Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

9.15. Loading configuration values from external sources

Use configuration providers to load configuration data from external sources. The providers operate independently of Streams for Apache Kafka. You can use them to load configuration data for all Kafka components, including producers and consumers. You reference the external source in the configuration of the component and provide access rights. The provider loads data without needing to restart the Kafka component or extracting files, even when referencing a new external source. For example, use providers to supply the credentials for the Kafka Connect connector configuration. The configuration must include any access rights to the external source.

9.15.1. Enabling configuration providers
复制链接

You can enable one or more configuration providers using the config.providers properties in the spec configuration of a component.

Example configuration to enable a configuration provider

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect
  annotations:
    strimzi.io/use-connector-resources: "true"
spec:
  # ...
  config:
    # ...
    config.providers: env
    config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
  # ...

KubernetesSecretConfigProvider
Loads configuration data from OpenShift secrets. You specify the name of the secret and the key within the secret where the configuration data is stored. This provider is useful for storing sensitive configuration data like passwords or other user credentials.
KubernetesConfigMapConfigProvider
Loads configuration data from OpenShift config maps. You specify the name of the config map and the key within the config map where the configuration data is stored. This provider is useful for storing non-sensitive configuration data.
EnvVarConfigProvider
Loads configuration data from environment variables. You specify the name of the environment variable where the configuration data is stored. This provider is useful for configuring applications running in containers, for example, to load certificates or JAAS configuration from environment variables mapped from secrets.
FileConfigProvider
Loads configuration data from a file. You specify the path to the file where the configuration data is stored. This provider is useful for loading configuration data from files that are mounted into containers.
DirectoryConfigProvider
Loads configuration data from files within a directory. You specify the path to the directory where the configuration files are stored. This provider is useful for loading multiple configuration files and for organizing configuration data into separate files.

To use KubernetesSecretConfigProvider and KubernetesConfigMapConfigProvider, which are part of the OpenShift Configuration Provider plugin, you must set up access rights to the namespace that contains the configuration file.

You can use the other providers without setting up access rights. You can supply connector configuration for Kafka Connect or MirrorMaker 2 in this way by doing the following:

  • Mount config maps or secrets into the Kafka Connect pod as environment variables or volumes
  • Enable EnvVarConfigProvider, FileConfigProvider, or DirectoryConfigProvider in the Kafka Connect or MirrorMaker 2 configuration
  • Pass connector configuration using the externalConfiguration property in the spec of the KafkaConnect or KafkaMirrorMaker2 resource

Using providers help prevent the passing of restricted information through the Kafka Connect REST interface. You can use this approach in the following scenarios:

  • Mounting environment variables with the values a connector uses to connect and communicate with a data source
  • Mounting a properties file with values that are used to configure Kafka Connect connectors
  • Mounting files in a directory that contains values for the TLS truststore and keystore used by a connector
注意

A restart is required when using a new Secret or ConfigMap for a connector, which can disrupt other connectors.

Use the KubernetesSecretConfigProvider to provide configuration properties from a secret or the KubernetesConfigMapConfigProvider to provide configuration properties from a config map.

In this procedure, a config map provides configuration properties for a connector. The properties are specified as key values of the config map. The config map is mounted into the Kafka Connect pod as a volume.

Prerequisites

  • A Kafka cluster is running.
  • The Cluster Operator is running.
  • You have a config map containing the connector configuration.

Example config map with connector properties

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-connector-configuration
data:
  option1: value1
  option2: value2

Procedure

  1. Configure the KafkaConnect resource.

    • Enable the KubernetesConfigMapConfigProvider

    The specification shown here can support loading values from config maps and secrets.

    Example Kafka Connect configuration to use config maps and secrets

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect
  annotations:
    strimzi.io/use-connector-resources: "true"
spec:
  # ...
  config:
    # ...
    config.providers: secrets,configmaps
    1 
    
    config.providers.configmaps.class: io.strimzi.kafka.KubernetesConfigMapConfigProvider
    2 
    
    config.providers.secrets.class: io.strimzi.kafka.KubernetesSecretConfigProvider
    3 
    
  # ...

    1
    The alias for the configuration provider is used to define other configuration parameters. The provider parameters use the alias from config.providers, taking the form config.providers.${alias}.class.
    2
    KubernetesConfigMapConfigProvider provides values from config maps.
    3
    KubernetesSecretConfigProvider provides values from secrets.

  2. Create or update the resource to enable the provider. 

    oc apply -f <kafka_connect_configuration_file>

  3. Create a role that permits access to the values in the external config map.

    Example role to access values from a config map

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: connector-configuration-role
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-connector-configuration"]
  verbs: ["get"]
# ...

    The rule gives the role permission to access the my-connector-configuration config map.

