Cloud: mTLS support for Kafka API #520
Conversation
@@ -210,7 +210,6 @@ image::shared:byoc_apply.png[cloud_byoc_apply] | |||
|
|||
Redpanda Cloud does not support the following self-hosted functionality: | |||
|
|||
- mTLS |
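Review bot: Deleting the `- mTLS` bullet lifts the restriction wholesale, but the support this PR adds is scoped to the Kafka API (the new page's `:description:` says "enable mTLS for Kafka API connections"), so a reader of this BYOC page could conclude that mTLS is available on every endpoint. Consider replacing the bullet rather than dropping it, for example `- mTLS (supported for the Kafka API only; see xref:deploy:deployment-option/cloud/security/cloud-authentication.adoc#mtls[Enable mTLS for Kafka API])`, with the xref target adjusted to wherever the content finally lands.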
@paulzhang97 @micheleRP want to verify that we can make this change.
Not clear about what self-hosted deployment can do. I will defer the question to @bpraseed.
modules/deploy/pages/deployment-option/cloud/security/cloud-authentication.adoc
@paulzhang97 is there anything we should document regarding rotating certificates? Not sure if we need to provide specific guidance there for users.
Do you mean rotating trusted client CA certificates or client certificates? I don't think we need to document how to rotate the certs since it is the customer's responsibility to rotate the certs. If there is feedback later, we will add it then.
modules/ROOT/nav.adoc
@@ -74,6 +74,7 @@ | |||
**** xref:deploy:deployment-option/cloud/manage-billing/aws-commit.adoc[Use AWS Commits] | |||
*** xref:deploy:deployment-option/cloud/security/index.adoc[Security] | |||
**** xref:deploy:deployment-option/cloud/security/cloud-authentication.adoc[Authentication] | |||
**** xref:deploy:deployment-option/cloud/security/cloud-enable-mtls-kafka-api.adoc[Enable mTLS for Kafka API] |
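Review bot: The new `****` entry is a sibling of Authentication rather than a child of it, although mTLS is an authentication method; the rest of the thread settles on merging the content into the Authentication page's Service authentication section, and the preview URL in the description ends in `cloud-authentication/#mtls`. If that merge stands, this nav line should be removed because the existing Authentication entry already covers it; if a separate entry is kept, it should sit one level deeper and point at the anchor, e.g. `***** xref:deploy:deployment-option/cloud/security/cloud-authentication.adoc#mtls[Enable mTLS for Kafka API]`.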
@paulzhang97 @micheleRP would like to double check if this seems like an appropriate place in the navigation tree for this doc.
I think it is fine
@paulzhang97 This is an authentication option, and should appear as a subtopic under AuthN, no? Makes no sense to me that it is at the same level as AuthN.
Right. It is AuthN. I didn't look at the content under Security/Authentication. Seems that it should be under Service authentication?
@Feediver1 -- Security/Authentication in the nav tree is currently a conceptual doc https://docs.redpanda.com/current/deploy/deployment-option/cloud/security/cloud-authentication/ whereas this new content is a task-oriented topic, so I've added it as its own doc. I don't know if we would actually want to turn Security/Authentication into its own subsection; perhaps I'll defer to @micheleRP?
I don't have a strong opinion about where it lands right now, since we'll be changing so much soon with the Cloud docs reorg. @paulzhang97 or @Feediver1: would you prefer that this content be incorporated into the Authentication page as a nested section in the Service authentication section or kept as a standalone file but nested under Authentication?
@paulzhang97 I found it odd that this is placed outside the scope of the authN heading/umbrella here. Thoughts?
I would like to put it under the Service authentication section. It sounds like a better fit to me.
Merge into the requested page.
modules/deploy/pages/deployment-option/cloud/security/cloud-enable-mtls-kafka-api.adoc
:description: Use the Cloud API to enable mTLS for Kafka API connections on your Redpanda cluster. | ||
:page-cloud: true | ||
|
||
Redpanda Cloud supports mTLS authentication for the Kafka API. |
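Review bot: The opening line asserts support but does not tell the reader what mTLS changes relative to the default path, which is exactly the question raised in the thread (why choose it over SASL/SCRAM). Suggest a sentence or two after "Redpanda Cloud supports mTLS authentication for the Kafka API." along the lines of: with mTLS the broker authenticates the client by its X.509 certificate, which must chain to a CA you register as trusted, rather than by a SASL/SCRAM username and password; the connection is TLS-encrypted in both cases. It is also worth stating up front that issuing and rotating client certificates and CA certificates remains the customer's responsibility, since that is the answer given in the rotating-certificates thread and it is not currently on the page.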
@paulzhang97 @bpraseed what could we add here regarding why we added this authentication mechanism and why we might recommend it over SASL (is it SASL/SCRAM to be specific?)?
Yes. It is SASL/SCRAM. Good question! I can't think of any clear advantage of mTLS, since our SASL is over TLS communication instead of unencrypted traffic over e.g. plain TCP, other than that the algorithms for authenticating the client in mTLS are more secure than username/password-based SASL.
* `<ca-certificate-pem>`: A trusted Kafka client CA certificate in PEM format. The `ca_certificates_pem` field accepts a list of certificates. | ||
* `<principal-mapping-rule>`: Configurable rule for mapping the Common Name of Kafka client certificates to Kafka principals. | ||
+ | ||
For example, the mapping rule `RULE:.*CN=([^,]+).*/\\$1/` maps the following certificate subject to a principal named `test`: |
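Review bot: The rule `RULE:.*CN=([^,]+).*/\\$1/` is written in constrained monospace, so the two `*` characters pair up and AsciiDoc renders part of the rule as bold, which is the rendering problem noted in the thread; wrap it as a literal passthrough, i.e. `+RULE:.*CN=([^,]+).*/\\$1/+` between the backticks, so every character is shown verbatim. Please also state whether the doubled backslash in `\\$1` is part of the rule the API stores or only an escape for the JSON or shell context the request is typed in, because a user pasting the rule elsewhere will otherwise get a different rule. Finally, since the captured CN becomes the Kafka principal that ACLs are evaluated against, the text should say that only CAs whose issuance policy controls the CN belong in `ca_certificates_pem`: any certificate such a CA signs with a given CN is accepted as that principal.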
@kbatuigas: This isn't rendering properly with the `*`.
rpk cluster info --tls-enabled | ||
---- | ||
|
||
You should get an error like the following: |
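Review bot: "You should get an error like the following" reads as if the command is expected to fail in general; what this step actually shows is the negative check, that a connection without a client certificate is rejected once mTLS is enforced. Suggest rewording to "Without a client certificate, the connection is rejected with an error like the following" and pairing it with the positive check that passes the certificate, e.g. `rpk cluster info --tls-enabled --tls-cert client.crt --tls-key client.key --tls-truststore ca.crt`, which should succeed when the certificate chains to a registered CA. As the thread notes, the `tls: certificate required` text is what rpk's TLS stack returns, so the doc can explain it but not change it.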
Shouldn't this be "if TLS is not enabled correctly you will get the below error", @paulzhang97?
This is the actual error returned by rpk. I think `tls: certificate required` makes sense. It says a certificate is required. It could be better if it were e.g. `tls: client certificate required`.
|
||
. Create a service account in your organization, if you have not already done so. Go to the https://cloud.redpanda.com/clients[Clients^] page in the Redpanda Cloud UI and click *Add client* to create a service account. Enter a name and description. | ||
. Retrieve the client ID and secret by clicking *Copy ID* and *Copy Secret*. | ||
. Obtain an access token by making a `POST` request to `https://auth.prd.cloud.redpanda.com/oauth/token` with the ID and secret in the request body. |
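Review bot: Step 1's `https://cloud.redpanda.com/clients` link is reported broken in the thread, so the URL needs re-checking before merge. Step 3 has the user place the client ID and secret in the request body and then hold a bearer token, but it names the `/oauth/token` endpoint without saying which body fields the request expects; suggest documenting the request body, adding that the secret should be read from a secrets store or environment variable rather than pasted on the command line (where it ends up in shell history), and noting that the returned token is itself a credential to be handled the same way.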
Looks like this link is now broken.
Co-authored-by: Paulo Borges <paulohtb@hotmail.com>
Description
How to enable mTLS for Kafka API on RP cloud clusters.
Also includes minor edits related to mTLS mentioned on other docs.
Resolves https://github.com/redpanda-data/documentation-private/issues/2345
Review deadline: 24 May 2024
Page previews
https://deploy-preview-520--redpanda-docs-preview.netlify.app/current/deploy/deployment-option/cloud/security/cloud-authentication/#mtls