Merge branch 'release/v2.1.14' into main

github-actions · github-actions · commit b2ebda022ec8 · 2025-02-13T18:42:41.000Z
diff --git a/deploy-versions.json b/deploy-versions.json
@@ -1 +1 @@
-[{"text":"Latest","icon":"fas fa-home","key":"latest","tag":"v2.1.13"}]
+[{"text":"Latest","icon":"fas fa-home","key":"latest","tag":"v2.1.14"}]
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "zilla-docs",
   "type": "module",
-  "version": "2.1.13",
+  "version": "2.1.14",
   "description": "The official documentation for the aklivity/zilla open-source project",
   "keywords": [],
   "author": "aklivity.io",
diff --git a/src/.vuepress/public/many_to_one.png b/src/.vuepress/public/many_to_one.png
diff --git a/src/.vuepress/public/one_to_many.png b/src/.vuepress/public/one_to_many.png
diff --git a/src/.vuepress/public/secure_private_access.png b/src/.vuepress/public/secure_private_access.png
diff --git a/src/.vuepress/sidebar/en.ts b/src/.vuepress/sidebar/en.ts
@@ -111,6 +111,10 @@ export const enSidebar = sidebar({
           prefix: "how-tos/amazon-msk/secure-public-access/",
           link: "how-tos/amazon-msk/secure-public-access/production.md",
           children: [
+            {
+              text: "CDK",
+              link: "https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-public-access",
+            },
             {
               text: "Terraform",
               link: "https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdktf/secure-public-access",
@@ -143,6 +147,26 @@ export const enSidebar = sidebar({
         },
       ],
     },
+    {
+      text: "Secure Private Access",
+      icon: "aky-zilla-plus",
+      children: [
+        {
+          text: "Deployment Options",
+          link: "concepts/kafka-proxies/secure-private-access.md",
+          children: [],
+        },
+        {
+          text: "Amazon MSK",
+          children: [
+            {
+              text: "CDK",
+              link: "https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-private-access",
+            },
+          ],
+        },
+      ],
+    },
     {
       text: "IoT Ingest and Control",
       icon: "aky-zilla-plus",
@@ -401,6 +425,12 @@ export const enSidebar = sidebar({
           link: "solutions/concepts/kafka-proxies/secure-public-access.md",
           children: [],
         },
+        {
+          text: "Secure Private Access on AWS",
+          icon: "aky-zilla-plus",
+          link: "solutions/concepts/kafka-proxies/secure-private-access.md",
+          children: [],
+        },
         {
           text: "IoT Ingest and Control on AWS",
           icon: "aky-zilla-plus",
diff --git a/src/cookbooks/mqtt.kafka.broker/zilla.yaml b/src/cookbooks/mqtt.kafka.broker/zilla.yaml
@@ -72,6 +72,7 @@ bindings:
               - topic: device/#
         with:
           messages: mqtt-devices
+        exit: north_kafka_cache_client
     #endregion device_mapping
 
   #region kafka_sync
diff --git a/src/how-tos/connecting-to-kafka/amazon-msk.md b/src/how-tos/connecting-to-kafka/amazon-msk.md
@@ -11,7 +11,7 @@ Unlike other hosted Kafka services, Amazon MSK is not readily reachable over the
 "Public Access" can be turned on for MSK clusters running Apache Kafka 2.6.0 or later. Follow the MSK [Public Access Guide](https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html)to do so.
 
 ::: warning
-MSK's “Public Access” feature directly exposes your brokers to the internet, which may present additional security concerns. An alternative and more flexible solution is the [Secure Public Access](../../solutions/concepts/kafka-proxies/secure-public-access.md) solution using [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44). The solution acts as intermediary that securely routes connectivity between external clients and MSK brokers without having to modify the brokers.
+MSK's “Public Access” feature directly exposes your brokers to the internet, which may present additional security concerns. An alternative and more flexible solution is the [Secure Public Access](../../solutions/concepts/kafka-proxies/secure-public-access.md) solution using [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44). The solution acts as intermediary that securely routes connectivity between external clients and MSK brokers without having to modify the broker configuration. Specifically, no broker configuration change is needed for advertised listeners.
 :::
 
