Kafka cluster
To use Kpow with Strimzi, run the Strimzi-specific build of Kpow. It bundles the Strimzi OAuth client libraries that the OAUTHBEARER configuration below depends on (mTLS and SCRAM use the standard Kafka login modules and do not need them):
docker pull factorhouse/kpow:95.4-strimzi
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes. For production, you can tailor the cluster to your needs using features such as rack awareness, taints, and tolerations.
Configuration for authenticating to Strimzi
Strimzi supports three primary authentication mechanisms: Mutual TLS (mTLS), SASL SCRAM-SHA-512, and OAuth 2.0.
Mutual TLS (mTLS)
Strimzi's Cluster Operator manages the cluster CA, and the User Operator issues a client certificate for every KafkaUser with tls authentication. Mount the cluster CA truststore from the <cluster>-cluster-ca-cert Secret (keys ca.p12 and ca.password) and the user keystore from the KafkaUser's Secret (keys user.p12 and user.password) into the Kpow container. The changeit passwords below are placeholders: the real passwords are generated by Strimzi and live in those Secrets.
SECURITY_PROTOCOL=SSL
# Truststore (Cluster CA): ca.p12 from the <cluster>-cluster-ca-cert Secret
SSL_TRUSTSTORE_TYPE=PKCS12
SSL_TRUSTSTORE_LOCATION=/path/to/cluster-ca.p12
# placeholder: use the ca.password value from the same Secret
SSL_TRUSTSTORE_PASSWORD=changeit
# Keystore (User Certificate): user.p12 from the KafkaUser's Secret
SSL_KEYSTORE_TYPE=PKCS12
SSL_KEYSTORE_LOCATION=/path/to/user.p12
# placeholder: use the user.password value from the same Secret
SSL_KEYSTORE_PASSWORD=changeit
SASL SCRAM-SHA-512
Strimzi supports SCRAM-SHA-512 (not SCRAM-SHA-256) for password-based authentication. For a KafkaUser with scram-sha-512 authentication the User Operator generates the password and stores it in the user's Secret under the password key, together with a ready-made JAAS string under sasl.jaas.config.
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=SCRAM-SHA-512
# Truststore is still required: the SASL_SSL listener presents a certificate
# signed by the Strimzi cluster CA (ca.p12 / ca.password from <cluster>-cluster-ca-cert)
SSL_TRUSTSTORE_TYPE=PKCS12
SSL_TRUSTSTORE_LOCATION=/path/to/cluster-ca.p12
SSL_TRUSTSTORE_PASSWORD=changeit
# JAAS Config: username is the KafkaUser name, password is the `password` key of its Secret
# (the Secret's sasl.jaas.config key already holds this exact string)
SASL_JAAS_CONFIG=org.apache.kafka.common.security.scram.ScramLoginModule required username="YOUR_USERNAME" password="YOUR_PASSWORD";
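Both the mTLS and the SCRAM settings above are derived from Secrets that Strimzi generates. The following Python script is added here as an example, not Kpow's or Strimzi's own code: it decodes a cluster CA Secret and a KafkaUser Secret in the shape `kubectl get secret -o json` returns, writes the PKCS12 files with owner-only permissions, and emits the environment variables for either mode. The Secret contents are constructed placeholders, and the `kpow` user name, output paths and passwords are assumptions.

```python
"""Render Kpow mTLS / SCRAM settings from the Secrets Strimzi creates.

Added example, not Kpow's or Strimzi's own code. Assumes the Secret keys
Strimzi uses: <cluster>-cluster-ca-cert holds ca.p12 and ca.password, a
KafkaUser with tls authentication holds user.p12 and user.password, and a
KafkaUser with scram-sha-512 authentication holds password and sasl.jaas.config.
"""
import base64
import os
import stat
import tempfile
from pathlib import Path


def decode_secret(secret):
    """Decode the base64 `data` map of a Secret (the shape `kubectl get secret -o json` returns)."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def write_private(path, content):
    """Write keystore material owner-readable only; a PKCS12 keystore carries the private key."""
    path.write_bytes(content)
    os.chmod(path, 0o600)


def truststore_env(cluster_ca, out_dir):
    """SSL_TRUSTSTORE_* from the cluster CA Secret; shared by mTLS and SCRAM."""
    data = decode_secret(cluster_ca)
    p12 = out_dir / "cluster-ca.p12"
    write_private(p12, data["ca.p12"])
    return {
        "SSL_TRUSTSTORE_TYPE": "PKCS12",
        "SSL_TRUSTSTORE_LOCATION": str(p12),
        "SSL_TRUSTSTORE_PASSWORD": data["ca.password"].decode(),  # generated by Strimzi
    }


def mtls_env(cluster_ca, user, out_dir):
    """SECURITY_PROTOCOL=SSL: cluster CA as truststore, the KafkaUser's PKCS12 as keystore."""
    data = decode_secret(user)
    p12 = out_dir / "user.p12"
    write_private(p12, data["user.p12"])
    env = {"SECURITY_PROTOCOL": "SSL", **truststore_env(cluster_ca, out_dir)}
    env.update({
        "SSL_KEYSTORE_TYPE": "PKCS12",
        "SSL_KEYSTORE_LOCATION": str(p12),
        "SSL_KEYSTORE_PASSWORD": data["user.password"].decode(),
    })
    return env


def scram_env(cluster_ca, user, out_dir):
    """SECURITY_PROTOCOL=SASL_SSL with SCRAM-SHA-512; the listener cert is still checked against the cluster CA."""
    data = decode_secret(user)
    jaas = data.get("sasl.jaas.config")  # Strimzi pre-renders this key for scram users
    if jaas is None:                     # otherwise build it from the KafkaUser name and password
        username = user["metadata"]["name"]
        password = data["password"].decode().replace('"', '\\"')
        jaas = ("org.apache.kafka.common.security.scram.ScramLoginModule required "
                f'username="{username}" password="{password}";').encode()
    return {"SECURITY_PROTOCOL": "SASL_SSL", "SASL_MECHANISM": "SCRAM-SHA-512",
            **truststore_env(cluster_ca, out_dir), "SASL_JAAS_CONFIG": jaas.decode()}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample Secrets: the .p12 payloads are placeholder bytes, not real keystores.
CLUSTER_CA_SECRET = {"metadata": {"name": "my-cluster-cluster-ca-cert"},
                     "data": {"ca.p12": _b64("<placeholder truststore>"),
                              "ca.password": _b64("c8GbV2kQ1xP7")}}
TLS_USER_SECRET = {"metadata": {"name": "kpow"},
                   "data": {"user.p12": _b64("<placeholder keystore>"),
                            "user.password": _b64("m3ZyR9tLw0Hf")}}
SCRAM_USER_SECRET = {"metadata": {"name": "kpow"},
                     "data": {"password": _b64("Vq4nXb8RtK2s")}}


def render_sample():
    """Run both renderers against the constructed Secrets in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        tls = mtls_env(CLUSTER_CA_SECRET, TLS_USER_SECRET, out)
        scram = scram_env(CLUSTER_CA_SECRET, SCRAM_USER_SECRET, out)
        mode = stat.S_IMODE(os.stat(tls["SSL_KEYSTORE_LOCATION"]).st_mode)
    return {"tls": tls, "scram": scram, "keystore_mode": mode}


if __name__ == "__main__":
    sample = render_sample()
    for mode_name in ("tls", "scram"):
        print(f"# {mode_name}")
        for key, value in sample[mode_name].items():
            print(f"{key}={value}")
```

In a real deployment the same mapping is usually done declaratively by mounting the two Secrets as volumes and pointing the SSL_*_LOCATION variables at the mounted ca.p12 and user.p12 files; the script makes the key names and the owner-only file permissions explicit.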
OAuth 2.0 (OAUTHBEARER)
The OAUTHBEARER configuration relies on Strimzi's OAuth client library, which supplies the login callback handler io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler; this is the reason the Strimzi build of Kpow is required.
To keep the client secret out of the configuration file, use the JAAS configuration below and provide the credentials as environment variables. Kpow substitutes ${VAR_NAME} references inside configuration values.
Scenario A: Identity provider uses public CA (e.g., Okta, Azure)
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=OAUTHBEARER
# Truststore for the Kafka listener: its certificate is issued by the Strimzi cluster CA
# regardless of which CA the identity provider uses (omit only if the listener was
# configured with a custom, publicly trusted certificate)
SSL_TRUSTSTORE_TYPE=PKCS12
SSL_TRUSTSTORE_LOCATION=/path/to/cluster-ca.p12
SSL_TRUSTSTORE_PASSWORD=changeit
SASL_LOGIN_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="${OAUTH_CLIENT_ID}" \
oauth.client.secret="${OAUTH_CLIENT_SECRET}" \
oauth.token.endpoint.uri="${OAUTH_TOKEN_ENDPOINT_URI}";
Scenario B: Identity provider uses internal/self-signed CA (e.g., Keycloak on K8s)
If your identity provider (for example Keycloak running in the same cluster) presents a certificate from a self-signed or internal CA, or from the Strimzi cluster CA, the SSL_TRUSTSTORE_* settings do not help: they cover only the TLS connection to the Kafka listener. The OAuth login callback opens its own HTTPS connection to the token endpoint, so you must tell that HTTP client which CA to trust using the oauth.ssl properties.
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=OAUTHBEARER
SSL_TRUSTSTORE_TYPE=PKCS12
SSL_TRUSTSTORE_LOCATION=/path/to/cluster-ca.p12
SSL_TRUSTSTORE_PASSWORD=changeit
SASL_LOGIN_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
# Note the addition of the oauth.ssl properties below: they apply only to the HTTPS call to the
# token endpoint. Point them at cluster-ca.p12 only if the identity provider's certificate was
# issued by the Strimzi cluster CA; otherwise use a truststore holding the provider's own CA.
SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="${OAUTH_CLIENT_ID}" \
oauth.client.secret="${OAUTH_CLIENT_SECRET}" \
oauth.token.endpoint.uri="${OAUTH_TOKEN_ENDPOINT_URI}" \
oauth.ssl.truststore.location="/path/to/cluster-ca.p12" \
oauth.ssl.truststore.password="changeit" \
oauth.ssl.truststore.type="PKCS12";
Required environment variables:
When using the configuration above, define the following environment variables in the Kpow container:
OAUTH_CLIENT_ID
OAUTH_CLIENT_SECRET
OAUTH_TOKEN_ENDPOINT_URI
Source them from a Kubernetes Secret (for example via envFrom or valueFrom.secretKeyRef) rather than writing the values into the Deployment manifest or a ConfigMap, so the client secret is not stored in plain text alongside the rest of the configuration.
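Before deploying it is worth checking that the OAuth settings are consistent: every ${VAR} reference is defined, the Strimzi handler class is set, the broker truststore is present, and a token endpoint inside the cluster carries the oauth.ssl options. The Python below is an added example, not Kpow's or Strimzi's own code: it parses the JAAS string, applies the ${VAR_NAME} substitution and runs those checks against the two scenarios above. The host-suffix rule that treats .svc and .local endpoints as internal, the idp.example.com and keycloak.identity.svc hostnames, the file paths and the secret values are this example's own assumptions.

```python
"""Resolve ${VAR} references in a Kpow OAUTHBEARER config and sanity-check it.

Added example, not Kpow's or Strimzi's own code. The ${VAR_NAME} substitution
mirrors the Kpow rule described above; the oauth.* names are options of Strimzi's
JaasClientOauthLoginCallbackHandler. IN_CLUSTER_SUFFIXES is this example's own
heuristic for "internal identity provider" (assumption).
"""
import re
from urllib.parse import urlparse

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
OPTION_RE = re.compile(r'([\w.]+)="((?:[^"\\]|\\.)*)"')  # key="value" pairs in a JAAS entry
STRIMZI_HANDLER = "io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler"
OAUTH_MODULE = "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule"
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local", ".local")  # assumption


def substitute(value, env):
    """Expand ${NAME} from env; an undefined name is an error, never an empty string."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"unresolved variable ${{{name}}}")
        return env[name]
    return VAR_RE.sub(repl, value)


def parse_jaas(jaas):
    """Split 'Module flag key="v" ...;' into (module, flag, {key: v}); accepts backslash-newline continuations."""
    body = jaas.replace("\\\n", " ").strip()
    if not body.endswith(";"):
        raise ValueError("JAAS config must end with ';'")
    parts = body[:-1].split(None, 2)
    if len(parts) < 2:
        raise ValueError("JAAS config needs a login module and a control flag")
    options = dict(OPTION_RE.findall(parts[2])) if len(parts) == 3 else {}
    return parts[0], parts[1], options


def check_oauth_config(config, env):
    """Return the problems found in a Scenario A/B style config (empty list means consistent)."""
    try:
        cfg = {k: substitute(v, env) for k, v in config.items()}
    except KeyError as err:
        return [str(err).strip("'")]
    problems = []
    if cfg.get("SECURITY_PROTOCOL") != "SASL_SSL":
        problems.append("SECURITY_PROTOCOL must be SASL_SSL: the bearer token goes over the wire")
    if cfg.get("SASL_MECHANISM") != "OAUTHBEARER":
        problems.append("SASL_MECHANISM must be OAUTHBEARER")
    if cfg.get("SASL_LOGIN_CALLBACK_HANDLER_CLASS") != STRIMZI_HANDLER:
        problems.append("SASL_LOGIN_CALLBACK_HANDLER_CLASS must be the Strimzi handler (needs the -strimzi image)")
    if not cfg.get("SSL_TRUSTSTORE_LOCATION"):
        problems.append("SSL_TRUSTSTORE_LOCATION missing: the listener certificate is signed by the cluster CA")
    try:
        module, flag, opts = parse_jaas(cfg.get("SASL_JAAS_CONFIG", ""))
    except ValueError as err:
        return problems + [str(err)]
    if module != OAUTH_MODULE or flag != "required":
        problems.append("SASL_JAAS_CONFIG must start with OAuthBearerLoginModule required")
    for key in ("oauth.client.id", "oauth.client.secret", "oauth.token.endpoint.uri"):
        if not opts.get(key):
            problems.append(f"{key} is empty")
    uri = urlparse(opts.get("oauth.token.endpoint.uri", ""))
    if uri.scheme != "https":
        problems.append("oauth.token.endpoint.uri must be https: the client secret is sent in the token request")
    host = uri.hostname or ""
    if (host == "localhost" or host.endswith(IN_CLUSTER_SUFFIXES)) and not opts.get("oauth.ssl.truststore.location"):
        problems.append("in-cluster token endpoint: add oauth.ssl.truststore.* so the IdP certificate is trusted")
    return problems


# Constructed sample settings; hostnames, paths and secret values are placeholders.
SCENARIO_A = {
    "SECURITY_PROTOCOL": "SASL_SSL",
    "SASL_MECHANISM": "OAUTHBEARER",
    "SSL_TRUSTSTORE_LOCATION": "/etc/kpow/cluster-ca.p12",
    "SSL_TRUSTSTORE_PASSWORD": "${TRUSTSTORE_PASSWORD}",
    "SASL_LOGIN_CALLBACK_HANDLER_CLASS": STRIMZI_HANDLER,
    "SASL_JAAS_CONFIG": OAUTH_MODULE + " required \\\n"
    '  oauth.client.id="${OAUTH_CLIENT_ID}" \\\n'
    '  oauth.client.secret="${OAUTH_CLIENT_SECRET}" \\\n'
    '  oauth.token.endpoint.uri="${OAUTH_TOKEN_ENDPOINT_URI}";',
}
SCENARIO_B = dict(SCENARIO_A, SASL_JAAS_CONFIG=SCENARIO_A["SASL_JAAS_CONFIG"][:-1]
                  + ' oauth.ssl.truststore.location="/etc/kpow/idp-ca.p12"'
                  ' oauth.ssl.truststore.password="${IDP_TRUSTSTORE_PASSWORD}"'
                  ' oauth.ssl.truststore.type="PKCS12";')
BASE_ENV = {"TRUSTSTORE_PASSWORD": "c8GbV2kQ1xP7", "IDP_TRUSTSTORE_PASSWORD": "x1Yt9vQ2pL",
            "OAUTH_CLIENT_ID": "kpow", "OAUTH_CLIENT_SECRET": "placeholder-client-secret"}
PUBLIC_IDP = dict(BASE_ENV, OAUTH_TOKEN_ENDPOINT_URI="https://idp.example.com/oauth2/v1/token")
INTERNAL_IDP = dict(BASE_ENV, OAUTH_TOKEN_ENDPOINT_URI=
                    "https://keycloak.identity.svc:8443/realms/kafka/protocol/openid-connect/token")


def run_checks():
    """Evaluate the situations discussed in the text and return the findings for each."""
    without_secret = {k: v for k, v in PUBLIC_IDP.items() if k != "OAUTH_CLIENT_SECRET"}
    return {
        "public_idp": check_oauth_config(SCENARIO_A, PUBLIC_IDP),
        "internal_idp_no_truststore": check_oauth_config(SCENARIO_A, INTERNAL_IDP),
        "internal_idp": check_oauth_config(SCENARIO_B, INTERNAL_IDP),
        "missing_variable": check_oauth_config(SCENARIO_A, without_secret),
    }
```

Running `run_checks()` reports no findings for the public provider with Scenario A and for the internal provider with Scenario B, flags the internal provider used with Scenario A (no oauth.ssl truststore), and refuses the configuration whose ${OAUTH_CLIENT_SECRET} is undefined instead of silently substituting an empty secret.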