Configuring PLAIN authentication

Learn how to configure PLAIN (basic) authentication by applying a custom authentication configuration for Kafka on an exposed listener.

To set up PLAIN, create a secret that contains the JAAS configuration file, kafka-jaas.conf, with the username and password configuration.

echo -n 'org.apache.kafka.common.security.plain.PlainLoginModule required user_kafka="password";' > kafka-jaas.conf
kubectl create secret -n kafka generic my-kafka-secret-name --from-file=kafka-jaas.conf

Next, a Role and a RoleBinding are needed so that the secret holding kafka-jaas.conf can be used:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kafka-configuration-role
rules:
# Read-only access to the one secret that holds kafka-jaas.conf
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["my-kafka-secret-name"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kafka-configuration-role-binding
subjects:
- kind: ServiceAccount
  name: my-cluster-kafka
  namespace: kafka
roleRef:
  kind: Role
  name: kafka-configuration-role
  apiGroup: rbac.authorization.k8s.io

Finally, configure the Kafka listener. Setting spec.kafka.listeners[n].authentication.sasl to true makes the Strimzi Cluster Operator configure the SASL protocol for the listener.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: plain
        port: 9093
        type: internal
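        tls: true  # PLAIN sends the password unencrypted at the SASL layer, so TLS stays on for this listener
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.plain.internals.PlainServerCallbackHandler
            sasl.enabled.mechanisms: PLAIN
            # ${secrets:<namespace>/<secret name>:<key>}, resolved by the config provider declared below
            plain.sasl.jaas.config: ${secrets:kafka/my-kafka-secret-name:kafka-jaas.conf}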
    config:
      config.providers: secrets
      config.providers.secrets.class: io.strimzi.kafka.KubernetesSecretConfigProvider
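
A pre-flight check for the JAAS entry written to kafka-jaas.conf in the first step, run before the secret is created. This is an added example, not part of the original page or of Strimzi; the placeholder list and minimum length are assumptions, and passwords containing a double quote are not handled.

```python
import re

PLAIN_MODULE = "org.apache.kafka.common.security.plain.PlainLoginModule"
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
PLACEHOLDERS = {"password", "changeme", "secret", "admin", "kafka"}  # assumed deny-list
MIN_LENGTH = 16  # assumed policy, not a Kafka or Strimzi rule

# Inline JAAS entry: <login module class> <control flag> key="value" ... ;
ENTRY_RE = re.compile(r'^\s*([\w.$]+)\s+(\w+)(.*?);\s*$', re.S)
OPTION_RE = re.compile(r'\s+([\w.]+)=(?:"([^"]*)"|([^\s;"]+))')

def parse_jaas_entry(text):
    """Return (module, control_flag, options) for one inline JAAS entry."""
    entry = ENTRY_RE.match(text)
    if entry is None:
        raise ValueError("expected '<module> <flag> <options>;' ending in ';'")
    module, flag, raw = entry.groups()
    options, pos = {}, 0
    while (opt := OPTION_RE.match(raw, pos)) is not None:
        key, quoted, bare = opt.groups()
        options[key] = quoted if quoted is not None else bare
        pos = opt.end()
    if raw[pos:].strip():  # report the offset only, the text may hold a password
        raise ValueError(f"cannot parse options at offset {pos}")
    return module, flag, options

def lint_plain_jaas(text):
    """Return findings (empty list = none); they name accounts, never passwords."""
    module, flag, options = parse_jaas_entry(text)
    findings = []
    if module != PLAIN_MODULE:
        findings.append(f"login module is {module}, not PlainLoginModule")
    if flag not in CONTROL_FLAGS:
        findings.append(f"unknown control flag {flag!r}")
    # Each user_<name>="<password>" option defines one account on the broker.
    users = {k[len("user_"):]: v for k, v in options.items() if k.startswith("user_")}
    if not users:
        findings.append("no user_<name> option, so no client can authenticate")
    for name, password in users.items():
        if password.lower() in PLACEHOLDERS or password == name:
            findings.append(f"user {name!r}: placeholder password")
        elif len(password) < MIN_LENGTH:
            findings.append(f"user {name!r}: password shorter than {MIN_LENGTH}")
    return findings

# Constructed samples: the first is the entry written by the echo command on this page.
PAGE_SAMPLE = f'{PLAIN_MODULE} required user_kafka="password";'
STRONG_SAMPLE = f'{PLAIN_MODULE} required user_kafka="Zq7-constructed-sample-value";'

if __name__ == "__main__":
    print(lint_plain_jaas(PAGE_SAMPLE), lint_plain_jaas(STRONG_SAMPLE))
```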