 ## Set up mTLS Authentication between MSK and Zilla
diff --git a/src/reference/config/catalogs/.partials/options-schema-registry.md b/src/reference/config/catalogs/.partials/options-schema-registry.md
@@ -21,3 +21,59 @@ Schema context represents an independent scope in the Schema Registry.
 > `integer` | Default: `300`
 
 The maximum duration in seconds to keep a cached schema before fetching the schema again.
+
+#### options.tls
+
+> `object`
+
+TLS configuration for connecting to secure Schema Registry. A configured `vault` is required to manage the keys and certificates necessary for TLS authentication.
+
+```yaml {2}
+tls:
+  trust:
+    - serverca
+  keys:
+    - client1
+```
+
+##### options.tls.keys
+
+> `array` of `string`
+
+A list of reference names for the Vault key.
+
+##### options.tls.trust
+
+> `array` of `string`
+
+A list of reference names for the Vault certificate.
+
+##### options.tls.trustcacerts
+
+> `boolean`
+
+Trust CA certificates. When the this property is not explicitly set it will be automatically set to `true` if [options.tls.trust](#options-tls-trust) is `null`.
+
+#### options.credentials
+
+> `object`
+
+Configures the credentials used to authenticate the user.
+
+```yaml {2}
+credentials:
+  headers:
+    authorization: Basic dXNlcjpzZWNyZXQ=
+```
+
+##### options.credentials.headers
+
+> `object`
+
+Authentication headers to be included in requests to the Schema Registry.
+
+###### options.credentials.headers.authorization
+
+> `string`
+
+The authorization header for authenticating API requests. For example, use a Basic token or Bearer token format.
diff --git a/src/reference/config/catalogs/confluent-schema-registry.md b/src/reference/config/catalogs/confluent-schema-registry.md
@@ -27,4 +27,5 @@ catalog:
 
 ## Configuration (\* required)
 
+<!-- @include: ../bindings/.partials/vault.md -->
 <!-- @include: ./.partials/options-schema-registry.md -->
diff --git a/src/reference/config/catalogs/karapace-schema-registry.md b/src/reference/config/catalogs/karapace-schema-registry.md
@@ -24,4 +24,5 @@ catalog:
 
 ## Configuration (\* required)
 
+<!-- @include: ../bindings/.partials/vault.md -->
 <!-- @include: ./.partials/options-schema-registry.md -->
diff --git a/src/solutions/concepts/kafka-proxies/secure-private-access.md b/src/solutions/concepts/kafka-proxies/secure-private-access.md
@@ -0,0 +1,48 @@
+---
+icon: aky-zilla-plus
+description: Securely access your Kafka cluster via the intranet.
+---
+
+# Secure Private Access
+
+[Available in <ZillaPlus/>](https://www.aklivity.io/products/zilla-plus)
+{.zilla-plus-badge .hint-container .info}
+
+The [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44) Secure Private Access proxy enables authorized Kafka clients deployed across **cross-account VPCs** to securely connect, publish messages, and subscribe to topics in your Amazon MSK Serverless cluster.
+
+This setup establishes a fully private, secure, and scalable communication channel between Kafka clients and the Amazon MSK cluster by leveraging **<ZillaPlus/>** proxy.
+
+**<ZillaPlus/>:** An auto-scaling, stateless proxy layer deployed in a private VPC that handles authentication and routing of Kafka requests.
+
+![Secure Private Access Overview](/secure_private_access.png)
+
+## Key Features
+
+- Seamless MSK Serverless Connectivity across **Cross-Account VPCs**.
+- **Custom Wildcard DNS** & Route 53 Hosted Zone Integration.
+- **Unified Domain Name** for Kafka clients, streamlining configuration.
+- **Eliminates** the need to **manually whitelist** each bootstrap endpoint to enable access.
+- Seamless end-to-end **TLS** handshake.
+- **Auto-Scaling** <ZillaPlus/> Instances.
+- Deployed behind a **Network Load Balancer** for high availability and efficient request routing.
+- Integrates with **AWS Nitro Enclaves**, enabling automated certificate renewal.
+
+### Many-to-One Private Access
+
+Multiple Kafka clients from different cross-account VPCs securely connect to a single Amazon MSK Serverless cluster. This approach simplifies multi-tenant access and ensures a unified, private connectivity model.
+
+![Many to One Private Access Overview](/many_to_one.png)
+
+### One-to-Many Private Access
+
+Enables Kafka clients to securely access multiple Amazon MSK Serverless clusters deployed across different VPCs.
+
+![One to Many Private Access Overview](/one_to_many.png)
+
+You will need to choose a wildcard DNS pattern to use for intranet access to the brokers in your Kafka cluster. These wildcard DNS names must resolve to the IP address of the VPC Endpoint in the client VPC, which then routes traffic via the VPC Endpoint Service to the ZillaPlus Network Load Balancer (NLB).
+
+Additionally, the <ZillaPlus/> proxy must also be configured with a TLS server certificate representing the same wildcard DNS pattern.
+
+## Deploy with CDK
+
+Follow the [Secure Private Access with CDK](https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-private-access) guide to generate or deploy a custom AWS CDK stack.
diff --git a/src/solutions/concepts/kafka-proxies/secure-public-access.md b/src/solutions/concepts/kafka-proxies/secure-public-access.md
@@ -11,7 +11,7 @@ description: Securely access your Kafka cluster via the internet.
 [Available in <ZillaPlus/>](https://www.aklivity.io/products/zilla-plus)
 {.zilla-plus-badge .hint-container .info}
 
