[SRVKE-1687] Unify KafkaChannel and KafkaBroker secret format #95471
Conversation
openshift-ci
bot
added
the
size/S
|
🤖 Mon Jul 21 14:21:54 - Prow CI generated the docs preview: https://95471--ocpdocs-pr.netlify.app/openshift-serverless/latest/eventing/brokers/kafka-broker.html |
|
QE review request here. |
| @@ -32,14 +32,14 @@ $ oc create secret -n knative-eventing generic <secret_name> \ | |||
| --from-literal=user="my-sasl-user" | |||
| ---- | |||
| ** Use the key names `ca.crt`, `password`, and `sasl.mechanism`. Do not change them. | |||
There was a problem hiding this comment.
(all of the key names must be such, so protocol, and user should be also listed here ) ( I suppose the original reason for this note is the ca.crt , as this is not obvious that it needs to be literally that, but since we list other, we should probably list all of them?)
| @@ -32,14 +32,14 @@ $ oc create secret -n knative-eventing generic <secret_name> \ | |||
| --from-literal=user="my-sasl-user" | |||
| ---- | |||
| ** Use the key names `ca.crt`, `password`, and `sasl.mechanism`. Do not change them. | |||
| ** If you want to use SASL with public CA certificates, you must use the `tls.enabled=true` flag, rather than the `ca.crt` argument, when creating the secret. For example: | |||
| ** If you want to use SASL with public CA certificates, you must use the protocol="SASL_SSL" flag, rather than the ca.crt argument, when creating the secret. For example: | |||
There was a problem hiding this comment.
I don't think this makes sense as is... It did make sense with the original format, as not listing the "ca.crt" would not work if you also didn't explicitly enable TLS with tls.enabled=true .. However, with the new format, the protocol is required to be specified either way, and if it is set to protocol=SASL_SSL it means SSL is enabled. (you can also optionally use protocol=SASL_PLAIN to use SASL over plaintext, without using TLS )
(the only difference between "with public CA certificates" now is that the "ca.crt" argument is not specified.
We could perhaps simplify the whole section by having just a single example with "ca.crt", and having a note that would say "ca.crt" is optional, if the Kafka cluster is using a public CA certificate (verified by one of the default certificate authorities present in the default system truststores in the knative kafka images, if we wanted to be pedantic)
(same comment applies to the sasl-channels, as they now use the same format)
There was a problem hiding this comment.
I see, thanks for the explanation and suggestion. I'll update this.
There was a problem hiding this comment.
@maschmid Updated and pushed.
Please let me know if this matches what you suggested.
openshift-ci
bot
added
size/M
|
QE approved |
|
/label peer-review-needed |
openshift-ci
bot
added
the
peer-review-needed
|
/label peer-review-in-progress |
openshift-ci
bot
added
the
peer-review-in-progress
| --from-literal=saslType="SCRAM-SHA-512" \ | ||
| --from-literal=user="my-sasl-user" | ||
| ---- | ||
| [NOTE] |
There was a problem hiding this comment.
Kafka is a product name, so you might want to consider creating an attribute for Kafka.
|
/label peer-review-done |
openshift-ci
bot
added
the
peer-review-done
|
/remove-label peer-review-needed |
|
/label merge-review-needed |
openshift-ci
bot
added
the
merge-review-needed
ShaunaDiaz
removed
peer-review-in-progress
|
/remove-label merge-review-needed |
openshift-ci
bot
added
merge-review-in-progress
| ---- | ||
| [NOTE] | ||
| ==== | ||
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA that is trusted by the system truststore. |
There was a problem hiding this comment.
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA that is trusted by the system truststore. | |
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA whose certificate is already in the system truststore. |
| ---- | ||
| [NOTE] | ||
| ==== | ||
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA that is trusted by the system truststore. |
There was a problem hiding this comment.
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA that is trusted by the system truststore. | |
| The `ca.crt` key is optional if the Kafka cluster uses a certificate signed by a public CA whose certificate is already in the system truststore. |
qe feedback no1 mr feedback no1
|
@ochromy: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Good suggestions, @briandooley! |
|
/cherry-pick serverless-docs-1.35 |
|
@briandooley: new pull request created: #96411 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/cherry-pick serverless-docs-1.36 |
|
@briandooley: new pull request created: #96413 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/cherry-pick serverless-docs-1.37 |
|
@briandooley: new pull request created: #96524 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Version(s):
serverless-docs-1.35+
Issue:
Link to docs preview:
QE review: