Closed siw36 closed 4 years ago
I think you can already do this today using the templates: https://strimzi.io/docs/operators/latest/full/using.html#supported_template_properties_for_a_kafka_cluster ... the resource would look something like this:
```yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  labels:
    app: my-cluster
spec:
  kafka:
    # ...
    listeners:
      external:
        type: route
    template:
      externalBootstrapRoute:
        metadata:
          annotations:
            myanno: myvalue
      perPodRoute:
        metadata:
          annotations:
            myanno: myvalue
    # ...
```
Whoops... my bad. Thanks for the fast response.
Hi, I have a Strimzi Kafka running on OpenShift and I need to somehow restrict the access to the external listener (type route) to some IP addresses. I know that it's possible to add a host parameter to the ACLs, so that the ACL will only match when the connection comes from the configured IP address. But I want to drop all packages that are not originating from an allowed IP address. Usually I would add an annotation to the OpenShift route and specify an IP allowlist to only allow connections from certain IPs. [1]
My idea: add a parameter to the `KafkaListenerExternalRoute` object like "KafkaListenerExternalRouteAnnotations", so it is possible to add annotations to the created routes. Let me know what you think about it.
[1] https://docs.openshift.com/container-platform/4.3/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
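
An added example, not part of the thread and not Strimzi code: a check that both route templates from the reply carry the allowlist annotation from the OpenShift documentation in [1] (`haproxy.router.openshift.io/ip_whitelist`, a space-separated list of addresses and CIDRs). It assumes the Kafka resource is available as JSON, for example from `oc get kafka my-cluster -o json`; the function name and the sample resource are constructed for illustration.

```python
import ipaddress
import json

# Route annotation documented by OpenShift for per-route source IP allowlists.
ALLOWLIST = "haproxy.router.openshift.io/ip_whitelist"
# Both templates matter: clients bootstrap through one route, then connect
# to each broker through its own per-pod route.
ROUTE_TEMPLATES = ("externalBootstrapRoute", "perPodRoute")


def check_route_allowlists(kafka):
    """Return a list of findings for a Kafka custom resource given as a dict."""
    findings = []
    template = kafka.get("spec", {}).get("kafka", {}).get("template", {})
    for name in ROUTE_TEMPLATES:
        annotations = template.get(name, {}).get("metadata", {}).get("annotations", {})
        value = annotations.get(ALLOWLIST, "")
        if not value.strip():
            findings.append(f"{name}: no {ALLOWLIST} annotation, no source IP restriction at the router")
            continue
        for entry in value.split():  # the annotation is a space-separated list
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{name}: '{entry}' is not an IP address or CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(f"{name}: '{entry}' matches every address")
    return findings


# Constructed sample: only the bootstrap route is restricted.
SAMPLE = json.loads("""
{"apiVersion": "kafka.strimzi.io/v1beta1", "kind": "Kafka",
 "metadata": {"name": "my-cluster"},
 "spec": {"kafka": {"template": {
   "externalBootstrapRoute": {"metadata": {"annotations": {
     "haproxy.router.openshift.io/ip_whitelist": "192.0.2.10 198.51.100.0/24"}}},
   "perPodRoute": {"metadata": {"annotations": {"myanno": "myvalue"}}}}}}}
""")

if __name__ == "__main__":
    for finding in check_route_allowlists(SAMPLE):
        print(finding)
```

Annotating only `externalBootstrapRoute` leaves the per-broker routes reachable from any address, which is the case the sample triggers.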