Description
This article provides the steps to secure the JVM config value -Djavax.net.ssl.trustStorePassword when it is set using spec.configOverrides.jvm in any Confluent Platform component deployed with Confluent for Kubernetes.
Applies To
Confluent for Kubernetes 2.x
CFK
Cause
In some situations it is necessary to pass the truststore at the JVM level, for example when configuring Control Center for encryption and authentication using LDAP over SSL (LDAPS). This requires specifying the -Djavax.net.ssl.trustStorePassword config in the Control Center custom resource file under spec.configOverrides.jvm, as shown below. However, this approach stores the password in plaintext in the custom resource:
  configOverrides:
    jvm:
      - -Djavax.net.ssl.trustStore=/mnt/secrets/ldaps-tls/truststore.jks
      - -Djavax.net.ssl.trustStorePassword=<changeit>
Resolution
- Create a secret with a key whose value is the whole JVM parameter, e.g. -Djavax.net.ssl.trustStorePassword=<changeit>:
  kubectl create secret generic test-secret -n confluent --from-literal=jvmtruststorepass=-Djavax.net.ssl.trustStorePassword=<changeit>
- In the Confluent Platform component custom resource file, use envVars inside the podTemplate section to set CONTROL_CENTER_OPTS or KAFKA_OPTS, depending on the component, and keep only the truststore path under configOverrides.jvm:
  spec:
    podTemplate:
      envVars:
        - name: CONTROL_CENTER_OPTS
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: jvmtruststorepass
    ...
    configOverrides:
      jvm:
        - -Djavax.net.ssl.trustStore=/mnt/secrets/ldaps-tls/truststore.jks
- Apply the changes:
  kubectl apply -f <custom_resource_file.yaml>
- Exec into the pod, e.g.
  kubectl exec -n confluent -it controlcenter-0 -- bash
  and run the following command to confirm the JVM truststore password is loaded:
  ps -ef | grep trustStorePassword
  The full flag, password included, is visible in the Java process arguments; this procedure removes it from the custom resource manifest, not from the running process.
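The migration described in the steps above, as an added example that is not part of the original article or of Confluent for Kubernetes: it takes a component custom resource as a dict, moves the plaintext -Djavax.net.ssl.trustStorePassword flag into a Secret, and wires the matching OPTS environment variable via secretKeyRef. The ControlCenter-to-CONTROL_CENTER_OPTS mapping (other kinds get KAFKA_OPTS) and the sample CR are assumptions; output is JSON, which kubectl apply accepts as YAML.

```python
import copy
import json

# Assumption from the article: ControlCenter reads CONTROL_CENTER_OPTS, other components KAFKA_OPTS.
OPTS_ENV_BY_KIND = {"ControlCenter": "CONTROL_CENTER_OPTS"}
PASSWORD_OPT = "-Djavax.net.ssl.trustStorePassword="


def secure_truststore_password(cr, secret_name="test-secret", key="jvmtruststorepass"):
    """Return (patched_cr, secret). secret is None when the CR has no plaintext flag."""
    cr = copy.deepcopy(cr)  # never mutate the caller's manifest
    jvm = cr.get("spec", {}).get("configOverrides", {}).get("jvm", [])
    flags = [f for f in jvm if f.startswith(PASSWORD_OPT)]
    if not flags:
        return cr, None
    # Keep every other JVM override (e.g. the -Djavax.net.ssl.trustStore path) in place.
    cr["spec"]["configOverrides"]["jvm"] = [f for f in jvm if f not in flags]
    secret = {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": secret_name, "namespace": cr["metadata"]["namespace"]},
        # stringData holds the whole "-D...=value" flag; no base64 step needed.
        "stringData": {key: flags[0]},
    }
    env_name = OPTS_ENV_BY_KIND.get(cr.get("kind"), "KAFKA_OPTS")
    env_vars = cr["spec"].setdefault("podTemplate", {}).setdefault("envVars", [])
    if any(e.get("name") == env_name for e in env_vars):
        # Refuse to silently overwrite JVM options the operator already set.
        raise ValueError(f"{env_name} already defined in podTemplate.envVars; merge manually")
    env_vars.append({"name": env_name,
                     "valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}}})
    return cr, secret


# Constructed sample mirroring the article's Control Center CR (not a real deployment).
SAMPLE_CR = {
    "apiVersion": "platform.confluent.io/v1beta1", "kind": "ControlCenter",
    "metadata": {"name": "controlcenter", "namespace": "confluent"},
    "spec": {"configOverrides": {"jvm": [
        "-Djavax.net.ssl.trustStore=/mnt/secrets/ldaps-tls/truststore.jks",
        "-Djavax.net.ssl.trustStorePassword=changeit"]}},
}

if __name__ == "__main__":
    patched, secret = secure_truststore_password(SAMPLE_CR)
    # Apply the Secret first, then the patched CR: kubectl apply -f <file>.json
    print(json.dumps(secret, indent=2))
    print(json.dumps(patched, indent=2))
```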