Hi, Sorry for the late reply. I think we can avoid adding a new config: interpolate_secrets_into_config_map.
https://github.com/apache/pulsar/pull/20903#issuecomment-1674570878 Thanks, Baodi Shi On Aug 11, 2023 at 00:34:05, Michael Marshall <mmarsh...@apache.org> wrote: > * Should we deprecate the old way of injecting secrets? It wasn't > > widely used, and it does not work in all cases. (See the PIP for the > > old mechanism.) > > > I propose we leave the old way of injecting secrets in place. This > will prevent unnecessary breaking changes. > > I'll add some new docs to make sure users understand what is available > to them for injecting secrets. > > * Should we enable environment variable interpolation by default? It > > carries some risk, but in a Kubernetes environment, that risk is > > limited. > > > Let's leave this disabled by default. We can revisit later if necessary. > > Thanks, > Michael > > On Fri, Jul 28, 2023 at 7:57 PM Michael Marshall <mmarsh...@apache.org> > wrote: > > > Thanks for the question. I tried to find a way that would work using the > existing framework. Specifically, I looked into using the annotation that > is partially implemented in the connector code base. That annotation relies > on the getSecret method. > > > However, I don’t see a way to make this work for wrapped connectors, like > the Kafka Connect Adapter mentioned in the PIP. In that case, the wrapped > connector will have arbitrary secrets that we cannot know at compile time. > As such, I think we need a framework change that gives users arbitrarily > map in secrets at runtime. > > > Thanks, > > Michael > > > On Fri, Jul 28, 2023 at 7:42 PM Neng Lu <nl...@apache.org> wrote: > > > > > > Hi Michael, > > > > > > Thanks for writing the PIP for the connector secret issue. > > > > > > One question I have is why not reusing the `context.getSecret()` method > inside connectors to get sensitive values. > > > > > > In this way, no API/framework changes are needed and all we need to do > is update each connector to get the secret value with `context.getSecret()` > first. If nothing provided, then fall back to the plain text way. > > > > > > What do you think? > > > > > > On 2023/07/28 21:59:57 Michael Marshall wrote: > > > > Hi Pulsar Community, > > > > > > > > This is the discussion thread for PIP > > > > https://github.com/apache/pulsar/pull/20903. > > > > > > > > This PIP will help improve Pulsar Connector Security by giving users > > > > the ability to remove all plaintext secrets from their configurations. > > > > > > > > Thanks, > > > > Michael > > > > > >
