New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docs: Add docs for using external secrets in Kafka Connect #1183
Merged
scholzj
merged 4 commits into
master
from
docs-kafka-connect-secrets-and-external-configration
Jan 9, 2019
Merged
Changes from 2 commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
24 changes: 24 additions & 0 deletions
24
documentation/book/assembly-kafka-connect-external-configuration.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
// This assembly is included in the following assemblies: | ||
// | ||
// assembly-deployment-configuration-kafka-connect.adoc | ||
// assembly-deployment-configuration-kafka-connect-s2i.adoc | ||
|
||
// Save the context of the assembly that is including this one. | ||
// This is necessary for including assemblies in assemblies. | ||
// See also the complementary step on the last line of this file. | ||
|
||
[id='assembly-kafka-connect-external-configuration-{context}'] | ||
|
||
= Using external configuration and secrets | ||
|
||
Kafka Connect connectors have their own configuration. | ||
They are configured using the REST interface. | ||
The connector configuration is passed to Kafka Connect as part of the HTTP requests. | ||
In some cases, it might make sense to externalize the configuration of Kafka Connect connectors and keep it in the regular Kubernetes resources such as ConfigMaps or Secrets. | ||
This applies especially to confidential data such as usernames, passwords or certificates. | ||
|
||
include::con-kafka-connect-external-configuration.adoc[leveloffset=+1] | ||
|
||
include::proc-kafka-connect-mounting-secrets-as-environment-variables.adoc[leveloffset=+1] | ||
|
||
include::proc-kafka-connect-mounting-volumes.adoc[leveloffset=+1] |
92 changes: 92 additions & 0 deletions
92
documentation/book/con-kafka-connect-external-configuration.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
// This assembly is included in the following assemblies: | ||
// | ||
// assembly-kafka-connect-external-configuration.adoc | ||
|
||
[id='con-kafka-connect-external-configuration-{context}'] | ||
|
||
= Externalizing Kafka Connect connector configuration | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
{ProductName} lets you to mount ConfigMaps or Secrets into the Kafka Connect pods as either volumes or environment variables. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
The volumes and environment variables can be configured in the `externalConfiguration` property in `KafkaConnect.spec` and `KafkaConnectS2I.spec` | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
== External configuration as environment variable | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The `env` property can be used to specify one or more environment variables. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
These variables can contain a value from a ConfigMap or from a Secret. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
The names of the environment variables configured by the user cannot start with `KAFKA_` or `STRIMZI_`. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
To mount a value from a Secret to an environment variable, you have to use the `valueFrom` property and the `secretKeyReference` | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Example of environment variable set to a value from a Secret | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
[source,yaml,subs="attributes+"] | ||
---- | ||
apiVersion: {KafkaApiVersion} | ||
kind: KafkaConnect | ||
metadata: | ||
name: my-connect | ||
spec: | ||
# ... | ||
externalConfiguration: | ||
env: | ||
- name: MY_ENVIRONMENT_VARIABLE | ||
valueFrom: | ||
secretKeyRef: | ||
name: my-secret | ||
key: my-key | ||
---- | ||
|
||
A common use case for mounting Secrets into environment variables is for example when your connector needs to communicate with Amazon AWS and needs to read the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables with credentials. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
To mount a value from a ConfigMap use `configMapKeyRef` in the `valueFrom` property. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Example of environment variable set to a value from a ConfigMap | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
[source,yaml,subs="attributes+"] | ||
---- | ||
apiVersion: {KafkaApiVersion} | ||
kind: KafkaConnect | ||
metadata: | ||
name: my-connect | ||
spec: | ||
# ... | ||
externalConfiguration: | ||
env: | ||
- name: MY_ENVIRONMENT_VARIABLE | ||
valueFrom: | ||
configMapKeyRef: | ||
name: my-config-map | ||
key: my-key | ||
---- | ||
|
||
== External configuration as volume | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The ConfigMaps and Secrets can be also mounted as volumes. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Using volumes instead of environment variables migth be useful for example for: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
* Mounting truststores / keystores with TLS certificates | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
* Mounting properties file which should used to configure Kafka Connect connectors | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The ConfigMaps and Secrets which should be mounted as volumes should be listed in the `volumes` property of `externalConfiguration`. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Each volume has to specify a name in the `name` property and a reference to ConfigMap or Secret. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Example of volumes with external configuration | ||
[source,yaml,subs="attributes+"] | ||
---- | ||
apiVersion: {KafkaApiVersion} | ||
kind: KafkaConnect | ||
metadata: | ||
name: my-connect | ||
spec: | ||
# ... | ||
externalConfiguration: | ||
volumes: | ||
- name: connector1 | ||
configMap: | ||
name: connector1-configuration | ||
- name: connector1-certificates | ||
secret: | ||
secretName: connector1-certificates | ||
---- | ||
|
||
The volumes will be mounted inside the Kafka Connect containers in the path `/opt/kafka/external-configuration/_<volume-name>_`. | ||
For example the files from the volume named `connector1` will be in the directory `/opt/kafka/external-configuration/connector1`. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The `FileConfigProvider` has to be used to read the values from the mounted properties files in connector configurations. |
75 changes: 75 additions & 0 deletions
75
...entation/book/proc-kafka-connect-mounting-secrets-as-environment-variables.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
// This assembly is included in the following assemblies: | ||
// | ||
// assembly-kafka-connect-external-configuration.adoc | ||
|
||
[id='proc-kafka-connect-mounting-secrets-as-environment-variables-{context}'] | ||
|
||
= Mounting Secrets as environment variables | ||
|
||
This procedure shows how to use an {ProductPlatformName} Secret and mount it as environment variable into Kafka Connect. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Prerequisites | ||
|
||
* A running Cluster Operator. | ||
|
||
.Procedure | ||
|
||
. Create a secret containing the information which should be mounted as environment variable. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
For example: | ||
+ | ||
[source,yaml,subs=attributes+] | ||
---- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: aws-creds | ||
type: Opaque | ||
data: | ||
awsAccessKey: QUtJQVhYWFhYWFhYWFhYWFg= | ||
awsAecretAccessKey: Ylhsd1lYTnpkMjl5WkE= | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
---- | ||
|
||
. Create or edit the Kafka Connect resource. | ||
Configure the `externalConfiguration` section of the `KafkaConnect` or `KafkaConnectS2I` custom resource to reference the secret: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
For example: | ||
+ | ||
[source,yaml,subs="attributes+"] | ||
---- | ||
apiVersion: {KafkaApiVersion} | ||
kind: KafkaConnect | ||
metadata: | ||
name: my-connect | ||
spec: | ||
# ... | ||
externalConfiguration: | ||
env: | ||
- name: AWS_ACCESS_KEY_ID | ||
valueFrom: | ||
secretKeyRef: | ||
name: aws-creds | ||
key: awsAccessKey | ||
- name: AWS_SECRET_ACCESS_KEY | ||
valueFrom: | ||
secretKeyRef: | ||
name: aws-creds | ||
key: awsAecretAccessKey | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
---- | ||
|
||
. Apply the changes to your Kafka Connect deployment. | ||
+ | ||
ifdef::Kubernetes[] | ||
On {KubernetesName} this can be done using `kubectl apply`: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
[source,shell,subs=+quotes] | ||
kubectl apply -f _your-file_ | ||
+ | ||
endif::Kubernetes[] | ||
On {OpenShiftName} this can be done using `oc apply`: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
+ | ||
[source,shell,subs=+quotes] | ||
oc apply -f _your-file_ | ||
|
||
. Use the environment variables in your connectors. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Additional resources | ||
|
||
* For more information about external configuration in Kafka Connect, see xref:type-ExternalConfiguration-reference[]. |
89 changes: 89 additions & 0 deletions
89
documentation/book/proc-kafka-connect-mounting-volumes.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
// This assembly is included in the following assemblies: | ||
// | ||
// assembly-kafka-connect-external-configuration.adoc | ||
|
||
[id='proc-kafka-connect-mounting-volumes-{context}'] | ||
|
||
= Mounting Secrets as volumes | ||
|
||
This procedure shows how to use an {ProductPlatformName} Secret, mount it as volume into Kafka Connect, and use it to configure Kafka Connect connector. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
.Prerequisites | ||
|
||
* A running Cluster Operator. | ||
|
||
.Procedure | ||
|
||
