Configuring PLAIN authentication

PLAIN (basic) authentication can be configured by applying a custom authentication configuration for Kafka on an exposed listener.

To set up PLAIN, create a secret that contains the jaas.conf with the username-password configuration.
echo -n 'org.apache.kafka.common.security.plain.PlainLoginModule required user_kafka="password";' > kafka-jaas.conf
kubectl create secret -n kafka generic my-kafka-secret-name --from-file=kafka-jaas.conf
Next, a Role and a RoleBinding is needed to be able to use the kafka-jaas.conf secret:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kafka-configuration-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["my-kafka-secret-name"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kafka-configuration-role-binding
subjects:
- kind: ServiceAccount
  name: my-cluster-kafka
  namespace: kafka
roleRef:
  kind: Role
  name: kafka-configuration-role
  apiGroup: rbac.authorization.k8s.io

Finally, the Kafka listener can be configured. By setting the spec.kafka.listeners[n].authentication.sasl to true, the Strimzi Cluster Operator will configure SASL protocol for the listener.