confluentinc / operator-earlyaccess

Confluent Operator Early Access docs

directoryPathInContainer on MDS dependencies seemingly not supported.

mccullya opened this issue · comments

Greetings,

Trying to make use of Vault secret mounts (instead of Kubernetes secrets). When I adjust the MDS dependency as such:

    mds:
      endpoint: https://kafka.sandbox.svc.cluster.local:8090
      tokenKeyPair:
        secretRef: mds-public
      authentication:
        type: bearer
        bearer:
          directoryPathInContainer: /vault/secrets
          # secretRef: mds-client-connect

Confluent Operator errors with the following:

    {"level":"error","ts":1623324127.5090387,"logger":"connect","caller":"controller/controller.go:244","msg":"apply failed","name":"connect","namespace":"sandbox","error":"loading mds authentication from directoryPathInContainer is not supported"}

This is despite it being a valid property in the CRD.

Is there a reason for this? It would seem intentional (as there is a custom error for it), however, I do not understand why it would then be defined?

The workaround that I have found for now is to use a dummy secret in place, and then perform a config override.

i.e.

    configOverrides:
      server:
        - sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.sandbox.svc.cluster.local:8090" username="${file:/vault/secrets/bearer.txt:username}" password="${file:/vault/secrets/bearer.txt:password}";

Thanks in advance!

FYI, just observed the same when trying to change the KafkaRestClass:
i.e.

    apiVersion: platform.confluent.io/v1beta1
    kind: KafkaRestClass
    metadata:
      name: default
    spec:
      kafkaRest:
        authentication:
          type: bearer
          bearer:
            directoryPathInContainer: /vault/secrets
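The `configOverrides` workaround above relies on Kafka's `${file:<path>:<key>}` placeholder syntax, which is resolved at broker/worker start from a Java properties file in the Vault-mounted directory. A practitioner adopting that workaround wants to know, before rolling it out, that every placeholder in the JAAS line actually resolves against the mounted file and that the file is not readable by other users in the container. The script below is an added example and not code from the issue, from Confluent, or from Kafka: it is a simplified reimplementation of the placeholder resolution (not Kafka's own `FileConfigProvider`), run against a constructed secrets directory and constructed credentials, and the `demo` function and its sample values are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Matches Kafka config-provider placeholders of the form ${file:<path>:<key>},
# the syntax used in the sasl.jaas.config override from the issue.
PLACEHOLDER = re.compile(r"\$\{file:(?P<path>[^:}]+):(?P<key>[^}]+)\}")


def load_properties(path):
    """Parse a minimal Java .properties file (key=value or key:value, '#'/'!' comments).

    This is a simplified stand-in for what Kafka's file config provider reads."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", "!")):
                continue
            if "=" in line:
                key, _, value = line.partition("=")
            elif ":" in line:
                key, _, value = line.partition(":")
            else:
                key, value = line, ""
            props[key.strip()] = value.strip()
    return props


def check_secret_file(path, max_mode=0o600):
    """Report problems with a secret file: missing, or readable beyond the owner."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return [f"{path}: mode {oct(mode)} is wider than {oct(max_mode)}"]
    return []


def resolve_placeholders(config_line):
    """Resolve every ${file:path:key} in a config line against the files on disk.

    Returns (resolved_line, problems). Missing files or keys are reported and the
    placeholder is left untouched rather than guessed."""
    problems = []

    def substitute(match):
        path, key = match.group("path"), match.group("key")
        problems.extend(check_secret_file(path))
        if not os.path.isfile(path):
            return match.group(0)
        props = load_properties(path)
        if key not in props:
            problems.append(f"{path}: key '{key}' not present")
            return match.group(0)
        return props[key]

    return PLACEHOLDER.sub(substitute, config_line), problems


def demo():
    """Constructed example: a Vault-style secrets directory holding bearer.txt.

    The directory, file contents and credentials are made up for this example."""
    secrets_dir = tempfile.mkdtemp(prefix="vault-secrets-")
    bearer = os.path.join(secrets_dir, "bearer.txt")
    with open(bearer, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not a real credential\n")
        fh.write("username=connect\n")
        fh.write("password=example-only\n")
    os.chmod(bearer, 0o600)  # what a correctly mounted secret should look like

    # Same shape as the override in the issue, pointing at the constructed file.
    jaas = (
        "sasl.jaas.config=org.apache.kafka.common.security.oauthbearer."
        "OAuthBearerLoginModule required "
        'metadataServerUrls="https://kafka.sandbox.svc.cluster.local:8090" '
        f'username="${{file:{bearer}:username}}" password="${{file:{bearer}:password}}";'
    )
    resolved, ok_problems = resolve_placeholders(jaas)

    # Failure mode 1: the override references a key the mounted file lacks.
    _, bad_problems = resolve_placeholders(f'token="${{file:{bearer}:token}}"')

    # Failure mode 2: the secret file is readable by group/others in the container.
    leaky = os.path.join(secrets_dir, "leaky.txt")
    with open(leaky, "w", encoding="utf-8") as fh:
        fh.write("username=connect\n")
    os.chmod(leaky, 0o644)
    _, leaky_problems = resolve_placeholders(f'u="${{file:{leaky}:username}}"')

    return {
        "resolved": resolved,
        "ok_problems": ok_problems,
        "bad_problems": bad_problems,
        "leaky_problems": leaky_problems,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it in the Connect container (or in an init step that has the Vault mount) with the real `/vault/secrets/bearer.txt` path turns a failed worker start into an explicit list of unresolved keys and over-permissive files; note that the resolved line contains the plaintext credentials and is meant for a check, not for logging.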