directoryPathInContainer on MDS dependencies seemingly not supported.
mccullya opened this issue · comments
BoySherman commented
Greetings,
Trying to make use of Vault secret mounts (instead of Kubernetes secrets). When I adjust the MDS dependency as such:
mds:
  endpoint: https://kafka.sandbox.svc.cluster.local:8090
  tokenKeyPair:
    secretRef: mds-public
  authentication:
    type: bearer
    bearer:
      directoryPathInContainer: /vault/secrets
      # secretRef: mds-client-connect
Confluent Operator errors with the following:
{"level":"error","ts":1623324127.5090387,"logger":"connect","caller":"controller/controller.go:244","msg":"apply failed","name":"connect","namespace":"sandbox","error":"loading mds authentication from directoryPathInContainer is not supported"}
This is despite it being a valid property in the CRD.
Is there a reason for this? It would seem intentional (as there is a custom error for it), however, I do not understand why it would then be defined?
The workaround that I have found for now is to use a dummy secret in place, and then perform a config override.
i.e.
configOverrides:
  server:
    - sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.sandbox.svc.cluster.local:8090" username="${file:/vault/secrets/bearer.txt:username}" password="${file:/vault/secrets/bearer.txt:password}";
Thanks in advance!
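A pre-flight check for the workaround above, as an added example that is not part of the original post or of Confluent Operator: it finds the `${file:<path>:<key>}` placeholders in a config override line and confirms that each one resolves against the mounted file, reporting missing files or keys without printing secret values. `check_placeholders`, `load_properties` and the `root` parameter are hypothetical names, and the parsing is a simplifying assumption (only `key=value` lines are read).

```python
import re
from pathlib import Path

# Matches ${file:<path>:<key>} as written in the configOverrides line above.
PLACEHOLDER = re.compile(r"\$\{file:([^:}]+):([^}]+)\}")

# The override line from the post, shortened to the part that carries placeholders.
OVERRIDE = ('sasl.jaas.config=... '
            'username="${file:/vault/secrets/bearer.txt:username}" '
            'password="${file:/vault/secrets/bearer.txt:password}";')


def load_properties(path):
    """Parse key=value lines; blank lines and # / ! comments are skipped."""
    props = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_placeholders(config_line, root="/"):
    """Return a list of problems; an empty list means every placeholder resolves.

    `root` (hypothetical parameter) lets the check run against a local copy
    of the mount instead of the container's real filesystem.
    """
    problems = []
    for path, key in PLACEHOLDER.findall(config_line):
        local = Path(root) / path.lstrip("/")
        if not local.is_file():
            problems.append(f"{path}: file not mounted")
            continue
        value = load_properties(local).get(key)
        if value is None:
            problems.append(f"{path}: missing key '{key}'")
        elif value == "":
            problems.append(f"{path}: key '{key}' is empty")
    return problems


if __name__ == "__main__":
    # Only paths and key names are reported, never the secret values.
    for problem in check_placeholders(OVERRIDE):
        print(problem)
```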
BoySherman commented
FYI, just observed same when trying to change the KafkaRestClass:
i.e.
apiVersion: platform.confluent.io/v1beta1
kind: KafkaRestClass
metadata:
  name: default
spec:
  kafkaRest:
    authentication:
      type: bearer
      bearer:
        directoryPathInContainer: /vault/secrets