  4. Create a role binding to permit access to the namespace that contains the config map.

    Example role binding to access the namespace that contains the config map

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: connector-configuration-role-binding
subjects:
- kind: ServiceAccount
  name: my-connect-connect
  namespace: my-project
roleRef:
  kind: Role
  name: connector-configuration-role
  apiGroup: rbac.authorization.k8s.io
# ...

    The role binding gives the role permission to access the my-project namespace.

    The service account must be the same one used by the Kafka Connect deployment. The service account name format is <cluster_name>-connect, where <cluster_name> is the name of the KafkaConnect custom resource.

  5. Reference the config map in the connector configuration.

    Example connector configuration referencing the config map

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnector
metadata:
  name: my-connector
  labels:
    strimzi.io/cluster: my-connect
spec:
  # ...
  config:
    option: ${configmaps:my-project/my-connector-configuration:option1}
    # ...
# ...

    The placeholder structure is configmaps:<path_and_file_name>:<property>. KubernetesConfigMapConfigProvider reads and extracts the option1 property value from the external config map.

Use the EnvVarConfigProvider to provide configuration properties as environment variables. Environment variables can contain values from config maps or secrets.

In this procedure, environment variables provide configuration properties for a connector to communicate with Amazon AWS. The connector must be able to read the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The values of the environment variables are derived from a secret mounted into the Kafka Connect pod.

注意

The names of user-defined environment variables cannot start with KAFKA_ or STRIMZI_.

Prerequisites

  • A Kafka cluster is running.
  • The Cluster Operator is running.
  • You have a secret containing the connector configuration.

Example secret with values for environment variables

apiVersion: v1
kind: Secret
metadata:
  name: aws-creds
type: Opaque
data:
  awsAccessKey: QUtJQVhYWFhYWFhYWFhYWFg=
  awsSecretAccessKey: Ylhsd1lYTnpkMjl5WkE=

Procedure

  1. Configure the KafkaConnect resource.

    • Enable the EnvVarConfigProvider
    • Specify the environment variables using the externalConfiguration property.

    Example Kafka Connect configuration to use external environment variables

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect
  annotations:
    strimzi.io/use-connector-resources: "true"
spec:
  # ...
  config:
    # ...
    config.providers: env
    1 
    
    config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
    2 
    
  # ...
  externalConfiguration:
    env:
      - name: AWS_ACCESS_KEY_ID
    3 
    
        valueFrom:
          secretKeyRef:
            name: aws-creds
    4 
    
            key: awsAccessKey
    5 
    
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: aws-creds
            key: awsSecretAccessKey
  # ...

    1
    The alias for the configuration provider is used to define other configuration parameters. The provider parameters use the alias from config.providers, taking the form config.providers.${alias}.class.
    2
    EnvVarConfigProvider provides values from environment variables.
    3
    The environment variable takes a value from the secret.
    4
    The name of the secret containing the environment variable.
    5
    The name of the key stored in the secret.
    注意

    The secretKeyRef property references keys in a secret. If you are using a config map instead of a secret, use the configMapKeyRef property.

  2. Create or update the resource to enable the provider. 

    oc apply -f <kafka_connect_configuration_file>

  3. Reference the environment variable in the connector configuration.

    Example connector configuration referencing the environment variable

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnector
metadata:
  name: my-connector
  labels:
    strimzi.io/cluster: my-connect
spec:
  # ...
  config:
    option: ${env:AWS_ACCESS_KEY_ID}
    option: ${env:AWS_SECRET_ACCESS_KEY}
    # ...
# ...

    The placeholder structure is env:<environment_variable_name>. EnvVarConfigProvider reads and extracts the environment variable values from the mounted secret.

Use the FileConfigProvider to provide configuration properties from a file within a directory. Files can be config maps or secrets.

In this procedure, a file provides configuration properties for a connector. A database name and password are specified as properties of a secret. The secret is mounted to the Kafka Connect pod as a volume. Volumes are mounted on the path /opt/kafka/external-configuration/<volume-name>.

Prerequisites

  • A Kafka cluster is running.
  • The Cluster Operator is running.
  • You have a secret containing the connector configuration.

Example secret with database properties

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  connector.properties: |-
1 

    dbUsername: my-username
2 

    dbPassword: my-password

1
The connector configuration in properties file format.
2
Database username and password properties used in the configuration.

Procedure

  1. Configure the KafkaConnect resource.

    • Enable the FileConfigProvider
    • Specify the file using the externalConfiguration property.

