contrib/kafka: use secrets for SASL user and password

[danp]

Proposed Changes

Change the Kafka source spec to use SecretValueFromSource for user and
password, similar to the GitHub source.

This means the SASL user and password will no longer be stored in cleartext in the KafkaSource resources.

Based on #289 I did not allow for a graceful transition to this new scheme but happy to add it if needed.

Release Note

KafkaSource User and Password are now references to keys in secrets instead of plaintext values. Existing KafkaSource resources will need to be updated.

[knative-prow-robot]

Hi @danp. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[danp]

Wasn't sure how to nicely regenerate config/300-kafkasource.yaml so I did roughly:

cd contrib/kafka
go run ../../vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all
mv config/crds/sources_v1alpha1_kafkasource.yaml config/300-kafkasource.yaml
# cut out non-relevant changes, add back license header, etc

If there's a better way, please let me know!

[matzew]

Mind adding a section on the readme for this ?

[danp]

Which one were you thinking?

Did realize I need to update contrib/kafka/samples/event-source.yaml, will do that shortly.

[matzew]

yeah, thanks @danp the readme in the samples and the related yamls doc

[matzew]

IMO it would be nice if some of the new secret bits are captured here:

• https://github.com/knative/eventing-sources/tree/810ad72018e4878a20508eb8350a1e8584182f62/contrib/kafka/samples

Also, the docs repo has some high level details on the KafkaSource:

• https://github.com/knative/docs/pull/1099/files

I wonder what's best ... if we move the samples/docs to the docs repo and write some real doc for it, explaining all possible config settings ?

Thoughts ?

@samodell @evankanderson @abrennan89

[danp]

Ok! I did update the sample YAML in 810ad72.

Should we consider further doc changes as part of future PRs? For example, the current sample README doesn't mention SASL at all.

[matzew]

@danp I personally would like to see some more doc here.

I think in the long run we want to have some decent doc for all the sources, including all possible options.

In the long run, I'd like to see all docs mostly in the docs repo, and some short/dev references from here to the docs repo.

Perhaps @samodell from the docs team has some thoughts here too /cc @abrennan89

[matzew]

@danp btw. mind to rebase, when adding the doc ?

there is a conflict here

[matzew]

/ok-to-test

[matzew]

/lgtm

[matzew]

IMO it's good enough to release note that the User and Password are now references to secrets, instead of not so secure plaintext 😂

/cc @grantr

[matzew]

/approve

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danp, matzew

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• contrib/kafka/OWNERS [matzew]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment