Manage Password Encoder Secrets for Confluent Platform Using Confluent for Kubernetes

To encrypt sensitive configuration information, such as passwords for SASL/PLAIN or TLS, you define a password encoder in your custom resource (CR). The feature is used in Confluent for Kubernetes (CFK) for the following use cases:

  • For destination-initiated (default) Kafka Cluster Linking, the destination Kafka cluster needs to set a password encoder secret and use it to encrypt the sensitive authentication and TLS information of the source cluster.

    For source-initiated (default) Kafka Cluster Linking, the source Kafka cluster needs to set a password encoder secret and use it to encrypt the sensitive authentication and TLS information of the destination cluster.

  • For Schema Linking, a password encoder secret needs to be configured in the source Schema Registry cluster.

For details about the password encoder secret, see Kafka Broker Configuration.

To specify a password encoder secret:

  1. Create the password-encoder.txt file with the following content:

    password=<password>
    oldPassword=<old password>
    

    oldPassword is only required for password rotations.

  2. Store the secret for the password encoder, using either a Kubernetes secret or the directory path in the container feature.

    • To use a Kubernetes secret, create a Kubernetes secret using the file created in the previous step:

      The expected key (the file name) is password-encoder.txt.

      For example:

      kubectl create secret generic myencodersecret \
         --from-file=password-encoder.txt=$MY_PATH/password-encoder.txt
      
    • To use the directory path in the container feature, copy the password-encoder.txt file to the container path.

  3. In the Kafka or Schema Registry CR, specify the secret created in the previous step:

    spec:
      passwordEncoder:
        secretRef:                --- [1]
        directoryPathInContainer: --- [2]
    
    • If spec.passwordEncoder is defined, either [1] or [2] is required.

    • [1] The secret for the password encoder.

    • [2] The path in the container where the password-encoder.txt file exists.

      See Provide secrets for Confluent Platform component CR for providing the secret and required annotations when using Vault.

  4. Apply the CR changes using the kubectl apply command.

    The cluster will automatically restart.
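The following Python is an added example, not code from the CFK documentation or project: it renders password-encoder.txt, builds the same Secret object that the kubectl command in step 2 creates (with the expected key password-encoder.txt), produces the CR patch from step 3, and handles a rotation by moving the current password into oldPassword. The secret name myencodersecret and the confluent namespace are assumed values.

```python
import base64
import json
import secrets

SECRET_KEY = "password-encoder.txt"   # the key CFK expects inside the Secret


def render_encoder_file(password, old_password=None):
    """Render password-encoder.txt; oldPassword is only set when rotating."""
    lines = [f"password={password}"]
    if old_password is not None:
        lines.append(f"oldPassword={old_password}")
    return "\n".join(lines) + "\n"


def parse_encoder_file(text):
    """Parse the file back and reject keys or empty values CFK would not accept."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in ("password", "oldPassword") or not value:
            raise ValueError(f"bad line in {SECRET_KEY}: {line!r}")
        entries[key] = value
    if "password" not in entries:
        raise ValueError("password is required")
    return entries


def rotate(current_text, new_password=None):
    """Build the rotation file: the current password becomes oldPassword."""
    current = parse_encoder_file(current_text)["password"]
    new_password = new_password or secrets.token_urlsafe(32)
    return render_encoder_file(new_password, old_password=current)


def secret_manifest(name, namespace, file_text):
    """Same object `kubectl create secret generic ... --from-file=password-encoder.txt=...` builds."""
    parse_encoder_file(file_text)  # fail locally before anything reaches the cluster
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "data": {SECRET_KEY: base64.b64encode(file_text.encode()).decode()}}


def cr_patch(secret_name):
    """Merge patch for the Kafka or SchemaRegistry CR: spec.passwordEncoder.secretRef."""
    return {"spec": {"passwordEncoder": {"secretRef": secret_name}}}


if __name__ == "__main__":  # constructed values; JSON is valid YAML for `kubectl apply -f -`
    first = render_encoder_file(secrets.token_urlsafe(32))
    print(json.dumps(secret_manifest("myencodersecret", "confluent", first), indent=2))
    print(json.dumps(cr_patch("myencodersecret"), indent=2))
    print(rotate(first))  # next Secret update; the cluster then needs a manual restart
```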

Important

You need to manually restart the cluster if the secret ([1]) gets updated later or if the file under directoryPathInContainer ([2]) is changed. For the steps to restart the clusters, see Restart Confluent Platform Using Confluent for Kubernetes.