strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0
4.85k stars 1.3k forks source link

[Enhancement]: Support for Passing Username as Secret in KafkaClientAuthenticationPlain #10823

Open joystern13 opened 2 days ago

joystern13 commented 2 days ago

Related problem

Description: I am trying to use Plain authentication for my Kafka clients as documented here. However, I need the ability to pass the username as a Kubernetes secret.

Background: We are using Strimzi for building Kafka Connectors. We connect to Kafka server hosted on Confluent platform by a different application which uses plain authentication scheme. Our system credentials are stored in Azure Key Vault, where the username and password are rotated periodically. To manage these secrets effectively in Kubernetes, we initially attempted integration with the Secrets Store CSI driver to automatically fetch updated secrets from Key Vault. However, this failed as CSI driver integration is currently unsupported for Strimzi (refer to Issue #5277).

We have now started using akv2k8s to handle this requirement, which requires that both the username and password are configured as Kubernetes secrets.

Request: Please add support for passing the username in KafkaClientAuthenticationPlain via a Kubernetes secret, in addition to the existing support for passing the password this way. This feature would allow Strimzi users to securely manage dynamically updated usernames and passwords stored in external secrets managers like Azure Key Vault.

Suggested solution

In KafkaClientAuthenticationPlain add the ability to pass both username and password as a single secret.

Alternatives

No response

Additional context

No response

scholzj commented 1 day ago

This is currently not planned. But if you would want to contribute it, it might not be a problem, but it should have a proposal to cover the new APIs, backwards compatibility, impact on other places where username is passed (it should lilely be done in the same way everywhere) etc.