    Example Kafka Connect configuration to use an external property file

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect
spec:
  # ...
  config:
    config.providers: file
    1 
    
    config.providers.file.class: org.apache.kafka.common.config.provider.FileConfigProvider
    2 
    
  #...
  externalConfiguration:
    volumes:
      - name: connector-config
    3 
    
        secret:
          secretName: mysecret
    4

    1
    The alias for the configuration provider is used to define other configuration parameters.
    2
    FileConfigProvider provides values from properties files. The parameter uses the alias from config.providers, taking the form config.providers.${alias}.class.
    3
    The name of the volume containing the secret.
    4
    The name of the secret.

  2. Create or update the resource to enable the provider. 

    oc apply -f <kafka_connect_configuration_file>

  3. Reference the file properties in the connector configuration as placeholders.

    Example connector configuration referencing the file

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnector
metadata:
  name: my-source-connector
  labels:
    strimzi.io/cluster: my-connect-cluster
spec:
  class: io.debezium.connector.mysql.MySqlConnector
  tasksMax: 2
  config:
    database.hostname: 192.168.99.1
    database.port: "3306"
    database.user: "${file:/opt/kafka/external-configuration/connector-config/mysecret:dbUsername}"
    database.password: "${file:/opt/kafka/external-configuration/connector-config/mysecret:dbPassword}"
    database.server.id: "184054"
    #...

    The placeholder structure is file:<path_and_file_name>:<property>. FileConfigProvider reads and extracts the database username and password property values from the mounted secret.

Use the DirectoryConfigProvider to provide configuration properties from multiple files within a directory. Files can be config maps or secrets.

In this procedure, a secret provides the TLS keystore and truststore user credentials for a connector. The credentials are in separate files. The secrets are mounted into the Kafka Connect pod as volumes. Volumes are mounted on the path /opt/kafka/external-configuration/<volume-name>.

Prerequisites

  • A Kafka cluster is running.
  • The Cluster Operator is running.
  • You have a secret containing the user credentials.

Example secret with user credentials

apiVersion: v1
kind: Secret
metadata:
  name: my-user
  labels:
    strimzi.io/kind: KafkaUser
    strimzi.io/cluster: my-cluster
type: Opaque
data:
  ca.crt: <public_key> # Public key of the clients CA
  user.crt: <user_certificate> # Public key of the user
  user.key: <user_private_key> # Private key of the user
  user.p12: <store> # PKCS #12 store for user certificates and keys
  user.password: <password_for_store> # Protects the PKCS #12 store

The my-user secret provides the keystore credentials (user.crt and user.key) for the connector.

The <cluster_name>-cluster-ca-cert secret generated when deploying the Kafka cluster provides the cluster CA certificate as truststore credentials (ca.crt).

Procedure

  1. Configure the KafkaConnect resource.

    • Enable the DirectoryConfigProvider
    • Specify the files using the externalConfiguration property.

    Example Kafka Connect configuration to use external property files

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect
spec:
  # ...
  config:
    config.providers: directory
    1 
    
    config.providers.directory.class: org.apache.kafka.common.config.provider.DirectoryConfigProvider
    2 
    
  #...
  externalConfiguration:
    volumes:
    3 
    
      - name: cluster-ca
    4 
    
        secret:
          secretName: my-cluster-cluster-ca-cert
    5 
    
      - name: my-user
        secret:
          secretName: my-user
    6

    1
    The alias for the configuration provider is used to define other configuration parameters.
    2
    DirectoryConfigProvider provides values from files in a directory. The parameter uses the alias from config.providers, taking the form config.providers.${alias}.class.
    3
    The names of the volumes containing the secrets.
    4
    The name of the secret for the cluster CA certificate to supply truststore configuration.
    5
    The name of the secret for the user to supply keystore configuration.

  2. Create or update the resource to enable the provider. 

    oc apply -f <kafka_connect_configuration_file>

  3. Reference the file properties in the connector configuration as placeholders.

    Example connector configuration referencing the files

    apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnector
metadata:
  name: my-source-connector
  labels:
    strimzi.io/cluster: my-connect-cluster
spec:
  class: io.debezium.connector.mysql.MySqlConnector
  tasksMax: 2
  config:
    # ...
    database.history.producer.security.protocol: SSL
    database.history.producer.ssl.truststore.type: PEM
    database.history.producer.ssl.truststore.certificates: "${directory:/opt/kafka/external-configuration/cluster-ca:ca.crt}"
    database.history.producer.ssl.keystore.type: PEM
    database.history.producer.ssl.keystore.certificate.chain: "${directory:/opt/kafka/external-configuration/my-user:user.crt}"
    database.history.producer.ssl.keystore.key: "${directory:/opt/kafka/external-configuration/my-user:user.key}"
    #...

    The placeholder structure is directory:<path>:<file_name>. DirectoryConfigProvider reads and extracts the credentials from the mounted secrets.

Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

Legal Notice

Theme

© 2026 Red Hat返回顶部