---
# Admin account: super user (declared in Kafka CR → authorization.superUsers).
# Strimzi-generated secret: kubectl -n kafka get secret kafka-admin
apiVersion: kafka.strimzi.io/v1
kind: KafkaUser
metadata:
  name: kafka-admin
  namespace: kafka
  labels:
    strimzi.io/cluster: kafka
spec:
  authentication:
    type: scram-sha-512
---
# Application account with explicit ACLs — duplicate per application.
# Strimzi-generated secret: kubectl -n kafka get secret kafka-client
apiVersion: kafka.strimzi.io/v1
kind: KafkaUser
metadata:
  name: kafka-client
  namespace: kafka
  labels:
    strimzi.io/cluster: kafka
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: "*"
          patternType: literal
        operations:
          - Read
          - Write
          - Create
          - Describe
          - DescribeConfigs
      - resource:
          type: group
          name: "*"
          patternType: literal
        operations:
          - Read
          - Describe
      - resource:
          type: transactionalId
          name: "*"
          patternType: literal
        operations:
          - Describe
          - Write