Add Doc changes for enableTls and saslAuthType for Kafka Scaler S…

…caledObject (kedacore#1016) Signed-off-by: dttung2905 <[email protected]>
DmitrySenin · Mar 9, 2023 · f161a36 · f161a36
1 parent 9856d59
commit f161a36
Showing 1 changed file with 146 additions and 5 deletions.
diff --git a/content/docs/2.10/scalers/apache-kafka.md b/content/docs/2.10/scalers/apache-kafka.md
@@ -34,6 +34,8 @@ triggers:
     excludePersistentLag: false
     version: 1.0.0
     partitionLimitation: '1,2,10-20,31'
+    tls: enable
+    sasl: plaintext
 ```
 
 **Parameter list:**
@@ -52,6 +54,8 @@ partition will be scaled to zero. See the [discussion](https://github.com/kedaco
 - `excludePersistentLag` - When set to `true`, the scaler will exclude partition lag for partitions which current offset is the same as the current offset of the previous polling cycle. This parameter is useful to prevent scaling due to partitions which current offset message is unable to be consumed. If `false` (the default), scaler will include all consumer lag in all partitions as per normal. (Default: `false`, Optional)
 - `version` - Version of your Kafka brokers. See [samara](https://github.com/Shopify/sarama) version (Default: `1.0.0`, Optional)
 - `partitionLimitation` - Comma separated list of partition ids to scope the scaling on. Allowed patterns are "x,y" and/or ranges "x-y". If set, the calculation of the lag will only take these ids into account.  (Default: All partitions, Optional)
+- `sasl` - Kafka SASL auth mode. (Values: `plaintext`, `scram_sha256`, `scram_sha512`, `oauthbearer` or `none`, Default: `none`, Optional). This parameter could also be specified in `sasl` in TriggerAuthentication
+- `tls` - To enable SSL auth for Kafka, set this to `enable`. If not set, TLS for Kafka is not used. (Values: `enable`, `disable`, Default: `disable`, Optional). This parameter could also be specified in `tls` in TriggerAuthentication
 
 > **Note:**
 >
@@ -73,6 +77,7 @@ partition will be scaled to zero. See the [discussion](https://github.com/kedaco
 ### Authentication Parameters
 
  You can use `TriggerAuthentication` CRD to configure the authenticate by providing `sasl`, `username` and `password`, in case your Kafka cluster has SASL authentication turned on. If you are using SASL/OAuthbearer you will need to provide `oauthTokenEndpointUri` and `scopes` as required by your OAuth2 provider. If TLS is required you should set `tls` to `enable`. If required for your Kafka configuration, you may also provide a `ca`, `cert`, `key` and `keyPassword`. `cert` and `key` must be specified together.
+ Another alternative is to specify `tls` and `sasl` in ScaledObject instead of `tls` and `sasl` in TriggerAuthentication, respectively.
 
 **Credential based authentication:**
 
@@ -81,8 +86,8 @@ partition will be scaled to zero. See the [discussion](https://github.com/kedaco
 - `sasl` - Kafka SASL auth mode. (Values: `plaintext`, `scram_sha256`, `scram_sha512`, `oauthbearer` or `none`, Default: `none`, Optional)
 - `username` - Username used for sasl authentication. (Optional)
 - `password` - Password used for sasl authentication. (Optional)
-- `oauthTokenEndpointUri` - The OAuth Access Token URI used for oauthbreaker token requests. (Optional unless sasl mode set to oauthbearer)
-- `scopes` - A comma separated lists of OAuth scopes used in the oauthbreaker token requests. (Optional)
+- `oauthTokenEndpointUri` - The OAuth Access Token URI used for oauthbearer token requests. (Optional unless sasl mode set to oauthbearer)
+- `scopes` - A comma separated lists of OAuth scopes used in the oauthbearer token requests. (Optional)
 
 **TLS:**
 
@@ -101,7 +106,7 @@ When a new Kafka consumer is created, it must determine its consumer group initi
 
 ### Example
 
-Your kafka cluster no SASL/TLS auth:
+#### Your kafka cluster has no SASL/TLS auth:
 
