feat: Kafka Public CA for SASL

[FLEET-6161]

Author: jclarysse

docs/platform/concepts/tls-ssl-certificates.md

@@ -38,11 +38,17 @@ are exceptions:
   the database, but does not verify the server certificate. For more
   information, see the [PostgreSQL
   documentation](https://www.postgresql.org/docs/current/ssl-tcp.html)
-- **Aiven for Apache Kafka®** requires the Aiven project CA
-  certificate, and also the client key and certificate.
+- **Aiven for Apache Kafka®** supports different authentication methods:
+  - Client certificate: The client requires the Aiven project CA and
+  also the client key and certificate.
+  - SASL over SSL: The client authenticates using a service user name
+  and password. By default the communication is encrypted using the
+  project CA certificate. The user configuration `letsencrypt_sasl`
+  also allows to authenticate using a public CA instead of a project CA.
+  For more information, see the [Kafka documentation](https://aiven.io/docs/products/kafka/howto/kafka-sasl-auth)
 
 For these services you can
-[Download CA certificates](/docs/platform/concepts/tls-ssl-certificates#download-ca-certificates)
+[Download the project CA certificates](/docs/platform/concepts/tls-ssl-certificates#download-ca-certificates)
 from **Overview** page of your service.
 
 :::note

docs/products/kafka/howto/kafka-sasl-auth.md

@@ -8,7 +8,7 @@ import ConsoleLabel from "@site/src/components/ConsoleIcons"
 import ConsoleIcon from "@site/src/components/ConsoleIcons"
 import RelatedPages from "@site/src/components/RelatedPages";
 
-Aiven for Apache Kafka® provides [multiple authentication methods](/docs/products/kafka/concepts/auth-types) to secure your Apache Kafka® data, including the highly secure Simple Authentication and Security Layer ([SASL](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer)).
+Aiven for Apache Kafka® provides [multiple authentication methods](/docs/products/kafka/concepts/auth-types) to secure your Apache Kafka® data, including the highly secure Simple Authentication and Security Layer ([SASL](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer)) over SSL.
 
 ## Enable SASL authentication
 
@@ -19,7 +19,7 @@ Aiven for Apache Kafka® provides [multiple authentication methods](/docs/produc
    Aiven for Apache Kafka service.
 1. Click <ConsoleLabel name="Service settings"/>.
 1. Scroll to **Advanced configuration** and click **Configure**.
-1. In the **Advanced configuration** window, set `kafka_authentication_methods.sasl` to
+   In the **Advanced configuration** window, set `kafka_authentication_methods.sasl` to
    **Enabled**.
 1. Click **Save configurations**.
 
@@ -180,6 +180,117 @@ Parameters:
 
 :::
 
