-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feat][fn] Add option to merge secrets into config for sink/source #20863
[feat][fn] Add option to merge secrets into config for sink/source #20863
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have one question: how does this work with structured configurations ? A value in the configuration may be a Map, is it possible to update entries inside a nested map?
@@ -158,6 +158,15 @@ public class JavaInstanceStarter implements AutoCloseable { | |||
required = false) | |||
public Boolean ignoreUnknownConfigFields = false; | |||
|
|||
@Parameter(names = "--merge_secrets_into_config_map", arity = 1, | |||
description = "Whether to merge secrets into the connector's configuration. Only affects Sinks and Sources." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why this doesn't apply to Functions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could apply to functions. I targeted Sources and Sinks because those are often cases where you are running a third party connector and in those cases, it is easier to merge the configs than updating the code. In the function runtime, it seems to be a well defined flow to get a secret from the function's context. That being said, we could also just fix each implementation.
I provide some direct examples of issues with connectors in this comment #20862 (comment).
The current logic is a naive |
@eolivelli - looks like recursive secret interpolation would be valuable here: Lines 59 to 62 in 55523ac
|
This will be superseded by the outcome of PIP 289. My preference is to use #20901. |
Fixes #20862
Motivation
See the issue for detailed motivation. Briefly, the current solution for configuring sinks and sources requires each sink and source to implement calls to materialize secrets using the
SecretsProvider
. Instead of relying on each connector to implement this feature, this PR introduces an option to pass the configuration into the sink and sourceopen
method call, so that the secrets are available without needing them to be passed in as plain text.One major benefit of this solution is that it integrates with the existing functionality to pass in secrets.
In order to be backwards compatible, I followed the approach used by #20116 to add a configuration to the function worker that will apply to all sinks/sources created by the function worker.
Example for old configuration and new configuration:
bin/pulsar-admin sinks create --input-specs "spec with secret"
Modifications
secrets
map into the config map that is subsequently passed to the sink or source when callingopen
.mergeSecretsIntoConfigMap
) and an associated new parameter to theJavaInstanceStarter
(--merge_secrets_into_config_map
) to enable this feature. The default value keeps the current behavior.Verifying this change
This change added tests.
Does this pull request potentially affect one of the following parts:
Adds a new configuration option. It is backwards compatible and defaults to use the old behavior.
Documentation
doc-required
I'll need a PR to add docs for this feature.
Matching PR in forked repository
PR in forked repository: michaeljmarshall#53