-The [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44) Secure Public Access Proxy lets authorized Kafka clients connect, publish messages and subscribe to topics in your Amazon MSK cluster via the internet.
+The [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44) Secure Public Access proxy lets authorized Kafka clients connect, publish messages and subscribe to topics in your Amazon MSK cluster via the internet.
 
 By automating the configuration of an internet-facing network load balancer and auto-scaling group of stateless Secure Public Access proxies to expose your MSK cluster via the public internet, Kafka clients can connect, publish messages and subscribe to topics in your Amazon MSK cluster from outside AWS.
 
@@ -23,6 +23,10 @@ The <ZillaPlus/> proxy can securely expose any Kafka cluster with these deployme
 
 The [Zilla Plus for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44) Secure Public Access proxy lets authorized Kafka clients connect, publish messages and subscribe to topics in your Amazon MSK cluster via the internet.
 
+### Deploy with CDK
+
+Follow the [Secure Public Access with CDK](https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-public-access) guide to generate or deploy a custom AWS CDK stack, enabling `IAM access control`, `SASL/SCRAM authentication`, `Mutual TLS (mTLS) authentication` or `Unauthorized access` to setup connectivity to your MSK cluster using a wildcard DNS pattern.
+
 ### Deploy with Terraform
 
 Follow the [Secure Public Access with Terraform](https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdktf/secure-public-access) guide to generated or deploy a custom Terraform template using [CDKTF](https://developer.hashicorp.com/terraform/cdktf). This Terraform script can be configured to deploy `SASL/SCRAM authentication`, `Mutual TLS (mTLS) authentication` or `Unauthorized access` to setup connectivity to your MSK cluster with a wildcard DNS pattern.

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-[{"text":"Latest","icon":"fas fa-home","key":"latest","tag":"v2.1.13"}]`
	`1`	`+[{"text":"Latest","icon":"fas fa-home","key":"latest","tag":"v2.1.14"}]`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "zilla-docs",`
`3`	`3`	`"type": "module",`
`4`		`- "version": "2.1.13",`
	`4`	`+ "version": "2.1.14",`
`5`	`5`	`"description": "The official documentation for the aklivity/zilla open-source project",`
`6`	`6`	`"keywords": [],`
`7`	`7`	`"author": "aklivity.io",`
Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,5 @@ catalog:`
`27`	`27`
`28`	`28`	`## Configuration (\* required)`
`29`	`29`
	`30`	`+<!-- @include: ../bindings/.partials/vault.md -->`
`30`	`31`	`<!-- @include: ./.partials/options-schema-registry.md -->`