
We are using Kafka Connectors (JDBC and others), and configuring them using the REST API (using curl in shell scripts). Right now, when testing/developing, we are including secrets (for the JDBC connect - database user/pw) directly in the request. This is obviously bad, as those are then readily available for everybody to see when reading them out using the GET request.

Is there a good way to give secrets to the connectors? We can bring them in safely using environment variables or config files (injected from OpenShift) - but is there a syntax available when starting a connector via the REST API for that?

EDIT: This is for the distributed mode of connectors; i.e., configuration by REST API, not connector config files...

AnoE

1 Answer


A pluggable interface for this was implemented in Apache Kafka 2.0 through KIP-297. You can see more details in the documented example here.

Robin Moffatt
  • There's still an open JIRA that exposes the password later at /config endpoint, I saw – OneCricketeer Feb 13 '19 at 03:44
  • Thanks so far. That page shows the way with config files (i.e., a config file which contains the secret; possibly injected by OpenShift in my case) which would be cool. I have not found out yet whether this can be used in a connector configured/created via REST API, but will try to figure it out later... or did you do that already, @RobinMoffatt? – AnoE Feb 13 '19 at 09:48
  • @AnoE The REST API is the only way to make connectors, so yes. The file needs to already exist in your containers/hosts. – OneCricketeer Feb 17 '19 at 20:12
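
The approach from the answer and comments, as an added example that is not part of the original posts: the REST request carries `${file:<path>:<key>}` references instead of credentials, and the script refuses to submit a payload that still holds a literal password. The secrets file path, the `db.user`/`db.password` keys, the connector name, the JDBC URL and the helper names `build_payload`, `has_literal_secret` and `submit_connector` are assumptions made for illustration.

```shell
#!/bin/sh
# Worker-side prerequisite (connect-distributed.properties), enabling the
# KIP-297 file provider that ships with Apache Kafka 2.0+:
#   config.providers=file
#   config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider

# Assumed location of the properties file present on every worker
# (for example mounted from an OpenShift secret). It would contain:
#   db.user=...
#   db.password=...
SECRETS_FILE="${SECRETS_FILE:-/opt/connect-secrets/jdbc.properties}"

# Print the connector JSON. Credentials appear only as provider references;
# the worker resolves them from SECRETS_FILE when it starts the connector.
build_payload() {
  cat <<EOF
{
  "name": "jdbc-source-example",
  "config": {
    "connector.class": "io.confluent.connect.jdbc.JdbcSourceConnector",
    "connection.url": "jdbc:postgresql://db.example.internal:5432/app",
    "connection.user": "\${file:${SECRETS_FILE}:db.user}",
    "connection.password": "\${file:${SECRETS_FILE}:db.password}",
    "mode": "bulk",
    "topic.prefix": "example-"
  }
}
EOF
}

# Read JSON on stdin. Return 0 if any key containing "password" or "secret"
# has a value that is NOT a ${provider:...} reference, 1 otherwise.
# Splitting on commas lets the line-based check handle compact JSON too.
has_literal_secret() {
  tr ',' '\n' \
    | grep -Ei '"[^"]*(password|secret)[^"]*"[[:space:]]*:' \
    | grep -Evq ':[[:space:]]*"\$\{[A-Za-z0-9_]+:[^}]*\}"'
}

# Usage: submit_connector http://connect.example.internal:8083
submit_connector() {
  payload="$(build_payload)"
  if printf '%s\n' "$payload" | has_literal_secret; then
    echo "refusing to submit: payload contains a literal secret" >&2
    return 1
  fi
  printf '%s' "$payload" \
    | curl -sS -X POST -H 'Content-Type: application/json' --data @- "$1/connectors"
}
```

The same `has_literal_secret` check can be run in CI over every connector JSON file kept in version control, so a literal credential is caught before it reaches the REST API.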