+## Enable public CA for SASL authentication
+
+After [enabling SASL authentication](#enable-sasl-authentication), enable
+the Public CA for SASL authentication if clients connecting to Kafka can't
+install or trust the default Project CA.
+
+<Tabs groupId="config-methods">
+<TabItem value="console" label="Aiven Console" default>
+
+1. Access the [Aiven Console](https://console.aiven.io) and select your
+   Aiven for Apache Kafka service.
+1. Click <ConsoleLabel name="Service settings"/>.
+1. Scroll to **Cloud and network**, click **[...]** and select
+   **More network configurations**.
+1. In the **Network configuration** window, click **Add configuration options**
+   and select `letsencrypt_sasl` for enabling public CA for SASL authentication
+   via regular routes or `letsencrypt_sasl_privatelink` via PrivateLink connection.
+1. Set the configuration value to **Enabled**.
+1. Click **Save configurations**.
+
+The **Connection information** in the <ConsoleLabel name="overview"/> page now
+allows SASL connections using either **Project CA** or **Public CA**.
+
+</TabItem>
+<TabItem value="cli" label="CLI">
+
+Enable public CA for SASL authentication for your Aiven for Apache Kafka service using
+[Aiven CLI](/docs/tools/cli):
+
+1. Get the name of the Aiven for Apache Kafka service:
+
+   ```bash
+   avn service list
+   ```
+
+   Note the `SERVICE_NAME` corresponding to your Aiven for Apache Kafka service.
+
+1. Enable public CA for SASL authentication:
+
+   ```bash
+   avn service update SERVICE_NAME -c CONFIG_NAME=true
+   ```
+
+   Parameters:
+
+   - `SERVICE_NAME`: Name of your Aiven for Apache Kafka service.
+   - `CONFIG_NAME`: Name of the configuration parameter to set. Use `letsencrypt_sasl`
+   for enabling public CA for SASL authentication via regular routes or
+   `letsencrypt_sasl_privatelink` via PrivateLink connection.
+
+</TabItem>
+<TabItem value="api" label="API">
+
+Use the [ServiceUpdate](https://api.aiven.io/doc/#tag/Service/operation/ServiceUpdate)
+API to enable public CA for SASL authentication on an existing service:
+
+```bash
+curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
+     -H "Authorization: Bearer <API_TOKEN>" \
+     -H "Content-Type: application/json" \
+     -d '{"user_config": {"letsencrypt_sasl": true}}'   # or letsencrypt_sasl_privatelink for PrivateLink
+```
+</TabItem>
+<TabItem value="terraform" label="Terraform">
+
+1. Create or update your [Aiven for Apache Kafka service resource](https://registry.terraform.io/providers/aiven/aiven/latest/docs/resources/kafka):
+
+```hcl
+resource "aiven_kafka" "example_kafka" {
+  plan                    = "business-4"
+  project                 = data.aiven_project.example_project.project
+  service_name            = "example-kafka"
+
+  kafka_user_config {
+    letsencrypt_sasl = true   # or letsencrypt_sasl_privatelink for PrivateLink
+  }
+}
+```
+
+1. In order to figure out the right `port` to use for a specific route,
+access the [read-only `components`](https://registry.terraform.io/providers/aiven/aiven/latest/docs/data-sources/kafka#components-4)
+and specify appropriate filters to the [`aiven_service_component` data source](https://registry.terraform.io/providers/aiven/aiven/latest/docs/data-sources/service_component)
+for example:
+
+```hcl
+data "aiven_service_component" "sc1" {
+  project                     = aiven_kafka.example_project.project
+  service_name                = aiven_kafka.example_kafka.service_name
+  component                   = "kafka"
+  route                       = "dynamic"
+  kafka_authentication_method = "sasl"
+  kafka_ssl_ca                = "letsencrypt"
+}
+```
+
+</TabItem>
+</Tabs>
+
+:::note
+
+- The public certificate is issued and validated by [Let's Encrypt](https://letsencrypt.org)
+(a widely trusted Certification Authority) for the service domain.
+For more information, see [How It Works](https://letsencrypt.org/how-it-works)
+
+- When enabling public CA for SASL authentication via PrivateLink connection, the
+network can take several minutes to configure until clients are able to connect.
+This is due to the dynamical allocation of a new port, and corresponding update of
+the Load Balancer route table.
+
+:::
+
 <RelatedPages/>
 
 - [Enable OAUTH2/OIDC authentication for Aiven for Apache Kafka](/docs/products/kafka/howto/enable-oidc)

static/includes/config-kafka.md

@@ -220,11 +220,22 @@ import Link from '@docusaurus/Link'
         </table>
       </td>
     </tr>
+    <tr>
+      <td>
+        <div className="param"><p className="name"><Link id="letsencrypt_sasl"/><Link to="#letsencrypt_sasl"><strong>letsencrypt_sasl</strong></Link></p><p><code className="type">boolean,null</code></p></div>
+        <p className="title">Use Let's Encrypt CA for Kafka SASL</p>
+        <div className="description"><p>Use a Let's Encrypt certificate authority (CA) for Kafka SASL authentication. (Default: False)</p></div>
+        <table className="service-param-children">
+          <tbody>
+          </tbody>
+        </table>
+      </td>
+    </tr>
     <tr>
       <td>
         <div className="param"><p className="name"><Link id="letsencrypt_sasl_privatelink"/><Link to="#letsencrypt_sasl_privatelink"><strong>letsencrypt_sasl_privatelink</strong></Link></p><p><code className="type">boolean,null</code></p></div>
-        <p className="title">Use Letsencrypt CA for Kafka SASL via Privatelink</p>
-        <div className="description"><p>Use Letsencrypt CA for Kafka SASL via Privatelink</p></div>
+        <p className="title">Use Let's Encrypt CA for Kafka SASL via Privatelink</p>
+        <div className="description"><p>Use a Let's Encrypt certificate authority (CA) for Kafka SASL authentication via Privatelink. (Default: False)</p></div>
         <table className="service-param-children">
           <tbody>
           </tbody>
@@ -827,6 +838,17 @@ import Link from '@docusaurus/Link'
         </table>
       </td>
     </tr>
+    <tr>
+      <td>
+        <div className="param"><p className="name"><Link id="sasl_oauthbearer_allowed_urls"/><Link to="#sasl_oauthbearer_allowed_urls"><strong>sasl_oauthbearer_allowed_urls</strong></Link></p><p><code className="type">array</code></p></div>
+        <p className="title">Allowed URLs for SASL OAUTHBEARER</p>
+        <div className="description"><p>List of allowed URLs for SASL OAUTHBEARER authentication. Only HTTPS URLs are allowed for security reasons.</p></div>
+        <table className="service-param-children">
+          <tbody>
+          </tbody>
+        </table>
+      </td>
+    </tr>
     <tr>
       <td>
         <div className="param"><p className="name"><Link id="kafka_rest"/><Link to="#kafka_rest"><strong>kafka_rest</strong></Link></p><p><code className="type">boolean</code></p></div>