[Enhancement]: Allow Custom Service Account for MirrorMaker resource #10951
Comments
Strimzi does not support using custom service accounts and currently we do not have any plans for that. If you want, you can pre-create the service account before deploying Mirror Maker 2 or specify custom annotations on it. I'm also not sure if that will help you in any way, because we do not support Azure Managed Identity based authentication anyway.
Thank you for the quick response. When it comes to Managed Identity, I was exploring the option of utilizing a custom login handler class. Wouldn't that be an option?
The authentication is controlled by the Strimzi custom resource. I do not think that currently has any option to pass some custom login handler class. As far as I know, you can connect to Azure Event Hub using SASL PLAIN and the connection string it provides. But I don't think Strimzi will work with their custom authentication.
So, to make sure I understand, what is described here: https://github.com/Azure/azure-event-hubs-for-kafka/blob/master/tutorials/oauth/java/managedidentity/README.md#client-configuration-for-oauth isn't applicable for Strimzi's CRDs? In other words, setting sasl.login.callback.handler.class won't work?
I don't think you can set it, yes. (But maybe I forgot something.)
I see, thank you, I will give it a quick test. Please, are you aware of any previous requests for this capability? Also, just very roughly, what is the technical complexity of enabling this capability from your point of view, considering the underlying Kafka resources allow a custom handler class?
There were some discussions about it and there might be some open issues. But it is not completely simple and has a simple workaround in most cases, such as using another authentication type.
Indeed, I have come across this proposal strimzi/proposals#42 and I understand it stalled. The problem in my case is that SAS Tokens used by Event Hubs are not considered safe enough and there is demand from security to use a passwordless approach with Managed Identity. If you'd consider reopening the proposal, I do have space to get involved.
The proposal is not ours, so not something we can re-open. I guess you would need to work with the original author or simply open a new one. Also, I do not think we have resources to test custom authentication mechanisms like these and IIRC that is also one of the points where that proposal got stuck. So the way to implement support for this is through a custom pluggable authentication. If you are interested in that, you can of course prepare a proposal and contribute an implementation.
Triaged on 9.1.2025: It seems that @MarekLani went a different way with the issue (based on #11002) - as discussed on community call, we are closing this issue. |
Related problem
I am using Mirror Maker on Azure Kubernetes Service to replicate data to Azure Event Hub, and I am trying to enable Azure Managed Identity based authentication. In order to do so I followed these docs: https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster
I got stuck because I am not able to set the custom Service Account required so that the Mirror Maker pod can make use of the Workload Identity.
Suggested solution
Allow the serviceAccountName property to be set inside the Mirror Maker CRD's Pod template
Alternatives
No response
Additional context
No response
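To show what the maintainer's workaround (keep Strimzi's generated service account and annotate it, rather than replace it) looks like next to the AKS workload identity wiring from the linked docs, here is an added example that is not part of this issue or of the Strimzi project. It assumes the annotation and label names used by the AKS workload identity documentation; the client ID, namespace and Event Hubs host are placeholders, and it only binds the pod to the identity: the Kafka client still authenticates with SASL PLAIN and the connection string, since Strimzi does not support Managed Identity based authentication.

```yaml
# Added example, not from the issue or the Strimzi project.
# Strimzi creates the service account "<name>-mirrormaker2" itself; the
# template below decorates it instead of replacing it.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaMirrorMaker2
metadata:
  name: mm2                      # service account becomes "mm2-mirrormaker2"
  namespace: kafka
spec:
  replicas: 1
  connectCluster: "target"
  clusters:
    - alias: "source"
      bootstrapServers: source-kafka-bootstrap:9092
    - alias: "target"
      bootstrapServers: <eventhubs-namespace>.servicebus.windows.net:9093   # placeholder
      tls: {}
      authentication:
        type: plain              # SASL PLAIN + connection string, as noted above
        username: "$ConnectionString"
        passwordSecret:
          secretName: eventhub-connection
          password: connectionString
  mirrors:
    - sourceCluster: "source"
      targetCluster: "target"
      sourceConnector: {}
  template:
    serviceAccount:
      metadata:
        annotations:
          # AKS workload identity (assumed annotation name from the AKS docs).
          # The federated credential on the managed identity must reference
          # subject "system:serviceaccount:kafka:mm2-mirrormaker2".
          azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"  # placeholder
    pod:
      metadata:
        labels:
          # Opts the pod into token injection by the workload identity webhook
          # (assumed label name from the AKS docs).
          azure.workload.identity/use: "true"
```

The identity token the webhook projects into the pod is usable by the Kafka Connect JVM only if a login callback handler consumes it, which is exactly the gap discussed in the comments above.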