paulzhang97 @micheleRP want to verify that we can make this change.
There was a problem hiding this comment.
Not clear about what self-hosted deployment can do. I will defer the question to @bpraseed.
modules/deploy/pages/deployment-option/cloud/security/cloud-authentication.adoc
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
@paulzhang97 is there anything we should document regarding rotating certificates? Not sure if we need to provide specific guidance there for users.
There was a problem hiding this comment.
Do you mean that rotating trusted client CA certificates or client certificates? I don't think we need to document how to rotate the certs since it is customer's responsibility to rotate the certs. If there is feedback later, we will add then.
modules/ROOT/nav.adoc
Outdated
| @@ -74,6 +74,7 @@ | |||
| **** xref:deploy:deployment-option/cloud/manage-billing/aws-commit.adoc[Use AWS Commits] | |||
| *** xref:deploy:deployment-option/cloud/security/index.adoc[Security] | |||
| **** xref:deploy:deployment-option/cloud/security/cloud-authentication.adoc[Authentication] | |||
| **** xref:deploy:deployment-option/cloud/security/cloud-enable-mtls-kafka-api.adoc[Enable mTLS for Kafka API] | |||
There was a problem hiding this comment.
@paulzhang97 @micheleRP would like to double check if this seems like an appropriate place in the navigation tree for this doc.
There was a problem hiding this comment.
@paulzhang97 This is an authentication option, and should appear as a subtopic under AuthN, no? Makes no sense to me that it is at the same level as AuthN.
There was a problem hiding this comment.
Right. It is AuthN. I didn't look at the content under Security/Authentication. Seems that it should be under Service authentication?
There was a problem hiding this comment.
@Feediver1 -- Security/Authentication in the nav tree is currently a conceptual doc https://docs.redpanda.com/current/deploy/deployment-option/cloud/security/cloud-authentication/ whereas this new content is a task-oriented topic, so I've added it as its own doc. I don't know if we would actually want to turn Security/Authentication as its own subsection, perhaps I'll defer to @micheleRP ?
There was a problem hiding this comment.
I don't have a strong opinion about where it lands right now, since we'll be changing so much soon with the Cloud docs reorg. @paulzhang97 or @Feediver1: would you prefer that this content be incorporated into the Authentication page as a nested section in the Service authentication section or kept as a standalone file but nested under Authentication?
There was a problem hiding this comment.
@paulzhang97 I found it odd that this is placed outside the scope of the authN heading/umbrella here--thoughts?
There was a problem hiding this comment.
I would like to put it under Service authentication section. It sounds better fit to me.
There was a problem hiding this comment.
Merge into the requested page.
modules/deploy/pages/deployment-option/cloud/security/cloud-enable-mtls-kafka-api.adoc
Outdated
Show resolved
Hide resolved
| :description: Use the Cloud API to enable mTLS for Kafka API connections on your Redpanda cluster. | ||
| :page-cloud: true | ||
|
|
||
| Redpanda Cloud supports mTLS authentication for the Kafka API. |
There was a problem hiding this comment.
@paulzhang97 @bpraseed what could we add here regarding why we added this authentication mechanism and why we might recommend it over SASL (is it SASL/SCRAM to be specific?)?
There was a problem hiding this comment.
Yes. It is SASL/SCRAM. Good question! I can't think of any clear advantage of mTLS since our SASL is over TLS communication instead of unencrypted traffic over e.g. plain TCP, other than that the algorithms in authenticating client in mTLS is more secure than username/password based SASL.
| * `<ca-certificate-pem>`: A trusted Kafka client CA certificate in PEM format. The `ca_certificates_pem` field accepts a list of certificates. | ||
| * `<principal-mapping-rule>`: Configurable rule for mapping the Common Name of Kafka client certificates to Kafka principals. | ||
| + | ||
| For example, the mapping rule `RULE:.*CN=([^,]+).*/\\$1/` maps the following certificate subject to a principal named `test`: |
There was a problem hiding this comment.
@kbatuigas: This isn't rendering properly with the *
| rpk cluster info --tls-enabled | ||
| ---- | ||
|
|
||
| You should get an error like the following: |
There was a problem hiding this comment.
Shouldnt this be if TLS is not enabled correctly you will get the below error @paulzhang97 ?
There was a problem hiding this comment.
This is the actual error returned by rpk. I think tls: certificate required makes sense. It says certificate is required. It could better if e.g. tls: client certificate required.
|
|
||
| . Create a service account in your organization, if you have not already done so. Go to the https://cloud.redpanda.com/clients[Clients^] page in the Redpanda Cloud UI and click *Add client* to create a service account. Enter a name and description. | ||
| . Retrieve the client ID and secret by clicking *Copy ID* and *Copy Secret*. | ||
| . Obtain an access token by making a `POST` request to `https://auth.prd.cloud.redpanda.com/oauth/token` with the ID and secret in the request body. |
There was a problem hiding this comment.
Looks like this link is now broken.
Co-authored-by: Paulo Borges <paulohtb@hotmail.com>
Description
How to enable mTLS for Kafka API on RP cloud clusters.
Also includes minor edits related to mTLS mentioned on other docs.
Resolves https://github.com/redpanda-data/documentation-private/issues/2345
Review deadline: 24 May 2024
Page previews
https://deploy-preview-520--redpanda-docs-preview.netlify.app/current/deploy/deployment-option/cloud/security/cloud-authentication/#mtls
Checks