16 Disabling Kafka Feed Configuration Support

This chapter describes the steps to take when external Kafka feeds are no longer needed within the Data Director deployment.

For the external Kafka Feed, TLS and access control settings are essential on the Kafka server. However, if external Kafka Feed support becomes unnecessary, access control within Kafka should be disabled.

Perform the steps in this procedure only on the worker group in which Kafka feed support is to be disabled.

Note:

  • If you are rolling back to a version without Kafka feed support, you must delete the producer client ACLs and Kafka feeds before initiating the rollback. Follow steps 1 and 3 to delete the feeds and ACLs.
  • When reverting to a version where Kafka feeds were supported and configured, there is no requirement to delete Kafka feeds and producer client ACLs.
  • If the ACLs and feeds cannot be deleted before the rollback, contact Oracle Support using MOS.

  1. Delete all the Kafka feeds using the UI. See the Deleting Kafka Feed section.

    Note:

    If the producer client ACL and generic ACL were not deleted previously (see Deleting Generic Producer Client ACLs), delete them now; otherwise, ignore this note and continue with the next steps.
  2. Perform helm upgrade by following the steps below:

    Note:

    Perform this step on the worker group where the feed support is to be disabled. This can be the default group or any other worker group. For the default group, use the corresponding charts and custom values.
    1. Helm Upgrade for disabling ACL support

      Edit the ocnadd-custom-values-23.4.0.0.1.yaml file and make the following updates in the global section:

      global:
          ssl:
              intraTlsEnabled: true           ## If intra-TLS connections are required keep this as 'true', else make it 'false'
          acl:
              kafkaClientAuth: required       ## Update the kafkaClientAuth to none
              aclNotAllowed: false            ## Update the aclNotAllowed to true
    2. To upgrade, run the following command:
      helm upgrade <worker-group-release-name> -f ocnadd-custom-values-<wg1-group>.yaml --namespace <worker-group1-namespace> <helm_chart> --set global.acl.genericAclAllowed=true
      For example:
      helm upgrade ocnadd-wg1 -f ocnadd-custom-values-wg1-group.yaml --namespace dd-worker-group1 ocnadd_wg1 --set global.acl.genericAclAllowed=true
    3. After the helm upgrade, ensure that all pods are in a running state.
  3. Remove all the specific producer client ACLs from the worker group where the Kafka feed support should be disabled:
    1. Access any pod within the OCNADD deployment, for example, 'kafka-broker-0', using this command:
      kubectl exec -it kafka-broker-0 -n <worker-group-namespace> -- bash
    2. Run the command below, replacing <workerGroup> with the name of the worker group, <aclUser> with the producer's ACL user, and <topic_name> with the topic name:
      curl -k --location --request DELETE 'http://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{
          "principal": "<aclUser>",
          "resourceName": "<topic_name>",
          "aclOperation": "WRITE"
      }'
      Examples:
      • Delete ACL for the SCP topic, assuming the SCP producer's <aclUser> name is 'scpuser':
        curl -k --location --request DELETE 'http://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{
            "principal": "scpuser",
            "resourceName": "SCP",
            "aclOperation": "WRITE"
        }'
      • Delete ACL for the NRF topic, assuming the NRF producer ACL user name is 'nrfuser':
        curl -k --location --request DELETE 'http://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{
            "principal": "nrfuser",
            "resourceName": "NRF",
            "aclOperation": "WRITE"
        }'
      • Delete ACL for the SEPP topic, assuming the SEPP producer ACL user name is 'seppuser':
        curl -k --location --request DELETE 'http://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{
            "principal": "seppuser",
            "resourceName": "SEPP",
            "aclOperation": "WRITE"
        }'

Note:

Delete the generic ACLs if they have not already been deleted; see the Deleting Generic Producer Client ACLs section.
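
The per-producer deletions in step 3 can be run as one loop that reports any ACL that was not removed. This is an added example, not Oracle's tooling: the endpoint and JSON fields are those shown in step 3, the principal and topic pairs are the page's three examples, and the function names, the DRY_RUN and WORKER_GROUP variables, and the allowed-character check are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle tooling. The endpoint and JSON fields come from
# step 3; the principal:topic pairs are the page's three examples.
# Assumptions: names use only [A-Za-z0-9._-]; run inside an OCNADD pod with
# WORKER_GROUP set and DRY_RUN=0 to actually send the requests.

BASE_URL='http://ocnaddconfiguration:12590/ocnadd-configuration/v2'
ACL_PAIRS='scpuser:SCP nrfuser:NRF seppuser:SEPP'

# Build the request body. Rejecting other characters keeps a stray quote or
# comment out of the JSON, which would make the body invalid.
acl_payload() {  # $1=principal  $2=topic
    for v in "$1" "$2"; do
        case "$v" in
            ''|*[!A-Za-z0-9._-]*) echo "rejected value: '$v'" >&2; return 1 ;;
        esac
    done
    printf '{"principal":"%s","resourceName":"%s","aclOperation":"WRITE"}' "$1" "$2"
}

# Delete one producer ACL; with DRY_RUN=1 (the default) only print the request.
delete_acl() {  # $1=worker group  $2=principal  $3=topic
    body=$(acl_payload "$2" "$3") || return 1
    url="$BASE_URL/$1/client-acl"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'DELETE %s %s\n' "$url" "$body"
        return 0
    fi
    # --fail makes an HTTP 4xx/5xx reply a non-zero exit instead of silent success.
    # -k from the page's command is dropped: it has no effect on an http:// URL.
    curl --silent --show-error --fail --request DELETE "$url" \
         --header 'Content-Type: application/json' --data-raw "$body"
}

# Walk every pair and return the number of deletions that failed.
delete_all_acls() {  # $1=worker group
    failed=0
    for pair in $ACL_PAIRS; do
        delete_acl "$1" "${pair%%:*}" "${pair#*:}" || {
            failed=$((failed + 1)); echo "FAILED: $pair" >&2; }
    done
    return "$failed"
}

delete_all_acls "${WORKER_GROUP:-<workerGroup>}"
```

Review the dry-run output first, then rerun with DRY_RUN=0; a non-zero exit status is the count of ACLs that still need to be removed.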