A config provider for Kafka
, able to retrieve secrets from environment variables.
This is meant to be used in Kafka
connectors configuration, to be able to get
values that are defined in environment variables.
This is particularly useful when running in the cloud, since configuration for Docker images (or Kubernetes pods) is normally achieved through environment variables.
This config provider can also be used as a way to externalize secrets when using
Kafka
, as described here.
A possible way to use this for secrets would be delegating the actual secrets management
to something external (e.g., a Kubernetes operator that gets the secrets from
AWS
Secrets Management
and stores it as Kubernetes secrets) and just pass the
secrets to your application as environment variables.
Using a config provider ensures that secrets can be passed to your Kafka
connectors
without being neither exposed nor logged by the Kafka
connect infrastructure.
In order to install this config provider on a Kafka connect
instance:
- build the
kafka-env-config-provider
jar using gradle:gradle build
- include the jar under
build/libs
in theKafka connect
instance you are using in a separate specific directory (e.g.,/usr/local/share/java/kafka-connect/plugins/kafka-env-config-provider
) (if are using Docker, create an image that extends theKafka connect
standard one from Confluent, adding this jar)- if extending
confluentinc/cp-kafka-connect
version >= 6, you must include the jar in/usr/share/java/cp-base-new/
- if extending
- in the
Kafka connect
worker configuration, add the directory where you placed the jar to the plugins path- if you are using the
confluent-oss
platform, edit the fileetc/schema-registry/connect-avro-distributed.properties
and add the jar directory to theplugin.path
property as follows:plugin.path=share/java,/usr/local/share/java/kafka-connect/plugins/kafka-env-config-provider
- if you are extending the
confluentinc/cp-kafka-connect
Docker image with version < 6, set the environment variableCONNECT_PLUGIN_PATH
value with the jar directory when running the container. For versions >= 6 you can omit this step.
- if you are using the
In order to use this config provider in Kafka connect
, you need to declare it
in the worker configuration as follows:
- in the
confluent-oss
platform, edit the fileetc/schema-registry/connect-avro-distributed.properties
adding the following properties:config.providers=env config.providers.env.class=org.ggt.kafka.config.provider.KafkaEnvConfigProvider
- if you are extending the
confluentinc/cp-kafka-connect
Docker image, add the following environment variables when running the container:CONNECT_CONFIG_PROVIDERS=env CONNECT_CONFIG_PROVIDERS_ENV_CLASS=org.ggt.kafka.config.provider.KafkaEnvConfigProvider
You can then reference environment variables from Kafka connect
connector
configurations as follows:
${env:ENVIRONMENT_VARIABLE_NAME}