aiven/aiven-operator

Kafka secrets expose wrong for Service URI

Closed this issue · 5 comments

When creating a ServiceUser for Kafka, the generated secret contains:

ACCESS_CERT: 
ACCESS_KEY: 
CA_CERT: 
HOST: 
PASSWORD:
PORT: "26588"
USERNAME: 

The port appears to be wrong, as the port shown in the Overview part for a given Kafka cluster in Aiven is listed as 26599.

Related: the port number for the schemaregistry is not listed in the Secret; could that be added to the secret as well?

I wonder why host/port are ever exposed. Depending on bouncer, pool, etc., a "port" is so many different things. I think they should be dropped and specific service secrets used instead. This is what the API returns for a user; we can use this:

"access_cert": "<CERTIFICATE>",
"access_key": "<PRIVATE KEY>",
"password": "00000000",
"type": "primary",
"username": "00000000"

So what I would do:

  1. drop host/port fields
  2. add schemaregistry port number

What do you think?

The port is relevant for us as the services (kafka/psql/etc) are already created outside of the scope of the operator. Hence for a developer to know where to connect to, in relation to the ServiceUser/secret-details, this information is required.

If host/port is removed, it will break our current workflows.

@toredash could you please share your yaml file (with no sensitive data)?
My port for kafka is the same as on the web UI.


% SECRET=$(kubectl get serviceuser kafka-sa -o json | jq '.spec.connInfoSecretTarget.name' -r)
% kubectl get secret $SECRET -o json | jq '.data.PORT' -r | base64 -d                                
26588

Is this sufficient? I can raise a support ticket if you want more details.

Hey. Thanks for the response.
I see you have SASL enabled and certificate disabled. That changes the port. But for some reason the API still returns the certificate port as the uri param. I believe the web UI has a workaround. Let me see what I can do here.