What happened?
Currently, when auth.sasl.enabled: true is set in the Helm chart, it results in both enable_sasl=true and kafka_enable_authorization=true being set, which is not aligned with the recommended configuration. According to the best practices for configuring authN and authZ, the Helm chart should adhere to the following configurations:

Option 1: Enable SASL without setting Kafka authorization
- enable_sasl=true
- kafka_enable_authorization=null
- authentication_method on the listeners should NOT be set

Option 2: Use authentication_method with Kafka authorization enabled
- enable_sasl=false
- kafka_enable_authorization=true
- authentication_method on the listeners MUST be set

Combinations where enable_sasl=true and kafka_enable_authorization is explicitly set to true or false, or where authentication_method is set without enabling Kafka authorization, are not recommended and can lead to issues.

Additionally, when enabling SASL on an existing instance, updating the Helm values and performing an upgrade is insufficient. The changes need to be activated imperatively using rpk.
What did you expect to happen?
AuthN and authZ should be configured correctly. See https://redpandacommunity.slack.com/archives/C01AJDUT88N/p1721169800647159?thread_ts=1721075726.706739&cid=C01AJDUT88N
Also see the docs: https://docs.redpanda.com/current/manage/security/authentication/#enable-sasl-authentication
How can we reproduce it (as minimally and precisely as possible)? Please include values file.
Anything else we need to know?
No response
Which are the affected charts?
Redpanda
Chart Version(s)
Latest
Cloud provider
JIRA Link: K8S-293
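
The two recommended combinations and the discouraged ones listed in this issue can be checked mechanically against a rendered configuration. The following is an added example, not code from the issue or from the Helm chart; the function name, the listener dictionary shape and the listener names are assumptions made for illustration.

```python
from typing import Optional

def check_auth_config(enable_sasl: bool,
                      kafka_enable_authorization: Optional[bool],
                      listeners: list[dict]) -> tuple[str, list[str]]:
    """Classify a configuration against the two options described in the issue.

    listeners: assumed shape [{"name": str, "authentication_method": str|None}].
    Returns (mode, problems); mode is "option-1", "option-2",
    "not-recommended", or "unclassified" (a case the issue does not cover).
    """
    with_method = [l["name"] for l in listeners
                   if l.get("authentication_method") is not None]
    without_method = [l["name"] for l in listeners
                      if l.get("authentication_method") is None]
    problems = []

    # enable_sasl=true together with an explicit true/false authorization value.
    if enable_sasl and kafka_enable_authorization is not None:
        problems.append("enable_sasl=true with kafka_enable_authorization "
                        f"explicitly set to {kafka_enable_authorization}")
    # authentication_method set without Kafka authorization enabled.
    if with_method and kafka_enable_authorization is not True:
        problems.append("authentication_method set without Kafka "
                        f"authorization enabled: {with_method}")
    # Option 1: authentication_method should NOT be set on the listeners.
    if enable_sasl and with_method:
        problems.append("enable_sasl=true but authentication_method is set "
                        f"on: {with_method}")
    # Option 2: authentication_method MUST be set on the listeners.
    if (not enable_sasl and kafka_enable_authorization is True
            and without_method):
        problems.append(f"authentication_method missing on: {without_method}")

    if problems:
        return "not-recommended", problems
    if enable_sasl:
        return "option-1", []
    if kafka_enable_authorization is True:
        return "option-2", []
    return "unclassified", []

if __name__ == "__main__":
    # Constructed input mirroring what the issue says the chart renders today.
    chart_today = check_auth_config(True, True, [{"name": "internal"}])
    print(chart_today)
```
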