external kafka with kerberos authentication pega.yaml configuration for helm on openshift
we are migrating from embedded kafka to external kafka for (openshift) stream nodes. we have a truststore jks file for authentication. we are trying to configure pega.yaml for helm deployment.we couldnt find an example for it. we need step by step explanation what to do with jks file (do we need to convert it to base64 encoded file). where to put it in openshift secret and/or in pega.yaml file? what name should be given to which field in yaml or secret? if we need secret what type of secret should it be (key/value or anything else)? we also have a keytab file for kerberos authentication which I couldnt find where to configure such a file in yaml. we are on version 24.1
ai4process ltd
GB
Yes. you’ll need to base64-encode the JKS file before embedding it in a Kubernetes secret.
1. Setup the Truststore jks file by creating a base64 encoded jks file and include it in a kubernetes secret file.
apiVersion: v1
kind: Secret
metadata:
name: kafka-truststore-secret
type: Opaque
data:
truststore.jks: <base64-encoded-content>
2. base 64 encode your keytab file as well to include the kerberos
apiVersion: v1
kind: Secret
metadata:
name: kafka-keytab-secret
type: Opaque
data:
kafka.keytab: <base64-encoded-content>
3. refer the secret in pega.yaml under stream configuration
stream:
kafka:
kerberos:
enabled: true
keytabSecret:
name: kafka-keytab-secret
mountPath: /opt/pega/secrets/kafka
fileName: kafka.keytab
principal: <kafka principal realm reference>
serviceName: kafka
realm: <Your Realm>
security:
protocol: SASL_SSL
truststoreSecret:
name: kafka-truststore-secret
mountPath: /opt/pega/secrets/kafka
fileName: truststore.jks
Ensure that your kafka brokers are configured to accept Kerberos auth and SSL and Use Opaque secrets for both JKS and keytab.