Use Environment variables to hold secrets and use them in Kafka Connect.
Add the plugin to the worker classloader isolation via the plugin.path option:
plugin.path=/usr/share/connectors,/opt/secret-providers
Example Worker Properties:
config.providers=env config.providers.env.class=io.lenses.connect.secrets.providers.ENVSecretProvider config.providers.env.param.file.dir=my-secret-dir
To use this provider in a connector, reference the ENVSecretProvider environment variable providing the value of the connector property.
The indirect reference is in the form ${provider::key} where:
For example, if we store two secrets as environment variables:
we would set:
name=my-sink class=my-class topics=mytopic username=${env::MY_ENV_VAR_USERNAME} password=${env::MY_ENV_VAR_PASSWORD}
This would resolve at runtime to:
name=my-sink class=my-class topics=mytopic username=lenses password=my-secret-password
This provider inspects the value of the environment to determine how to process the value. The value can optionally provider value metadata to support base64 decoding and writing values to files.
To provide metadata the following patterns are expected:
where value is the actual payload and metadata can be one of the following:
if no metadata is found the value of the environment variable is return.
On this page