. Create a secret containing a properties file with the configuration options we want to use in our connector configuration. | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
For example: | ||
+ | ||
[source,yaml,subs=attributes+] | ||
---- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: mysecret | ||
type: Opaque | ||
stringData: | ||
connector.properties: |- | ||
dbUsername: my-user | ||
dbPassword: my-password | ||
---- | ||
|
||
. Create or edit the Kafka Connect resource. | ||
Configure the `FileConfigProvider` in the `config` section and the `externalConfiguration` section of the `KafkaConnect` or `KafkaConnectS2I` custom resource to reference the secret: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
For example: | ||
+ | ||
[source,yaml,subs="attributes+"] | ||
---- | ||
apiVersion: {KafkaApiVersion} | ||
kind: KafkaConnect | ||
metadata: | ||
name: my-connect | ||
spec: | ||
# ... | ||
config: | ||
config.providers: file | ||
config.providers.file.class: org.apache.kafka.common.config.provider.FileConfigProvider | ||
#... | ||
externalConfiguration: | ||
volumes: | ||
- name: connector-config | ||
secret: | ||
secretName: mysecret | ||
---- | ||
|
||
. Apply the changes to your Kafka Connect deployment. | ||
+ | ||
ifdef::Kubernetes[] | ||
On {KubernetesName} this can be done using `kubectl apply`: | ||
scholzj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
[source,shell,subs=+quotes] | ||
kubectl apply -f _your-file_ | ||
+ | ||
endif::Kubernetes[] | ||
On {OpenShiftName} this can be done using `oc apply`: | ||
+ | ||
[source,shell,subs=+quotes] | ||
oc apply -f _your-file_ | ||
|
||
. Use the values from the mounted properties file in your JSON payload with connector configuration. | ||
For example: | ||
+ | ||
[source,json,subs="attributes+"] | ||
---- | ||
{ | ||
"name":"my-connector", | ||
"config":{ | ||
"connector.class":"MyDbConnector", | ||
"tasks.max":"3", | ||
"database": "my-postgresql:5432" | ||
"username":"${file:/opt/kafka/external-configuration/connector-config/connector.properties:dbUsername}", | ||
"password":"${file:/opt/kafka/external-configuration/connector-config/connector.properties:dbPassword}", | ||
# ... | ||
} | ||
} | ||
---- | ||
|
||
.Additional resources | ||
|
||
* For more information about external configuration in Kafka Connect, see xref:type-ExternalConfiguration-reference[]. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please reword as follows:
Kafka Connect connectors include built-in configuration using REST. The connector configuration is transferred to Kafka Connect whenever an HTTP request to the connector is made.
Alternatively, the configuration of a Kafka Connect connector can be stored externally as ConfigMaps or Secrets. ConfigMaps and Secrets are standard {ProductPlatformName} resources used for Pod configuration and authentication. This method applies especially to confidential data, such as usernames, passwords, or certificates.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@laidan6000 I fixed all the other comments as you suggested. But I'm a bit unsure about this one as I don't think it is correct and makes really sense.
I think especially the first paragraph in your suggestion is wrong and confusing. The second could be probably used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the additional information in the bullet points. In my eagerness to use the verb "store" rather than "externalize", I changed the meaning of the sentence. To be honest, I am struggling to fully understand the approach here. I've edited the first paragraph based on your bullet points -- does it work for you? Please tweak the wording as needed.
==
Kafka Connect connectors are configured using an HTTP REST interface. The connector configuration is stored within Kafka itself and passed to Kafka Connect as part of an HTTP request.
Alternatively, the configuration of a Kafka Connect connector can be externalized as ConfigMaps or Secrets. You can then reference the configuration values in HTTP REST commands (this keeps the configuration separate and more secure, if needed). This method applies especially to confidential data, such as usernames, passwords, or certificates.
ConfigMaps and Secrets are standard {ProductPlatformName} resources used for Pod configuration and authentication.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@laidan6000 I did some additional changes to this to make it (hopefully) a bit more clear. Especially to make it more clear that it doesn't store the whole configuration but just some pieces (I think this was probably written incorrectly already by me on the beginning). It would be great if you could have another review. The other comments should be incorporated as you suggested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It reads very well and makes sense to me. Happy for you to merge the PR.