 ```yaml
 apiVersion: keda.sh/v1alpha1
@@ -124,7 +129,9 @@ spec:
       offsetResetPolicy: latest
 ```
 
-Your kafka cluster turn on SASL/TLS auth:
+#### Your kafka cluster turns on SASL/TLS auth:
+
+##### Method 1: `tls` and `sasl` are in TriggerAuthentication
 
 ```yaml
 apiVersion: v1
@@ -192,7 +199,71 @@ spec:
       name: keda-trigger-auth-kafka-credential
 ```
 
-Your kafka cluster turn on SASL OAuthbearer/TLS auth:
+##### Method 2: `tls` and `sasl` are in ScaledObject
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keda-kafka-secrets
+  namespace: default
+data:
+  username: "admin"
+  password: "admin"
+  ca: <your ca>
+  cert: <your cert>
+  key: <your key>
+---
+apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+  name: keda-trigger-auth-kafka-credential
+  namespace: default
+spec:
+  secretTargetRef:
+  - parameter: username
+    name: keda-kafka-secrets
+    key: username
+  - parameter: password
+    name: keda-kafka-secrets
+    key: password
+  - parameter: ca
+    name: keda-kafka-secrets
+    key: ca
+  - parameter: cert
+    name: keda-kafka-secrets
+    key: cert
+  - parameter: key
+    name: keda-kafka-secrets
+    key: key
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: kafka-scaledobject
+  namespace: default
+spec:
+  scaleTargetRef:
+    name: azure-functions-deployment
+  pollingInterval: 30
+  triggers:
+  - type: kafka
+    metadata:
+      bootstrapServers: localhost:9092
+      consumerGroup: my-group       # Make sure that this consumer group name is the same one as the one that is consuming topics
+      topic: test-topic
+      tls: enable
+      sasl: plaintext
+      # Optional
+      lagThreshold: "50"
+      offsetResetPolicy: latest
+    authenticationRef:
+      name: keda-trigger-auth-kafka-credential
+```
+
+#### Your kafka cluster turns on SASL OAuthbearer/TLS auth:
+
+##### Method 1: `tls` and `sasl` are in TriggerAuthentication
 
 ```yaml
 apiVersion: v1
@@ -267,3 +338,73 @@ spec:
     authenticationRef:
       name: keda-trigger-auth-kafka-credential
 ```
+
+##### Method 2: `tls` and `sasl` are in ScaledObject
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keda-kafka-secrets
+  namespace: default
+data:
+  username: "admin"
+  password: "admin"
+  oauthTokenEndpointUri: "https://tokenendpoint.com/token"
+  scopes: "default"
+  ca: <your ca>
+  cert: <your cert>
+  key: <your key>
+---
+apiVersion: keda.sh/v1alpha1
+kind: TriggerAuthentication
+metadata:
+  name: keda-trigger-auth-kafka-credential
+  namespace: default
+spec:
+  secretTargetRef:
+  - parameter: username
+    name: keda-kafka-secrets
+    key: username
+  - parameter: password
+    name: keda-kafka-secrets
+    key: password
+  - parameter: oauthTokenEndpointUri
+    name: keda-kafka-secrets
+    key: oauthTokenEndpointUri
+  - parameter: scopes
+    name: keda-kafka-secrets
+    key: scopes
+  - parameter: ca
+    name: keda-kafka-secrets
+    key: ca
+  - parameter: cert
+    name: keda-kafka-secrets
+    key: cert
+  - parameter: key
+    name: keda-kafka-secrets
+    key: key
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: kafka-scaledobject
+  namespace: default
+spec:
+  scaleTargetRef:
+    name: azure-functions-deployment
+  pollingInterval: 30
+  triggers:
+  - type: kafka
+    metadata:
+      bootstrapServers: localhost:9092
+      consumerGroup: my-group       # Make sure that this consumer group name is the same one as the one that is consuming topics
+      topic: test-topic
+      tls: enable
+      sasl: oauthbearer
+      # Optional
+      lagThreshold: "50"
+      offsetResetPolicy: latest
+    authenticationRef:
+      name: keda-trigger-auth-kafka-credential
+```