From 44048fd64c9789adcf5ce155696f7c2dd1b042c2 Mon Sep 17 00:00:00 2001 
From: lena-larionova Date: Wed, 17 Jun 2026 00:32:00 -0700 Subject: [PATCH 1/3] oauthbearer support in event plugins --- app/_includes/plugins/confluent/auth.md | 21 +++++++ app/_includes/plugins/kafka/auth.md | 41 ++++++++++++++ app/_includes/plugins/solace/auth.md | 37 +++++++++++++ .../examples/oauthbearer.yaml | 49 +++++++++++++++++ app/_kong_plugins/confluent-consume/index.md | 4 ++ .../confluent/examples/oauthbearer.yaml | 47 ++++++++++++++++ app/_kong_plugins/confluent/index.md | 4 ++ .../kafka-consume/examples/oauthbearer.yaml | 52 ++++++++++++++++++ app/_kong_plugins/kafka-consume/index.md | 4 ++ .../kafka-log/examples/oauthbearer.yaml | 44 +++++++++++++++ app/_kong_plugins/kafka-log/index.md | 6 +- .../kafka-upstream/examples/oauthbearer.yaml | 44 +++++++++++++++ app/_kong_plugins/kafka-upstream/index.md | 4 ++ .../examples/oauth-client-credentials.yaml | 53 ++++++++++++++++++ app/_kong_plugins/solace-consume/index.md | 7 +++ .../examples/oauth-client-credentials.yaml | 55 +++++++++++++++++++ app/_kong_plugins/solace-log/index.md | 14 +++-- .../examples/configure-solace.yaml | 10 ++-- .../examples/oauth-client-credentials.yaml | 55 +++++++++++++++++++ app/_kong_plugins/solace-upstream/index.md | 4 ++ 20 files changed, 544 insertions(+), 11 deletions(-) create mode 100644 app/_includes/plugins/confluent/auth.md create mode 100644 app/_includes/plugins/kafka/auth.md create mode 100644 app/_includes/plugins/solace/auth.md create mode 100644 app/_kong_plugins/confluent-consume/examples/oauthbearer.yaml create mode 100644 app/_kong_plugins/confluent/examples/oauthbearer.yaml create mode 100644 app/_kong_plugins/kafka-consume/examples/oauthbearer.yaml create mode 100644 app/_kong_plugins/kafka-log/examples/oauthbearer.yaml create mode 100644 app/_kong_plugins/kafka-upstream/examples/oauthbearer.yaml create mode 100644 app/_kong_plugins/solace-consume/examples/oauth-client-credentials.yaml create mode 100644 
app/_kong_plugins/solace-log/examples/oauth-client-credentials.yaml create mode 100644 app/_kong_plugins/solace-upstream/examples/oauth-client-credentials.yaml diff --git a/app/_includes/plugins/confluent/auth.md b/app/_includes/plugins/confluent/auth.md new file mode 100644 index 0000000000..a3f1f6685c --- /dev/null +++ b/app/_includes/plugins/confluent/auth.md @@ -0,0 +1,21 @@ +The plugin supports the following authentication options for Confluent Cloud connections: +{% table %} +columns: + - title: "Auth method" + key: method + - title: Description + key: description + - title: Example + key: example +rows: + - method: "API key (`cluster_api_key` / `cluster_api_secret`)" + description: "Authenticates using a Confluent Cloud API key and secret via SASL/PLAIN." + example: "--" + - method: | + SASL/OAUTHBEARER (`oauthbearer`) {% new_in 3.15 %} + description: | + Authenticates using short-lived OAuth 2.0 access tokens fetched automatically by {{site.base_gateway}}. +

+ {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from the configured `oauthbearer.token_endpoint_url`, caches them until expiry, and presents them in the SASL/OAUTHBEARER handshake. When `oauthbearer` is set, it takes precedence over `cluster_api_key`/`cluster_api_secret`. + example: "[SASL/OAUTHBEARER authentication](./examples/oauthbearer/)" +{% endtable %} diff --git a/app/_includes/plugins/kafka/auth.md b/app/_includes/plugins/kafka/auth.md new file mode 100644 index 0000000000..39a174e665 --- /dev/null +++ b/app/_includes/plugins/kafka/auth.md @@ -0,0 +1,41 @@ +The plugin supports the following SASL authentication mechanisms for broker connections via [`authentication.mechanism`](./reference/#schema--config-authentication-mechanism): +{% table %} +columns: + - title: "Mechanism" + key: mechanism + - title: Description + key: description + - title: Example + key: example +rows: + - mechanism: "`PLAIN`" + description: | + Authenticates using a username and password. +

+ Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`. + example: | + {% if include.slug == "kafka-consume" %}--{% else %}[Plain authentication](./examples/plain-auth/){% endif %} + - mechanism: "`SCRAM-SHA-256`" + description: | + Authenticates using a username and password with SCRAM-SHA-256 hashing. +

+ Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`. + example: | + {% if include.slug == "kafka-consume" %}--{% else %}[SCRAM-SHA-256 authentication](./examples/scram-sha-256/){% endif %} + - mechanism: "`SCRAM-SHA-512`" + description: | + Authenticates using a username and password with SCRAM-SHA-512 hashing. +

+ Set `authentication.strategy` to `sasl` and provide `authentication.user` and `authentication.password`. + example: | + {% if include.slug == "kafka-consume" %}--{% else %}[SCRAM-SHA-512 authentication](./examples/scram-sha-512/){% endif %} + - mechanism: | + `OAUTHBEARER` {% new_in 3.15 %} + description: | + Authenticates using short-lived OAuth 2.0 access tokens fetched automatically by {{site.base_gateway}}. +

+ {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from the configured `authentication.oauthbearer.token_endpoint_url`, caches them until expiry, and presents them in the SASL/OAUTHBEARER handshake. +

+ Requires the `authentication.oauthbearer` block. + example: "[SASL/OAUTHBEARER authentication](./examples/oauthbearer/)" +{% endtable %} diff --git a/app/_includes/plugins/solace/auth.md b/app/_includes/plugins/solace/auth.md new file mode 100644 index 0000000000..9b3f2a51a9 --- /dev/null +++ b/app/_includes/plugins/solace/auth.md @@ -0,0 +1,37 @@ +The plugin supports the following authentication schemes for Solace broker connections through [`session.authentication.scheme`](./reference/#schema--config-session-authentication-scheme): +{% table %} +columns: + - title: "Scheme" + key: scheme + - title: Description + key: description + - title: Example + key: example +rows: + - scheme: "`NONE`" + description: "No authentication." + example: "--" + - scheme: "`BASIC`" + description: | + Authenticates using a username and password. +

+ Provide `session.authentication.username` and `session.authentication.password`, or supply credentials via `session.authentication.basic_auth_header`. + example: | + {% if include.slug == "solace-upstream" %}[Send message to Solace queues with persistent delivery](./examples/configure-solace/){% elsif include.slug == "solace-log" %}[Enable Solace Logging](./examples/enable-solace-log/){% else %}--{% endif %} + - scheme: "`OAUTH2`" + description: | + Authenticates using a static OAuth 2.0 access token. +

+ Provide `session.authentication.access_token` directly, or supply it via `session.authentication.access_token_header`. + The token must be rotated manually when it expires. + example: "--" + - scheme: | + `CLIENT_CREDENTIALS` {% new_in 3.15 %} + description: | + Authenticates using short-lived OAuth 2.0 access tokens fetched and renewed automatically by {{site.base_gateway}}. +

+ {{site.base_gateway}} uses the `client_credentials` grant to retrieve tokens from `session.authentication.client_credentials.token_endpoint`, caches them until expiry, and retries with a fresh token if Solace returns an unauthenticated response. +

+ Requires the `session.authentication.client_credentials` block. + example: "[OAuth 2.0 client credentials authentication](./examples/oauth-client-credentials/)" +{% endtable %} diff --git a/app/_kong_plugins/confluent-consume/examples/oauthbearer.yaml b/app/_kong_plugins/confluent-consume/examples/oauthbearer.yaml new file mode 100644 index 0000000000..e102078b0e --- /dev/null +++ b/app/_kong_plugins/confluent-consume/examples/oauthbearer.yaml @@ -0,0 +1,49 @@ +description: 'Authenticate to Confluent Cloud using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.' + +title: 'SASL/OAUTHBEARER authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Create a Kafka cluster in Confluent Cloud](https://docs.confluent.io/cloud/current/get-started/index.html#step-1-create-a-ak-cluster-in-ccloud)" + - "[Create a Kafka topic in the cluster](https://docs.confluent.io/cloud/current/get-started/index.html#step-2-create-a-ak-topic)" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + +variables: + host: + description: 'The bootstrap server host.' + value: $BOOTSTRAP_SERVER_HOST + topic: + description: 'The name of the Kafka topic to consume from.' + value: $KAFKA_TOPIC + token_endpoint_url: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + bootstrap_servers: + - host: ${host} + port: 9092 + topics: + - name: ${topic} + mode: http-get + oauthbearer: + token_endpoint_url: ${token_endpoint_url} + client_id: ${client_id} + client_secret: ${client_secret} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform 
diff --git a/app/_kong_plugins/confluent-consume/index.md b/app/_kong_plugins/confluent-consume/index.md index 63a20bca60..137ae886f8 100644 --- a/app/_kong_plugins/confluent-consume/index.md +++ b/app/_kong_plugins/confluent-consume/index.md @@ -62,6 +62,10 @@ For more information, see the [Confluent Cloud documentation](https://docs.confl Kong also provides a [plugin for publishing messages to Confluent Cloud](/plugins/confluent/). +## Authentication + +{% include_cached /plugins/confluent/auth.md slug=page.slug %} + ## Implementation details The plugin supports the following modes of operation: diff --git a/app/_kong_plugins/confluent/examples/oauthbearer.yaml b/app/_kong_plugins/confluent/examples/oauthbearer.yaml new file mode 100644 index 0000000000..0116818964 --- /dev/null +++ b/app/_kong_plugins/confluent/examples/oauthbearer.yaml 
@@ -0,0 +1,47 @@ +description: 'Authenticate to Confluent Cloud using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.' + +title: 'SASL/OAUTHBEARER authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Create a Kafka cluster in Confluent Cloud](https://docs.confluent.io/cloud/current/get-started/index.html#step-1-create-a-ak-cluster-in-ccloud)" + - "[Create a Kafka topic in the cluster](https://docs.confluent.io/cloud/current/get-started/index.html#step-2-create-a-ak-topic)" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + +variables: + host: + description: 'The bootstrap server host.' + value: $BOOTSTRAP_SERVER_HOST + topic: + description: 'The name of the Kafka topic.' + value: $KAFKA_TOPIC + token_endpoint_url: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + bootstrap_servers: + - host: ${host} + port: 9092 + topic: ${topic} + oauthbearer: + token_endpoint_url: ${token_endpoint_url} + client_id: ${client_id} + client_secret: ${client_secret} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/confluent/index.md b/app/_kong_plugins/confluent/index.md index d9b78bb58a..cb0c34cb9d 100644 --- a/app/_kong_plugins/confluent/index.md +++ b/app/_kong_plugins/confluent/index.md 
@@ -64,6 +64,10 @@ With Kafka at its core, [Confluent](https://confluent.io) offers complete, fully > * The message format is not customizable. > * {{site.base_gateway}} supports Kafka 4.0 starting from version 3.10. +## Authentication + +{% include_cached /plugins/confluent/auth.md slug=page.slug %} + ## Schema registry support {% new_in 3.11 %} {% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %} \ No newline at end of file diff --git a/app/_kong_plugins/kafka-consume/examples/oauthbearer.yaml b/app/_kong_plugins/kafka-consume/examples/oauthbearer.yaml new file mode 100644 index 0000000000..79e7846522 --- /dev/null +++ b/app/_kong_plugins/kafka-consume/examples/oauthbearer.yaml 
@@ -0,0 +1,52 @@ +description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.' + +title: 'SASL/OAUTHBEARER authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "You have a [Kafka cluster](https://kafka.apache.org/documentation/#quickstart)" + - "You have a [Kafka topic](https://kafka.apache.org/documentation/#quickstart_createtopic) in the cluster" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + +variables: + host: + description: 'The bootstrap server host.' + value: $BOOTSTRAP_SERVER_HOST + topic: + description: 'The name of the Kafka topic to consume from.' + value: $KAFKA_TOPIC + token_endpoint_url: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + bootstrap_servers: + - host: ${host} + port: 9092 + topics: + - name: ${topic} + mode: http-get + authentication: + strategy: sasl + mechanism: OAUTHBEARER + oauthbearer: + token_endpoint_url: ${token_endpoint_url} + client_id: ${client_id} + client_secret: ${client_secret} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/kafka-consume/index.md b/app/_kong_plugins/kafka-consume/index.md index 6e2eea36b6..8a222797fc 100644 --- a/app/_kong_plugins/kafka-consume/index.md +++ b/app/_kong_plugins/kafka-consume/index.md 
@@ -105,3 +105,7 @@ In traditional mode, {{site.base_gateway}} will log an error-level message at st In DB-less mode, if the declarative configuration file contains a `kafka-consume` plugin scoped to a Service, {{site.base_gateway}} will fail to start. In this case, you must update the declarative configuration before restarting {{site.base_gateway}}. In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in PostgreSQL, upgrading and restarting the control plane will succeed. However, before updating the data plane, you must update the plugin configuration. Otherwise, once the data plane is upgraded and restarted, it will fail to sync the configuration due to validation errors. + +## Authentication + +{% include_cached /plugins/kafka/auth.md slug=page.slug %} diff --git a/app/_kong_plugins/kafka-log/examples/oauthbearer.yaml b/app/_kong_plugins/kafka-log/examples/oauthbearer.yaml new file mode 100644 index 0000000000..071884ddd5 --- /dev/null +++ b/app/_kong_plugins/kafka-log/examples/oauthbearer.yaml 
@@ -0,0 +1,44 @@ +description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.' + +title: 'SASL/OAUTHBEARER authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Kafka installed](https://kafka.apache.org/quickstart#quickstart_download) and running" + - "[Create a Kafka topic](https://kafka.apache.org/quickstart#quickstart_createtopic)" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + +variables: + topic: + description: 'The name of your Kafka topic.' + value: $KAFKA_TOPIC + token_endpoint_url: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + topic: ${topic} + authentication: + strategy: sasl + mechanism: OAUTHBEARER + oauthbearer: + token_endpoint_url: ${token_endpoint_url} + client_id: ${client_id} + client_secret: ${client_secret} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/kafka-log/index.md b/app/_kong_plugins/kafka-log/index.md index 3cf10564a2..2f616d9104 100644 --- a/app/_kong_plugins/kafka-log/index.md +++ b/app/_kong_plugins/kafka-log/index.md @@ -81,4 +81,8 @@ slug=page.slug %} ## Schema registry support {% new_in 3.11 %} -{% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %} \ No newline at end of file +{% include_cached /plugins/confluent-kafka-consume/schema-registry.md name=page.name slug=page.slug workflow='producer' %} + +## Authentication + +{% include_cached /plugins/kafka/auth.md slug=page.slug %} \ No newline at end of file 
diff --git a/app/_kong_plugins/kafka-upstream/examples/oauthbearer.yaml b/app/_kong_plugins/kafka-upstream/examples/oauthbearer.yaml new file mode 100644 index 0000000000..071884ddd5 --- /dev/null +++ b/app/_kong_plugins/kafka-upstream/examples/oauthbearer.yaml @@ -0,0 +1,44 @@ +description: 'Authenticate to a Kafka broker using SASL/OAUTHBEARER. {{site.base_gateway}} fetches and renews OAuth 2.0 access tokens automatically using the client credentials grant.' + +title: 'SASL/OAUTHBEARER authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Kafka installed](https://kafka.apache.org/quickstart#quickstart_download) and running" + - "[Create a Kafka topic](https://kafka.apache.org/quickstart#quickstart_createtopic)" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + +variables: + topic: + description: 'The name of your Kafka topic.' + value: $KAFKA_TOPIC + token_endpoint_url: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + topic: ${topic} + authentication: + strategy: sasl + mechanism: OAUTHBEARER + oauthbearer: + token_endpoint_url: ${token_endpoint_url} + client_id: ${client_id} + client_secret: ${client_secret} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/kafka-upstream/index.md b/app/_kong_plugins/kafka-upstream/index.md index af21686968..677b748ec6 100644 --- a/app/_kong_plugins/kafka-upstream/index.md +++ b/app/_kong_plugins/kafka-upstream/index.md @@ -72,3 +72,7 @@ Known limitations: 1. Message compression is not supported. 1. In {{site.base_gateway}} 3.9 or earlier, the message format is not customizable. + +## Authentication + +{% include_cached /plugins/kafka/auth.md slug=page.slug %} 
diff --git a/app/_kong_plugins/solace-consume/examples/oauth-client-credentials.yaml b/app/_kong_plugins/solace-consume/examples/oauth-client-credentials.yaml new file mode 100644 index 0000000000..6ae9e64eb4 --- /dev/null +++ b/app/_kong_plugins/solace-consume/examples/oauth-client-credentials.yaml @@ -0,0 +1,53 @@ +description: 'Authenticate to a Solace broker using OAuth 2.0 client credentials. {{site.base_gateway}} fetches and renews access tokens automatically.' + +title: 'OAuth 2.0 client credentials authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Solace installed](https://docs.solace.com/API/API-Developer-Guide/Installation.htm) and running" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + - "The Solace broker configured to accept OAuth 2.0 tokens" + +variables: + host: + description: 'The [IPv4 or IPv6 address or hostname](https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry) of the Solace broker. Use a TLS listener, for example `tcps://127.0.0.1:55443`.' + value: SOLACE_HOST + queue: + description: 'The name of the Solace queue to consume from.' + value: SOLACE_QUEUE + token_endpoint: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + session: + host: ${host} + vpn_name: default + ssl_validate_certificate: true + authentication: + scheme: CLIENT_CREDENTIALS + client_credentials: + token_endpoint: ${token_endpoint} + client_id: ${client_id} + client_secret: ${client_secret} + eagerly_expire: 5 + flow: + binds: + - name: ${queue} + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/solace-consume/index.md b/app/_kong_plugins/solace-consume/index.md index cde70d492e..ce514cd465 100644 
--- a/app/_kong_plugins/solace-consume/index.md +++ b/app/_kong_plugins/solace-consume/index.md @@ -133,6 +133,9 @@ rows: desc: "Enable SSL validation." - example: "[URI capture](./examples/uri-capture/)" desc: "Capture the URI of the request and use it as the message destination name." + - example: | + [OAuth 2.0 client credentials](./examples/oauth-client-credentials/) {% new_in 3.15 %} + desc: "Authenticate to a Solace broker using the `CLIENT_CREDENTIALS` scheme, with Kong fetching and renewing OAuth 2.0 tokens automatically." {% endtable %} ## Implementation details @@ -150,3 +153,7 @@ The plugin supports the following modes of operation: ### Message delivery guarantees {% include /plugins/confluent-kafka-consume/message-delivery.md %} + +## Authentication + +{% include_cached /plugins/solace/auth.md slug=page.slug %} diff --git a/app/_kong_plugins/solace-log/examples/oauth-client-credentials.yaml b/app/_kong_plugins/solace-log/examples/oauth-client-credentials.yaml new file mode 100644 index 0000000000..560208d579 --- /dev/null +++ b/app/_kong_plugins/solace-log/examples/oauth-client-credentials.yaml 
@@ -0,0 +1,55 @@ +description: 'Authenticate to a Solace broker using OAuth 2.0 client credentials. {{site.base_gateway}} fetches and renews access tokens automatically.' + +title: 'OAuth 2.0 client credentials authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Solace installed](https://docs.solace.com/API/API-Developer-Guide/Installation.htm) and running" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + - "The Solace broker configured to accept OAuth 2.0 tokens" + +variables: + host: + description: 'The [IPv4 or IPv6 address or hostname](https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry) of the Solace broker. Use a TLS listener, for example `tcps://127.0.0.1:55443`.' + value: SOLACE_HOST + destination: + description: 'The name of the Solace queue or topic to publish logs to.' + value: SOLACE_DESTINATION + token_endpoint: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + session: + host: ${host} + vpn_name: default + ssl_validate_certificate: true + authentication: + scheme: CLIENT_CREDENTIALS + client_credentials: + token_endpoint: ${token_endpoint} + client_id: ${client_id} + client_secret: ${client_secret} + eagerly_expire: 5 + message: + destinations: + - name: ${destination} + type: QUEUE + delivery_mode: PERSISTENT + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/solace-log/index.md b/app/_kong_plugins/solace-log/index.md index cd777d33ed..36b9d19485 100644 --- a/app/_kong_plugins/solace-log/index.md +++ b/app/_kong_plugins/solace-log/index.md 
@@ -78,9 +78,13 @@ If the [custom Lua code](#custom-fields-by-lua) associated with the log fields f ## Custom fields by Lua -{% include /plugins/logging/log-custom-fields-by-lua.md -custom_fields_by_lua='config.message.custom_fields_by_lua' -custom_fields_by_lua_slug='config-message-custom-fields-by-lua' -custom_fields_by_lua_name='custom_fields_by_lua' -name=page.name +{% include /plugins/logging/log-custom-fields-by-lua.md +custom_fields_by_lua='config.message.custom_fields_by_lua' +custom_fields_by_lua_slug='config-message-custom-fields-by-lua' +custom_fields_by_lua_name='custom_fields_by_lua' +name=page.name slug=page.slug %} + +## Authentication + +{% include_cached /plugins/solace/auth.md slug=page.slug %} diff --git a/app/_kong_plugins/solace-upstream/examples/configure-solace.yaml b/app/_kong_plugins/solace-upstream/examples/configure-solace.yaml index 7f373d60ab..3b6f046457 100644 --- a/app/_kong_plugins/solace-upstream/examples/configure-solace.yaml +++ b/app/_kong_plugins/solace-upstream/examples/configure-solace.yaml @@ -16,19 +16,19 @@ weight: 900 variables: host: description: 'The [IPv4 or IPv6 address or hostname](https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry) of the Solace broker to connect to. For example, `tcp://127.0.0.1:55555`.' - value: SOLACE_HOST + value: $SOLACE_HOST username: description: 'The username used with `BASIC` authentication scheme when connecting to an event broker.' - value: SOLACE_USERNAME + value: $SOLACE_USERNAME password: description: 'The password used with `BASIC` authentication scheme when connecting to an event broker.' - value: SOLACE_PASSWORD + value: $SOLACE_PASSWORD queue1: description: 'The name of the first destination queue.' - value: QUEUE_NAME + value: $QUEUE_NAME queue2: description: 'The name of the second destination queue.' - value: ANOTHER_QUEUE_NAME + value: $ANOTHER_QUEUE_NAME config: session: 
diff --git a/app/_kong_plugins/solace-upstream/examples/oauth-client-credentials.yaml b/app/_kong_plugins/solace-upstream/examples/oauth-client-credentials.yaml new file mode 100644 index 0000000000..6b1f84a938 --- /dev/null +++ b/app/_kong_plugins/solace-upstream/examples/oauth-client-credentials.yaml @@ -0,0 +1,55 @@ +description: 'Authenticate to a Solace broker using OAuth 2.0 client credentials. {{site.base_gateway}} fetches and renews access tokens automatically.' + +title: 'OAuth 2.0 client credentials authentication' + +weight: 900 + +min_version: + gateway: '3.15' + +requirements: + - "[Solace installed](https://docs.solace.com/API/API-Developer-Guide/Installation.htm) and running" + - "An OAuth 2.0 identity provider that supports the client credentials grant" + - "The Solace broker configured to accept OAuth 2.0 tokens" + +variables: + host: + description: 'The [IPv4 or IPv6 address or hostname](https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry) of the Solace broker. Use a TLS listener, for example `tcps://127.0.0.1:55443`.' + value: SOLACE_HOST + topic: + description: 'The name of the Solace topic to publish to.' + value: SOLACE_TOPIC + token_endpoint: + description: 'The URL of the OAuth 2.0 token endpoint.' + value: $TOKEN_ENDPOINT_URL + client_id: + description: 'The OAuth 2.0 client ID.' + value: $CLIENT_ID + client_secret: + description: 'The OAuth 2.0 client secret.' + value: $CLIENT_SECRET + +config: + session: + host: ${host} + vpn_name: default + ssl_validate_certificate: true + authentication: + scheme: CLIENT_CREDENTIALS + client_credentials: + token_endpoint: ${token_endpoint} + client_id: ${client_id} + client_secret: ${client_secret} + eagerly_expire: 5 + message: + destinations: + - name: ${topic} + type: TOPIC + delivery_mode: DIRECT + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform 
diff --git a/app/_kong_plugins/solace-upstream/index.md b/app/_kong_plugins/solace-upstream/index.md index 9c9f4a19b6..5414b855b4 100644 --- a/app/_kong_plugins/solace-upstream/index.md +++ b/app/_kong_plugins/solace-upstream/index.md @@ -62,3 +62,7 @@ When encoding request bodies, several things happen: then the body will be base64-encoded to ensure that the message can be sent as JSON. In such a case, the message has an extra attribute called `body_base64` set to `true`. +## Authentication + +{% include_cached /plugins/solace/auth.md slug=page.slug %} + From a3c977a81b1d6b23469dd95785df6723e140ef85 Mon Sep 17 00:00:00 2001 From: lena-larionova Date: Wed, 17 Jun 2026 21:03:29 -0700 Subject: [PATCH 2/3] add plugin name to table intro to make the intro less awkward --- app/_includes/plugins/confluent/auth.md | 2 +- app/_includes/plugins/kafka/auth.md | 2 +- app/_includes/plugins/solace/auth.md | 2 +- app/_kong_plugins/confluent-consume/index.md | 2 +- app/_kong_plugins/confluent/index.md | 2 +- app/_kong_plugins/kafka-consume/index.md | 2 +- app/_kong_plugins/kafka-log/index.md | 2 +- app/_kong_plugins/kafka-upstream/index.md | 2 +- app/_kong_plugins/solace-consume/index.md | 2 +- app/_kong_plugins/solace-log/index.md | 2 +- app/_kong_plugins/solace-upstream/index.md | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/app/_includes/plugins/confluent/auth.md b/app/_includes/plugins/confluent/auth.md index a3f1f6685c..bc0047f5da 100644 --- a/app/_includes/plugins/confluent/auth.md +++ b/app/_includes/plugins/confluent/auth.md @@ -1,4 +1,4 @@ -The plugin supports the following authentication options for Confluent Cloud connections: +The {{include.name}} plugin supports the following authentication options for Confluent Cloud connections: {% table %} columns: - title: "Auth method" diff --git a/app/_includes/plugins/kafka/auth.md b/app/_includes/plugins/kafka/auth.md index 39a174e665..9160d7172f 100644 --- a/app/_includes/plugins/kafka/auth.md 
+++ b/app/_includes/plugins/kafka/auth.md @@ -1,4 +1,4 @@ -The plugin supports the following SASL authentication mechanisms for broker connections via [`authentication.mechanism`](./reference/#schema--config-authentication-mechanism): +The {{include.name}} plugin supports the following SASL authentication mechanisms for broker connections via [`authentication.mechanism`](./reference/#schema--config-authentication-mechanism): {% table %} columns: - title: "Mechanism" diff --git a/app/_includes/plugins/solace/auth.md b/app/_includes/plugins/solace/auth.md index 9b3f2a51a9..d82d2911e9 100644 --- a/app/_includes/plugins/solace/auth.md +++ b/app/_includes/plugins/solace/auth.md @@ -1,4 +1,4 @@ -The plugin supports the following authentication schemes for Solace broker connections through [`session.authentication.scheme`](./reference/#schema--config-session-authentication-scheme): +The {{include.name}} plugin supports the following authentication schemes for Solace broker connections through [`session.authentication.scheme`](./reference/#schema--config-session-authentication-scheme): {% table %} columns: - title: "Scheme" diff --git a/app/_kong_plugins/confluent-consume/index.md b/app/_kong_plugins/confluent-consume/index.md index 137ae886f8..8db0dfd657 100644 --- a/app/_kong_plugins/confluent-consume/index.md +++ b/app/_kong_plugins/confluent-consume/index.md @@ -64,7 +64,7 @@ Kong also provides a [plugin for publishing messages to Confluent Cloud](/plugin ## Authentication -{% include_cached /plugins/confluent/auth.md slug=page.slug %} +{% include_cached /plugins/confluent/auth.md slug=page.slug name=page.name %} ## Implementation details diff --git a/app/_kong_plugins/confluent/index.md b/app/_kong_plugins/confluent/index.md index cb0c34cb9d..6310f07589 100644 --- a/app/_kong_plugins/confluent/index.md +++ b/app/_kong_plugins/confluent/index.md 
@@ -66,7 +66,7 @@ With Kafka at its core, [Confluent](https://confluent.io) offers complete, fully ## Authentication -{% include_cached /plugins/confluent/auth.md slug=page.slug %} +{% include_cached /plugins/confluent/auth.md slug=page.slug name=page.name %} ## Schema registry support {% new_in 3.11 %} diff --git a/app/_kong_plugins/kafka-consume/index.md b/app/_kong_plugins/kafka-consume/index.md index 8a222797fc..ef792752d6 100644 --- a/app/_kong_plugins/kafka-consume/index.md +++ b/app/_kong_plugins/kafka-consume/index.md @@ -108,4 +108,4 @@ In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in Postgr ## Authentication -{% include_cached /plugins/kafka/auth.md slug=page.slug %} +{% include_cached /plugins/kafka/auth.md slug=page.slug name=page.name %} diff --git a/app/_kong_plugins/kafka-log/index.md b/app/_kong_plugins/kafka-log/index.md index 2f616d9104..ce5ecf5532 100644 --- a/app/_kong_plugins/kafka-log/index.md +++ b/app/_kong_plugins/kafka-log/index.md @@ -85,4 +85,4 @@ slug=page.slug %} ## Authentication -{% include_cached /plugins/kafka/auth.md slug=page.slug %} \ No newline at end of file +{% include_cached /plugins/kafka/auth.md slug=page.slug name=page.name %} \ No newline at end of file diff --git a/app/_kong_plugins/kafka-upstream/index.md b/app/_kong_plugins/kafka-upstream/index.md index 677b748ec6..033629a3c1 100644 --- a/app/_kong_plugins/kafka-upstream/index.md +++ b/app/_kong_plugins/kafka-upstream/index.md @@ -75,4 +75,4 @@ Known limitations: ## Authentication -{% include_cached /plugins/kafka/auth.md slug=page.slug %} +{% include_cached /plugins/kafka/auth.md slug=page.slug name=page.name %} diff --git a/app/_kong_plugins/solace-consume/index.md b/app/_kong_plugins/solace-consume/index.md index ce514cd465..06ba30b750 100644 --- a/app/_kong_plugins/solace-consume/index.md +++ b/app/_kong_plugins/solace-consume/index.md 
@@ -156,4 +156,4 @@ The plugin supports the following modes of operation: ## Authentication -{% include_cached /plugins/solace/auth.md slug=page.slug %} +{% include_cached /plugins/solace/auth.md slug=page.slug name=page.name %} diff --git a/app/_kong_plugins/solace-log/index.md b/app/_kong_plugins/solace-log/index.md index 36b9d19485..035a0ff2e0 100644 --- a/app/_kong_plugins/solace-log/index.md +++ b/app/_kong_plugins/solace-log/index.md @@ -87,4 +87,4 @@ slug=page.slug %} ## Authentication -{% include_cached /plugins/solace/auth.md slug=page.slug %} +{% include_cached /plugins/solace/auth.md slug=page.slug name=page.name %} diff --git a/app/_kong_plugins/solace-upstream/index.md b/app/_kong_plugins/solace-upstream/index.md index 5414b855b4..5dc724b3f6 100644 --- a/app/_kong_plugins/solace-upstream/index.md +++ b/app/_kong_plugins/solace-upstream/index.md @@ -64,5 +64,5 @@ When encoding request bodies, several things happen: ## Authentication -{% include_cached /plugins/solace/auth.md slug=page.slug %} +{% include_cached /plugins/solace/auth.md slug=page.slug name=page.name %} From aae1ec93aec8d1c0ab95838c205a52e1e65b7413 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 18 Jun 2026 09:08:12 -0700 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Julia <101819212+juliamrch@users.noreply.github.com> --- app/_kong_plugins/kafka-consume/index.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/app/_kong_plugins/kafka-consume/index.md b/app/_kong_plugins/kafka-consume/index.md index ef792752d6..89effaeaf4 100644 --- a/app/_kong_plugins/kafka-consume/index.md +++ b/app/_kong_plugins/kafka-consume/index.md 
@@ -102,9 +102,14 @@ If you try to scope this plugin to a Service on a fresh {{site.base_gateway}} in In traditional mode, {{site.base_gateway}} will log an error-level message at startup if a `kafka-consume` plugin scoped to a Service is detected. The plugin configuration must be updated after startup. Until the configuration is updated, requests to the previous plugin URL will continue to be forwarded to the upstream Service, and responses will be returned to the downstream client as before. -In DB-less mode, if the declarative configuration file contains a `kafka-consume` plugin scoped to a Service, {{site.base_gateway}} will fail to start. In this case, you must update the declarative configuration before restarting {{site.base_gateway}}. +In DB-less mode, if the declarative configuration file contains a `kafka-consume` plugin scoped to a Service, {{site.base_gateway}} will fail to start. In this case, proceed as follows: -In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in PostgreSQL, upgrading and restarting the control plane will succeed. However, before updating the data plane, you must update the plugin configuration. Otherwise, once the data plane is upgraded and restarted, it will fail to sync the configuration due to validation errors. +1. Update the declarative configuration 1. Restart {{site.base_gateway}}. + +In hybrid mode, if a `kafka-consume` plugin scoped to a Service exists in PostgreSQL, upgrading and restarting the control plane will succeed. Then, to avoid validation errors on sync, follow these steps: + +1. Update the plugin configuration. +1. Update and restart the data plane. ## Authentication
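Review bot: In `app/_includes/plugins/kafka/auth.md` and `app/_includes/plugins/solace/auth.md`, the new `{{include.name}}` has no fallback, so a caller that omits `name=`, or a page whose front matter has no `name`, renders "The  plugin supports the following ..." with a gap where the name should be. Every `include_cached` call touched in this patch passes `name=page.name`, but the front matter of those pages is not part of the diff, so please confirm each one defines `name`. Consider guarding the include with `{% if include.name %}` or a `default` filter so the sentence still reads correctly when the parameter is missing.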
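Review bot: In `app/_kong_plugins/kafka-log/index.md`, the rewritten `include_cached` line still carries `\ No newline at end of file` on both the removed and the added side. Since this line is being changed anyway, end the file with a newline so it matches the other plugin index pages in this patch, none of which show that marker.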
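Review bot: In the `kafka-consume/index.md` hunk of PATCH 3/3, the DB-less steps were added as a single line, `+1. Update the declarative configuration 1. Restart {{site.base_gateway}}.`, so Markdown will render one list item containing a stray "1." instead of two steps. Split it into two `1.` lines and end the first step with a period, as the hybrid-mode list directly below already does. Also, the hybrid-mode step reads "Update and restart the data plane" where the removed text said the data plane is "upgraded and restarted"; keep "upgrade" for the gateway version change so it is not confused with the "Update the plugin configuration" step just above it.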