Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support alternative mechanisms for injecting KMS secrets #8

Open
robobario opened this issue Jun 30, 2023 · 0 comments
Open

Support alternative mechanisms for injecting KMS secrets #8

robobario opened this issue Jun 30, 2023 · 0 comments

Comments

@robobario
Copy link

robobario commented Jun 30, 2023
edited
Loading

Using the existing json format for defining KMS we embed the secrets in the config file.

[
  {
    "name"         : "vault",
    "type"         : "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
    "uri"          : "http://127.0.0.1:8200/v1/secret/data",
    "credential"   : "secretgoeshere"
  }
]

It may be preferable in a Kubernetes env to inject secrets as files or environment variable, so we can use k8s secret management, and be able to refer to them from the config.

Kroxylicious could support something like macro replacement, expanding "credential" : "${env:SECRET_NAME}" or "credential" : "${file:/path/to/secret}" and re-writing the json blob before handing it to the encryption module.

Or we could support a different format and aim to upstream it into the encryption module like:

[
  {
    "name"         : "vault",
    "type"         : "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
    "uri"          : "http://127.0.0.1:8200/v1/secret/data",
    "credentialFile"   : "/path/to/vault/secret"
  }
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@robobario