Confusion around upgrading from v1beta2 to v1

[sebastian-gott]

I saw in the release notes that v1 versions of the CRDs had been rolled out now. In the release notes, it states that in the authentication and authorization fields type: oauth and type: keycloak respectively has been replaced by type: custom. My v1beta2 manifest currently looks like this:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka
spec:
  kafka:
    resources:
      requests:
        memory: 2Gi
        cpu: 1
      limits:
        memory: 4Gi
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
        authentication:
          type: oauth
          clientId: kafka
          clientSecret:
            key: secret
            secretName: broker-oauth-secret
          validIssuerUri: http://keycloak.keycloak.svc.cluster.local:8080/realms/integration_platform
          jwksEndpointUri: http://keycloak.keycloak.svc.cluster.local:8080/realms/integration_platform/protocol/openid-connect/certs
          userNameClaim: preferred_username
          enableMetrics: false
    authorization:
      type: keycloak
      clientId: kafka
      superUsers:
        - "User:kafka"
      tokenEndpointUri: http://keycloak.keycloak.svc.cluster.local:8080/realms/integration_platform/protocol/openid-connect/token
      enableMetrics: false

In the docs for manual changes that has to be made on the Kafka resource it says to replace oauth with custom and instead mount the secrets using the template section. In the v1 CRD, the authentication section looks like this:

authentication:
  type: object
  properties:
    listenerConfig:
      x-kubernetes-preserve-unknown-fields: true
      type: object
    sasl:
      type: boolean
    type:
      type: string
      enum:
        - tls
        - scram-sha-512
        - custom

It no longer contains properties like clientId, validIssuerUri, etc. either so I assume these should be moved somewhere else as well? In the oauth section of the documentation it still uses type: oauth despite using the v1 manifest as well which is kinda confusing. Any clarification on this? Is the documentation just not fully updated yet? Help much appreciated 😃

[scholzj]

That is indeed confusing. There will be some improvements around this in the 0.49.1 docs. You can see how the config would look like for example in the latest docs builds from the main branch: https://strimzi.io/docs/operators/in-development/deploying.html#configuring_authentication_on_kafka_listeners