Credentials

Credentials are used by Backups and Restores to authenticate with Storages and EventHubs. They refer to sensitive information such as usernames, passwords, and access keys, stored inside Kubernetes Secrets.

Credentials can be managed using the kubectl command line tool, and are available by the name creds or credentials. Example:

$ kubectl get creds
NAME       AGE
my-creds   1s

Kannika Armory supports many different authentication methods for various external systems.

The supported types of Credentials are:

Credentials can be used on a Backup by referencing them in the .spec.sourceCredentialsFrom and .spec.sinkCredentialsFrom fields.

Here is an example of a Backup using Credentials:

apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup
spec:
  source: kafka # References an EventHub
  sourceCredentialsFrom:
    credentialsRef:
      name: kafka-creds # References a Credentials
  sink: s3-storage # References a Storage
  sinkCredentialsFrom:
    credentialsRef:
      name: aws-creds # References a Credentials

In this example:

  • A Backup named backup is defined, indicated by the .metadata.name field.

  • The Backup will back up data from an EventHub named kafka, specified by the .spec.source field.

  • The Backup references Credentials named kafka-creds for the source EventHub, specified by the .spec.sourceCredentialsFrom.credentialsRef.name field. It will be used to authenticate to the kafka EventHub.

  • The Backup will back up data to a Storage sink named s3-storage, specified by the .spec.sink field.

  • The Backup references Credentials named aws-creds, specified by the .spec.sinkCredentialsFrom.credentialsRef.name field. It will be used to authenticate to the s3-storage Storage sink.

Credentials can be used on a Restore by referencing them in the .spec.sourceCredentialsFrom and .spec.sinkCredentialsFrom fields.

Here is an example of a Restore using Credentials:

apiVersion: kannika.io/v1alpha
kind: Restore
metadata:
  name: restore
spec:
  source: s3-storage # References a Storage
  sourceCredentialsFrom:
    credentialsRef:
      name: aws-creds # References a Credentials
  sink: kafka # References an EventHub
  sinkCredentialsFrom:
    credentialsRef:
      name: kafka-creds # References a Credentials
  config: {}

In this example:

  • A Restore named restore is defined, indicated by the .metadata.name field.

  • The Restore will restore data from a Storage source named s3-storage, specified by the .spec.source field.

  • The Restore references Credentials named aws-creds, specified by the .spec.sourceCredentialsFrom.credentialsRef.name field. This will be used to authenticate to the s3-storage Storage source.

  • The Restore will restore data to an EventHub sink named kafka, specified by the .spec.sink field.

  • The Restore references Credentials named kafka-creds, specified by the .spec.sinkCredentialsFrom.credentialsRef.name field. This will be used to authenticate to the kafka EventHub sink.

Authenticating to EventHubs is also handled by Credentials. Here is an example of how to use the SASL/SCRAM authentication scheme with a Kafka cluster.

# Define the Kafka EventHub
apiVersion: kannika.io/v1alpha
kind: EventHub
metadata:
  name: my-kafka-cluster
spec:
  kafka:
    properties:
      bootstrap.servers: "broker:9092"
---
# Create a Secret with the username and password
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kafka-sasl-creds
data:
  username: RWFzdGVyQnVubnk=
  password: WW9sbw==
---
# Create the Credentials
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-scram-creds
spec:
  sasl:
    mechanism: SCRAM-SHA-256 # 'PLAIN', 'SCRAM-SHA-512' also supported
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds # References the Secret above
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds # References the Secret above
        key: password
---
# Define a Backup that uses our new Credentials to authenticate to Kafka
apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup-example
spec:
  source: "my-kafka-cluster" # References the EventHub above
  sourceCredentialsFrom:
    credentialsRef:
      name: "kafka-sasl-scram-creds" # References the Credentials above
  sink: <Some sink>
  streams:
    - topic: "some-topic"

For more information, see the EventHub section.

Authenticating to Storage is also handled by Credentials.

Here is an example of how to use the AWS authentication scheme with an S3 bucket.

# Define the storage
apiVersion: kannika.io/v1alpha
kind: Storage
metadata:
  name: s3-storage
spec:
  s3:
    bucket: my-bucket
    region: us-west-2
    prefix: /backups
---
# Create a Secret with the AWS credentials
apiVersion: v1
data:
  accessKeyId: dGhla2V5aWQ= # thekeyid
  secretAccessKey: dGhlU2VjcmV0S2V5 # theSecretKey
kind: Secret
type: Opaque
metadata:
  name: aws-creds
---
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: aws-creds
spec:
  aws:
    accessKeyIdFrom:
      secretKeyRef:
        name: aws-creds # References the Secret above
        key: accessKeyId
    secretAccessKeyFrom:
      secretKeyRef:
        name: aws-creds # References the Secret above
        key: secretAccessKey
---
# Define a Backup that uses our new Credentials to authenticate to S3
apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup-example
spec:
  source: <Some source>
  sink: "s3-storage" # References the Storage above
  sinkCredentialsFrom:
    credentialsRef:
      name: "aws-creds" # References the Credentials above
  streams:
    - topic: "some-topic"
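
A pre-apply check for the reference chain used in the examples above (Backup or Restore -> Credentials -> Secret key), given here as an added example that is not part of the Kannika documentation. It assumes all resources live in one namespace and that the input has the shape of a `kubectl get ... -o json` list; the sample input and the helper names `find_refs` and `lint` are constructed for illustration.

```python
import json

# Constructed sample (not real cluster output), trimmed to the fields the check
# reads. Two deliberate faults: passwordFrom points at key "passwd", and the
# Backup's sink references Credentials "aws-creds", which is not in the list.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Secret", "metadata": {"name": "kafka-sasl-creds"},
  "data": {"username": "RWFzdGVyQnVubnk=", "password": "WW9sbw=="}},
 {"kind": "Credentials", "metadata": {"name": "kafka-sasl-scram-creds"},
  "spec": {"sasl": {"mechanism": "SCRAM-SHA-256",
   "usernameFrom": {"secretKeyRef": {"name": "kafka-sasl-creds", "key": "username"}},
   "passwordFrom": {"secretKeyRef": {"name": "kafka-sasl-creds", "key": "passwd"}}}}},
 {"kind": "Backup", "metadata": {"name": "backup-example"},
  "spec": {"source": "my-kafka-cluster", "sink": "s3-storage",
   "sourceCredentialsFrom": {"credentialsRef": {"name": "kafka-sasl-scram-creds"}},
   "sinkCredentialsFrom": {"credentialsRef": {"name": "aws-creds"}}}}
]}
""")


def find_refs(node, ref_kind):
    """Yield every dict stored under the key ref_kind, at any depth."""
    if isinstance(node, dict):
        if isinstance(node.get(ref_kind), dict):
            yield node[ref_kind]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from find_refs(child, ref_kind)


def lint(items):
    """Return one message per reference that does not resolve (same namespace assumed)."""
    secrets = {i["metadata"]["name"]: i.get("data", {}) for i in items if i["kind"] == "Secret"}
    creds = {i["metadata"]["name"] for i in items if i["kind"] == "Credentials"}
    problems = []
    for item in items:
        who = f"{item['kind']}/{item['metadata']['name']}"
        if item["kind"] == "Credentials":  # every secretKeyRef needs Secret + key
            for ref in find_refs(item.get("spec"), "secretKeyRef"):
                if ref.get("key") not in secrets.get(ref.get("name"), {}):
                    problems.append(f"{who}: no key '{ref.get('key')}' in Secret '{ref.get('name')}'")
        elif item["kind"] in ("Backup", "Restore"):  # every credentialsRef needs a Credentials
            for ref in find_refs(item.get("spec"), "credentialsRef"):
                if ref.get("name") not in creds:
                    problems.append(f"{who}: no Credentials named '{ref.get('name')}'")
    return problems
```

An empty list from `lint` means every `credentialsRef` and `secretKeyRef` in the input resolves.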

It is possible to add a description for each type of Credentials resource. This can be useful to document the purpose of the credentials.

To add a description, set the .spec.sasl.description field:

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: kafka-sasl-creds-description
spec:
  sasl:
    description: "Read-only user" # Add a description here
    mechanism: PLAIN
    usernameFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: username
    passwordFrom:
      secretKeyRef:
        name: kafka-sasl-creds
        key: password