...

JIRA: KAFKA-6886 (ASF JIRA)

WIP pull request: https://github.com/apache/kafka/pull/4990/files

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

In the above example, VaultConfigProvider is passed the string "/run/secrets/vault-token" on initialization; this could be the file name of a Docker secret containing the initial Vault token, residing on the tmpfs mount, for instance. When resolving the value for "mysql.db.password", VaultConfigProvider uses the key "vault_db_password_key" to look up the corresponding secret. (VaultConfigProvider is a hypothetical example for illustration purposes only.)

Here is an example of a FileConfigProvider:

Code Block
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.kafka.common.config.ConfigException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// ConfigProvider and ConfigContext are the interfaces this KIP introduces; they are assumed
// to live in the same package as this class, as in the WIP pull request.

/**
 * An implementation of {@link ConfigProvider} that simply uses a Properties file.
 */
public class FileConfigProvider implements ConfigProvider {

    private static final Logger log = LoggerFactory.getLogger(FileConfigProvider.class);

    public final static String FILE_NAME = "filename";

    private Properties properties;

    /**
     * Configure this class with the initialization parameters.
     * The only parameter used is "filename", the path of the Properties file holding the secrets.
     */
    public void configure(Map<String, ?> configs) {
        String fileName = (String) configs.get(FILE_NAME);
        if (fileName == null) {
            throw new ConfigException("Missing required config '" + FILE_NAME + "' for FileConfigProvider");
        }
        // try-with-resources closes the reader even if load() fails
        try (FileReader fileReader = new FileReader(fileName)) {
            properties = new Properties();
            properties.load(fileReader);
        } catch (IOException e) {
            throw new ConfigException("File " + fileName + " could not be read for FileConfigProvider: " + e.getMessage());
        }
    }

    /**
     * Transform the configs by resolving all indirect references.
     * Each config value is treated as a key into the Properties file; only entries whose
     * key is present in the file are returned.
     */
    public Map<String, String> transform(ConfigContext ctx, Map<String, String> configs) {
        Map<String, String> newConfigs = new HashMap<>();
        for (Map.Entry<String, String> config : configs.entrySet()) {
            String value = properties.getProperty(config.getValue());
            if (value != null) {
                // Log only the indirect key and the config name, never the resolved secret
                log.info("Replacing {} for key {}", config.getValue(), config.getKey());
                newConfigs.put(config.getKey(), value);
            }
        }
        return newConfigs;
    }

    public void close() {
    }
}

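The provider above in use, as an added example that is not part of the KIP or the pull request: it assumes the FileConfigProvider class shown above is compiled in the same package, and passes null for the WIP ConfigContext argument because this provider ignores it. It refuses a secrets file that is readable beyond its owner, resolves a config map of indirect references, and fails closed on any reference the file cannot resolve.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

public class FileConfigProviderDemo {
    // Constructed sample secrets file, standing in for e.g. a Docker secret mounted on tmpfs.
    private static final String SECRETS = "vault_db_password_key=constructed-db-password\n";

    /** Refuse a secrets file that anyone but its owner can read (checked on POSIX hosts only). */
    static void requireOwnerOnly(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = new HashSet<>(Files.getPosixFilePermissions(file));
            perms.retainAll(EnumSet.of(PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ));
            if (!perms.isEmpty()) throw new IllegalStateException(file + " is readable by group/others: " + perms);
        } catch (UnsupportedOperationException e) { /* non-POSIX file system (e.g. Windows): no bits to check */ }
    }

    public static void main(String[] args) throws Exception {
        Path secretsFile = Files.createTempFile("secrets", ".properties"); // owner-only on POSIX
        Files.write(secretsFile, SECRETS.getBytes(StandardCharsets.UTF_8));
        try {
            requireOwnerOnly(secretsFile);
            FileConfigProvider provider = new FileConfigProvider();
            provider.configure(Collections.singletonMap(FileConfigProvider.FILE_NAME, secretsFile.toString()));

            // The configs carry only indirect references; no secret value is written into them.
            Map<String, String> configs = new LinkedHashMap<>();
            configs.put("mysql.db.password", "vault_db_password_key");
            configs.put("ssl.truststore.password", "no_such_key"); // deliberately unresolvable

            // FileConfigProvider ignores the ConfigContext argument, so null is passed in this demo.
            Map<String, String> resolved = provider.transform(null, configs);
            provider.close();

            // transform() returns only the entries it resolved, so the caller must detect the rest.
            Set<String> unresolved = new HashSet<>(configs.keySet());
            unresolved.removeAll(resolved.keySet());

            // Log key names only, never the resolved secret values; fail closed on any gap.
            System.out.println("resolved keys:   " + resolved.keySet());
            System.out.println("unresolved keys: " + unresolved);
            if (!unresolved.isEmpty()) throw new IllegalStateException("unresolved secret references: " + unresolved);
        } finally {
            Files.deleteIfExists(secretsFile);
        }
    }
}
```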

Secret Rotation

Secret management systems such as Vault support secret rotation by associating a "lease duration" with each secret, which the client can read.

...