...
JIRA:
WIP pull request: https://github.com/apache/kafka/pull/4990/files
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
In the above example, VaultConfigProvider will be passed the string "/run/secrets/vault-token" on initialization, which could be the filename for a Docker secret containing the initial Vault token, residing on the tmpfs mount, for instance. When resolving the value for "mysql.db.password", the VaultConfigProvider will use the key "vault_db_password_key". The VaultConfigProvider would use this key to look up the corresponding secret. (VaultConfigProvider is a hypothetical example for illustration purposes only.)
Here is an example of a FileConfigProvider:
```java
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.kafka.common.config.ConfigException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * An implementation of {@link ConfigProvider} that simply uses a Properties file.
 */
public class FileConfigProvider implements ConfigProvider {
    private static final Logger log = LoggerFactory.getLogger(FileConfigProvider.class);

    public final static String FILE_NAME = "filename";

    private Properties properties;

    /**
     * Configure this class with the initialization parameters
     */
    public void configure(Map<String, ?> configs) {
        String fileName = (String) configs.get(FILE_NAME);
        // try-with-resources closes the reader even if load() throws
        try (FileReader fileReader = new FileReader(fileName)) {
            properties = new Properties();
            properties.load(fileReader);
        } catch (IOException e) {
            throw new ConfigException("File name " + fileName + " not found for FileConfigProvider");
        }
    }

    /**
     * Transform the configs by resolving all indirect references
     */
    public Map<String, String> transform(ConfigContext ctx, Map<String, String> configs) {
        Map<String, String> newConfigs = new HashMap<>();
        for (Map.Entry<String, String> config : configs.entrySet()) {
            // the config value is the name of a key in the Properties file, not the secret itself
            String value = properties.getProperty(config.getValue());
            if (value != null) {
                log.info("Replacing {} for key {}", config.getValue(), config.getKey());
                newConfigs.put(config.getKey(), value);
            }
        }
        return newConfigs;
    }

    public void close() {
    }
}
```
Secret Rotation
Secret Management systems such as Vault support secret rotation by associating a "lease duration" with a secret, which can be read by the client.
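As an added, stand-alone illustration (not code from this KIP or from Kafka) of the indirect-reference resolution described above combined with a lease-based re-read of the secrets file for rotation: it assumes a hypothetical lease duration in milliseconds passed in by the caller, since the page does not define how a provider obtains one, and it fails on an unresolved key where FileConfigProvider above silently skips it.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/** Sketch only: resolves indirect references against a secrets file on disk
 *  (e.g. a Docker secret on a tmpfs mount) and re-reads it once a lease expires. */
public class LeasedFileSecrets {
    private final Path secretsFile;
    private final long leaseMs;            // hypothetical lease duration, as a Vault lease would expose
    private Properties secrets;
    private long loadedAt = Long.MIN_VALUE;

    LeasedFileSecrets(Path secretsFile, long leaseMs) { this.secretsFile = secretsFile; this.leaseMs = leaseMs; }

    private void reloadIfExpired(long now) throws IOException {
        if (secrets != null && now - loadedAt < leaseMs) return;   // lease still valid: keep cached copy
        Properties fresh = new Properties();
        try (Reader r = Files.newBufferedReader(secretsFile)) { fresh.load(r); }
        secrets = fresh;
        loadedAt = now;
    }

    /** Config values are key names in the secrets file; the secrets themselves never live in the config. */
    Map<String, String> transform(Map<String, String> configs, long now) throws IOException {
        reloadIfExpired(now);
        Map<String, String> resolved = new HashMap<>();
        for (Map.Entry<String, String> e : configs.entrySet()) {
            String v = secrets.getProperty(e.getValue());
            if (v == null) throw new IllegalStateException("no secret for key " + e.getValue()); // fail loudly
            resolved.put(e.getKey(), v);
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempFile("secrets", ".properties");
        Files.writeString(f, "vault_db_password_key=s3cr3t-v1\n");     // constructed sample secret
        LeasedFileSecrets provider = new LeasedFileSecrets(f, 60_000);
        Map<String, String> cfg = Map.of("mysql.db.password", "vault_db_password_key");
        System.out.println(provider.transform(cfg, 0));
        Files.writeString(f, "vault_db_password_key=s3cr3t-v2\n");     // simulate a rotation on disk
        System.out.println(provider.transform(cfg, 30_000));           // within lease: cached value reused
        System.out.println(provider.transform(cfg, 60_000));           // lease elapsed: file re-read
        Files.delete(f);
    }
}
```

The clock is passed in explicitly so the lease logic can be exercised deterministically; a real provider would use the system clock and the lease it receives from the secret store.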
...