Support alternative mechanisms for injecting KMS secrets #8
Open
Description
Using the existing JSON format for defining a KMS, we embed the secrets in the config file.
```json
[
  {
    "name" : "vault",
    "type" : "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
    "uri" : "http://127.0.0.1:8200/v1/secret/data",
    "credential" : "secretgoeshere"
  }
]
```
It may be preferable in a Kubernetes env to inject secrets as files or environment variables, so we can use k8s secret management and be able to refer to them from the config.
Kroxylicious could support something like macro replacement, expanding `"credential" : "${env:SECRET_NAME}"` or `"credential" : "${file:/path/to/secret}"` and re-writing the JSON blob before handing it to the encryption module.
Or we could support a different format and aim to upstream it into the encryption module like:
```json
[
  {
    "name" : "vault",
    "type" : "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
    "uri" : "http://127.0.0.1:8200/v1/secret/data",
    "credentialFile" : "/path/to/vault/secret"
  }
]
```
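A sketch of the macro-replacement approach described above, added here as an example; it is not Kroxylicious code or the encryption module's. It expands `${env:NAME}` and `${file:/path}` placeholders in the parsed JSON and rewrites the blob as it would be handed to the encryption module; the sample config, the `VAULT_TOKEN` variable and the temporary secret file are constructed for the demo.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Placeholder syntax from the proposal above: ${env:NAME} or ${file:/path/to/secret}
PLACEHOLDER = re.compile(r"\$\{(env|file):([^}]+)\}")

def resolve(scheme: str, ref: str) -> str:
    """Fetch one secret from the environment or a mounted file (e.g. a k8s Secret volume)."""
    if scheme == "env":
        if ref not in os.environ:  # fail loudly rather than hand an empty credential to the KMS
            raise KeyError(f"environment variable {ref!r} is not set")
        return os.environ[ref]
    path = Path(ref)
    if not path.is_file():
        raise FileNotFoundError(f"secret file {ref!r} does not exist")
    # Strip the trailing newline that editors and `kubectl create secret --from-file` often add.
    return path.read_text(encoding="utf-8").rstrip("\r\n")

def expand_secrets(node):
    """Walk the parsed JSON and expand placeholders in every string value (keys are untouched)."""
    if isinstance(node, dict):
        return {k: expand_secrets(v) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_secrets(v) for v in node]
    if isinstance(node, str):
        return PLACEHOLDER.sub(lambda m: resolve(m.group(1), m.group(2)), node)
    return node

def rewrite_kms_config(raw_json: str) -> str:
    """Rewrite the KMS config blob so the encryption module receives literal credentials."""
    return json.dumps(expand_secrets(json.loads(raw_json)))

# Constructed sample in the issue's format; the credential values are placeholders, not literals.
SAMPLE_CONFIG = """[
  {"name": "vault", "type": "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
   "uri": "http://127.0.0.1:8200/v1/secret/data", "credential": "${file:%s}"},
  {"name": "vault-env", "type": "io.strimzi.kafka.topicenc.kms.vault.VaultKmsFactory",
   "uri": "http://127.0.0.1:8200/v1/secret/data", "credential": "${env:VAULT_TOKEN}"}
]"""

def demo() -> list:
    """Run the rewrite against constructed inputs: a temporary secret file and an env var."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "vault-token")
        Path(secret_path).write_text("file-token-123\n", encoding="utf-8")
        os.environ["VAULT_TOKEN"] = "env-token-456"
        return json.loads(rewrite_kms_config(SAMPLE_CONFIG % secret_path))
```

A missing variable or file raises instead of passing an empty credential through, so a misconfigured pod fails at startup rather than at the first KMS call.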