Table of Contents |
---|
Status
Current state: Under discussion
...
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Kafka Connect allows integration with many types of external systems. Some of these systems may require secrets to be configured in order to access them. Many customers have an existing Secret Management strategy and are using centralized management systems such as Vault, Keywhiz, or AWS Secrets Manager. Vault is very popular and has been described as "the current gold standard in secret management and provisioning". These Secret Management systems may satisfy the following customer requirements:
...
Connect should not store or transmit cleartext passwords in connector configurations. TLS can be enabled on Connect's REST API, and this proposal addresses how Connect deals with secrets in stored connector configurations by integrating with external secret management systems. First, since no single standard exists, Connect will provide an extension point for adding customized integrations and will provide a simple file-based extension as an example. Second, a Connect runtime can be configured to use one or more of these extensions, and will allow connector configurations to use placeholders that will be resolved by the runtime before passing the complete connector configurations to connectors. Therefore, existing connectors will not see any difference in the configurations that Connect provides to them at startup. And third, Connect's API will be changed to allow a connector to obtain the latest connector configuration at any time.
Public Interfaces
Two new interfaces will be added to Kafka Connect's public API to allow custom implementations to integrate with external systems for managing secrets.
...
Config Option | Description | Example | Default |
---|---|---|---|
config.providers | A comma-separated list of names for providers. | config.providers=file,vault | N/A |
config.providers.{name}.class | The Java class name for a provider. | config.providers.file.class=org.apache.kafka.connect.configs.FileConfigProvider | N/A |
config.providers.{name}.param.{param-name} | A parameter to be passed to the above Java class on initialization. | config.providers.file.param.secrets=/run/mysecrets | N/A |
config.reload.action | One of:
| config.reload.action=restart | restart |
Proposed Changes
Currently the configuration for both Connectors and Tasks is stored in a Kafka topic. The goal is for these stored configurations to only contain indirect references to secrets. When a Connector or Task is started, the configuration will be read from Kafka and then passed to the specific Connector or Task. Before the configuration is passed to the Connector or Task, the indirect references need to be resolved.
...
In the above example, VaultConfigProvider will be passed the string "/run/secrets/vault-token" on initialization, which could be the filename for a Docker secret containing the initial Vault token, residing on the tmpfs mount, for instance. When resolving the value for "mysql.db.password", the VaultConfigProvider will use the key "vault_db_password_key". The VaultConfigProvider would use this key to look up the corresponding secret. (VaultConfigProvider is a hypothetical example for illustration purposes only.)
Secret Rotation
Secret Management systems such as Vault support secret rotation by associating a "lease duration" with a secret, which can be read by the client.
...
- ConfigProvider: The
ConfigProvider
may have knowledge of the method of rotation. For Vault, it would be a "lease duration". For a file-based provider, it could be file watches. If it knows when a secret is going to be reloaded, it would callscheduleConfigReload()
to inform the Herder. - Herder: The Herder can push information to the Connector indicating that secrets have expired or may expire in the future. When the Herder receives the
scheduleConfigReload()
call, it will check a new connector configuration propertyconfig.reload.action
which can be one of the following:- The value
restart
, which means to schedule a restart of the Connector and all its Tasks. This will be the default. - The value
none
, which means to do nothing.
- The value
- Connector Tasks: A task may wish to handle rotation on its own (a pull model). In this case the Connector would need to set
config.reload.action
tonone
. The methodsSinkTaskContext.config()
andSourceTaskContext.config()
would be used by the Task to reload the config and resolve indirect references again.
Compatibility, Deprecation, and Migration Plan
No changes are required for existing Connectors. Existing connector configurations with plaintext passwords will not be affected, and only after they are changed to use the variables (aka, indirect references) will the secrets not be stored by Connect.
Connectors that use a ConfigProvider and do not want the restart behavior can specify config.reload.action
as none
.
Rejected Alternatives
The current scope of this proposal is for Connectors only. It does not address brokers nor clients. The injection will happen at a very specific time in the lifecycle of Kafka Connect, i.e. after the configuration is stored and before the Connectors and Tasks are started.
...