Credentials
Credentials are used by Backups and Restores to authenticate with Storages and EventHubs. They refer to sensitive information such as usernames, passwords, and access keys, stored inside Kubernetes Secrets.
Usage
Credentials can be managed using the kubectl command line tool,
and are available by the name creds or credentials.
Example:
$ kubectl get creds
NAME       AGE
my-creds   1s

Supported Credentials
Kannika Armory supports many different authentication methods for various external systems.
The supported types of Credentials are:
Using Credentials in a Backup
Credentials can be used on a Backup by referencing them in the .spec.sinkCredentialsFrom and .spec.sourceCredentialsFrom fields.
Here is an example of a Backup using Credentials:
apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup
spec:
  source: kafka # References an EventHub
  sourceCredentialsFrom:
    credentialsRef:
      name: kafka-creds # References a Credentials

  sink: s3-storage # References a Storage
  sinkCredentialsFrom:
    credentialsRef:
      name: aws-creds # References a Credentials

In this example:
- A Backup named backup is defined, indicated by the .metadata.name field.
- The Backup will back up data from an EventHub named kafka, specified by the .spec.source field.
- The Backup references Credentials named kafka-creds for the source EventHub, specified by the .spec.sourceCredentialsFrom.credentialsRef.name field. It will be used to authenticate to the kafka EventHub.
- The Backup will back up data to a Storage sink named s3-storage, specified by the .spec.sink field.
- The Backup references Credentials named aws-creds, specified by the .spec.sinkCredentialsFrom.credentialsRef.name field. It will be used to authenticate to the s3-storage Storage sink.

Using Credentials in a Restore
Credentials can be used on a Restore by referencing them in the .spec.sourceCredentialsFrom and .spec.sinkCredentialsFrom fields.
Here is an example of a Restore using Credentials:
apiVersion: kannika.io/v1alpha
kind: Restore
metadata:
  name: restore
spec:
  source: s3-storage # References a Storage
  sourceCredentialsFrom:
    credentialsRef:
      name: aws-creds # References a Credentials

  sink: kafka # References an EventHub
  sinkCredentialsFrom:
    credentialsRef:
      name: kafka-creds # References a Credentials

  config: {}

In this example:
- A Restore named restore is defined, indicated by the .metadata.name field.
- The Restore will restore data from a Storage source named s3-storage, specified by the .spec.source field.
- The Restore references Credentials named aws-creds, specified by the .spec.sourceCredentialsFrom.credentialsRef.name field. This will be used to authenticate to the s3-storage Storage source.
- The Restore will restore data to an EventHub sink named kafka, specified by the .spec.sink field.
- The Restore references Credentials named kafka-creds, specified by the .spec.sinkCredentialsFrom.credentialsRef.name field. This will be used to authenticate to the kafka EventHub sink.

Using Credentials with an EventHub
Authenticating to EventHubs is also handled by Credentials. Here is an example of how to use the SASL/SCRAM authentication scheme with a Kafka cluster.
# Define the Kafka EventHub
apiVersion: kannika.io/v1alpha
kind: EventHub
metadata:
  name: my-kafka-cluster
spec:
  kafka:
    properties:
      bootstrap.servers: "broker:9092"
---
# Create a Secret with the username and password
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kafka-sasl-creds
data:
  username: RWFzdGVyQnVubnk=
  password: WW9sbw==
---
# Create the Credentials
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-scram-creds
spec:
  sasl:
    mechanism: SCRAM-SHA-256 # 'PLAIN', 'SCRAM-SHA-512' also supported
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds # References the Secret above
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds # References the Secret above
        key: password
---
# Define a Backup that uses our new Credentials to authenticate to Kafka
apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup-example
spec:
  source: "my-kafka-cluster" # References the EventHub above
  sourceCredentialsFrom:
    credentialsRef:
      name: "kafka-sasl-scram-creds" # References the Credentials above
  sink: <Some sink>
  streams:
    - topic: "some-topic"

For more information, see the EventHub section.
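An added example (not from the Kannika documentation or code base) that checks the reference chain used above, Backup → Credentials → Secret key, before the manifests are applied. The function name find_broken_refs and the dict form of the manifests are assumptions made for illustration; the check walks any credential type block under .spec (sasl, aws), not only SASL, and also confirms that each referenced Secret value is valid base64, which is how Kubernetes encodes Secret data.

```python
import base64
import binascii

# Constructed manifests, already parsed into dicts, mirroring the SASL example above.
MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "kafka-sasl-creds"},
     "data": {"username": "RWFzdGVyQnVubnk=", "password": "WW9sbw=="}},
    {"kind": "Credentials", "metadata": {"name": "kafka-sasl-scram-creds"},
     "spec": {"sasl": {
         "mechanism": "SCRAM-SHA-256",
         "usernameFrom": {"secretKeyRef": {"name": "kafka-sasl-creds", "key": "username"}},
         "passwordFrom": {"secretKeyRef": {"name": "kafka-sasl-creds", "key": "password"}}}}},
    {"kind": "Backup", "metadata": {"name": "backup-example"},
     "spec": {"source": "my-kafka-cluster",
              "sourceCredentialsFrom": {"credentialsRef": {"name": "kafka-sasl-scram-creds"}}}},
]

def find_broken_refs(manifests):
    """Return problems found in the Backup/Restore -> Credentials -> Secret chain."""
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    creds, secrets = by_kind.get("Credentials", {}), by_kind.get("Secret", {})
    problems = []
    for kind in ("Backup", "Restore"):  # step 1: Backup/Restore -> Credentials
        for name, obj in by_kind.get(kind, {}).items():
            for field in ("sourceCredentialsFrom", "sinkCredentialsFrom"):
                ref = obj["spec"].get(field, {}).get("credentialsRef", {}).get("name")
                if ref and ref not in creds:
                    problems.append(f"{kind}/{name}: {field} -> missing Credentials/{ref}")
    for name, obj in creds.items():  # step 2: Credentials -> Secret key
        for ctype, block in obj["spec"].items():  # e.g. 'sasl' or 'aws'
            for field, value in block.items():
                if not isinstance(value, dict) or "secretKeyRef" not in value:
                    continue  # plain settings such as 'mechanism' or 'description'
                ref = value["secretKeyRef"]
                data = secrets.get(ref["name"], {}).get("data")
                where = f"Credentials/{name}: {ctype}.{field}"
                if data is None:
                    problems.append(f"{where} -> Secret/{ref['name']} not found or has no data")
                elif ref["key"] not in data:
                    problems.append(f"{where} -> Secret/{ref['name']} has no key '{ref['key']}'")
                else:
                    try:
                        base64.b64decode(data[ref["key"]], validate=True)
                    except binascii.Error:
                        problems.append(f"{where} -> value is not valid base64")
    return problems
```

An empty list means every reference resolves; each entry otherwise names the resource and field whose reference is broken.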
Using Credentials with Storage
Authenticating to Storage is also handled by Credentials.
Here is an example of how to use the AWS authentication scheme with an S3 bucket.
# Define the storage
apiVersion: kannika.io/v1alpha
kind: Storage
metadata:
  name: s3-storage
spec:
  s3:
    bucket: my-bucket
    region: us-west-2
    prefix: /backups
---
# Create a Secret with the AWS credentials
apiVersion: v1
data:
  accessKeyId: dGhla2V5aWQ= # thekeyid
  secretAccessKey: dGhlU2VjcmV0S2V5 # theSecretKey
kind: Secret
type: Opaque
metadata:
  name: aws-creds
---
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: aws-creds
spec:
  aws:
    accessKeyIdFrom:
      secretKeyRef:
        name: aws-creds # References the Secret above
        key: accessKeyId
    secretAccessKeyFrom:
      secretKeyRef:
        name: aws-creds # References the Secret above
        key: secretAccessKey
---
# Define a Backup that uses our new Credentials to authenticate to S3
apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup-example
spec:
  source: <Some source>
  sink: "s3-storage" # References the Storage above
  sinkCredentialsFrom:
    credentialsRef:
      name: "aws-creds" # References the Credentials above
  streams:
    - topic: "some-topic"

Configuring a description
It is possible to add a description for each type of Credentials resource. This can be useful to document the purpose of the credentials.
To add a description,
set the .spec.sasl.description field:
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-creds-description
spec:
  sasl:
    description: "Read-only user" # Add a description here
    mechanism: PLAIN
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password