strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0

[Enhancement]: Support for Passing Username as Secret in KafkaClientAuthenticationPlain #10823

Open joystern13 opened 1 week ago

joystern13 commented 1 week ago

Related problem

Description: I am trying to use Plain authentication for my Kafka clients as documented here. However, I need the ability to pass the username as a Kubernetes secret.

Background: We are using Strimzi for building Kafka Connectors. We connect to a Kafka server hosted on the Confluent platform by a different application which uses the plain authentication scheme. Our system credentials are stored in Azure Key Vault, where the username and password are rotated periodically. To manage these secrets effectively in Kubernetes, we initially attempted integration with the Secrets Store CSI driver to automatically fetch updated secrets from Key Vault. However, this failed as CSI driver integration is currently unsupported for Strimzi (refer to Issue #5277).

We have now started using akv2k8s to handle this requirement, which requires that both the username and password are configured as Kubernetes secrets.

Request: Please add support for passing the username in KafkaClientAuthenticationPlain via a Kubernetes secret, in addition to the existing support for passing the password this way. This feature would allow Strimzi users to securely manage dynamically updated usernames and passwords stored in external secrets managers like Azure Key Vault.

Suggested solution

In KafkaClientAuthenticationPlain add the ability to pass both username and password as a single secret.

Alternatives

No response

Additional context

No response

scholzj commented 1 week ago

This is currently not planned. But if you would want to contribute it, it might not be a problem, but it should have a proposal to cover the new APIs, backwards compatibility, impact on other places where username is passed (it should likely be done in the same way everywhere), etc.

im-konge commented 1 week ago

Triaged on 14.11.2024: This makes sense to have implemented, but it requires a proposal. @joystern13 do you want to have a look at it?

joystern13 commented 1 week ago

Hello @scholzj, @im-konge, I will look at it and provide a proposal. Sorry, I can't commit to a timeline.

scholzj commented 1 week ago

@joystern13 No worries about the timeline. When you get to it you get to it.