From Vault release 4.0, the Vault Installer supports the automatic creation of Kafka ACLs (Access Control Lists) and deletion of ACLs that are no longer required. These comprise coarse-grained ACLs applicable to Vault principals, topics and consumer groups, created during a Vault installation.
The Vault Installer will create ACLs for Vault services users only; you cannot use it for creating custom ACLs for your services.
You can create Kafka ACLs manually; however, we recommend automatic creation through the installer. The manual process uses the release.json (Vault 4.4 onwards) or kafka_principals_info.json (Vault 3.0 onwards) release artifact. Both are documented in the Vault installation guide and serve as an audit reference for the ACLs that the kafka-init installer component will create.
If you create Kafka ACLs manually, every Vault upgrade carries an additional burden and risk: an upgrade may introduce new services that require new ACL rules, and those services will not function until the corresponding rules are in place.
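As an added illustration of using the release artifact as an audit reference (this is not Thought Machine's code; the EXPECTED structure is a constructed stand-in, not the real release.json or kafka_principals_info.json schema, and the principals and topics are hypothetical), the following drift check compares the ACLs a release declares with a `kafka-acls --list` style listing and reports rules that are missing after an upgrade and rules that are no longer required:

```python
"""Drift check: ACLs the installer's release artifact declares vs. ACLs a
Kafka cluster currently holds. Added example, not Thought Machine code.
EXPECTED is a constructed, simplified stand-in, NOT the real release.json or
kafka_principals_info.json schema; the listing is a constructed sample in
the layout printed by `kafka-acls --list`."""
import re

# Hypothetical Vault service principals and the resources they need.
EXPECTED = [
    {"principal": "User:vault-svc-a", "type": "TOPIC", "name": "vault.events", "ops": ["READ", "DESCRIBE"]},
    {"principal": "User:vault-svc-a", "type": "GROUP", "name": "vault-svc-a", "ops": ["READ"]},
    {"principal": "User:vault-svc-b", "type": "TOPIC", "name": "vault.events", "ops": ["WRITE", "DESCRIBE"]},
]

# Constructed cluster state: svc-b's WRITE was never created (e.g. a new
# service after an upgrade) and an ACL for a retired principal lingers.
CURRENT_ACL_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=vault.events, patternType=LITERAL)`:
 \t(principal=User:vault-svc-a, host=*, operation=READ, permissionType=ALLOW)
 \t(principal=User:vault-svc-a, host=*, operation=DESCRIBE, permissionType=ALLOW)
 \t(principal=User:vault-svc-b, host=*, operation=DESCRIBE, permissionType=ALLOW)
 \t(principal=User:old-svc, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=vault-svc-a, patternType=LITERAL)`:
 \t(principal=User:vault-svc-a, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=")
# Only ALLOW entries are compared; DENY rules would need separate handling.
ACL_RE = re.compile(r"principal=([^,]+), host=[^,]+, operation=(\w+), permissionType=ALLOW")

def expected_acls(spec):
    """Flatten the spec into (principal, resource type, name, operation)."""
    return {(e["principal"], e["type"], e["name"], op) for e in spec for op in e["ops"]}

def parse_acl_listing(text):
    """Parse `kafka-acls --list` style output into the same tuple form."""
    acls, resource = set(), None
    for line in text.splitlines():
        if m := RESOURCE_RE.search(line):
            resource = (m.group(1), m.group(2))   # header line: new resource
        elif (m := ACL_RE.search(line)) and resource:
            acls.add((m.group(1), resource[0], resource[1], m.group(2)))
    return acls

def acl_drift(spec, listing):
    """Return (missing, stale): rules a service needs but lacks, and rules
    the artifact no longer declares (candidates for deletion)."""
    want, have = expected_acls(spec), parse_acl_listing(listing)
    return want - have, have - want
```

Running `acl_drift(EXPECTED, CURRENT_ACL_LISTING)` on the constructed sample reports the missing WRITE rule for vault-svc-b and the stale rule for old-svc.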
If you would prefer to create ACLs manually yourself, refer to the Vault installation guide and notify Thought Machine, giving the reasons for your decision. We may be able to offer you advice.
If you decide to generate your own client certificates, choose mTLS as the authentication method and opt in to ACL creation/deletion when installing Vault, then you must set kafka.client.ssl_subject in values.yaml. You do not need to set this if you will not create Kafka ACLs manually.