How to manage client connections¶
Relations to new applications are supported via the
“
Via the kafka_client charm relation interface¶
If the charm supports the kafka_client relation interface, just create an integration between the two charms:
juju integrate kafka-k8s application
To remove a relation:
juju remove-relation kafka-k8s application
Non-charmed applications and external clients¶
The kafka_client interface is used with the data-integrator charm. This charm automatically creates and manages product credentials needed to authenticate with different kinds of data platform charmed products:
Deploy the Data Integrator charm with the desired topic-name and user roles:
juju deploy data-integrator
juju config data-integrator topic-name=test-topic extra-user-roles=producer,consumer
Integrate the two applications with:
juju integrate data-integrator kafka-k8s
To retrieve information, enter:
juju run data-integrator/leader get-credentials
This should output something like:
kafka:
consumer-group-prefix: relation-8-
data: '{"resource": "test-topic", "salt": "w3goGsGhdyROwoaP", "extra-user-roles":
"producer,consumer", "provided-secrets": ["mtls-cert"], "requested-secrets": ["username",
"password", "tls", "tls-ca", "uris", "read-only-uris"]}'
endpoints: kafka-k8s-0.kafka-k8s-endpoints:9092,kafka-k8s-1.kafka-k8s-endpoints:9092,kafka-k8s-2.kafka-k8s-endpoints:9092
password: fm2E0oBidzcnpav1WSNfJXKn0vtgn44G
resource: test-topic
salt: HoczwpSOmsBqKpf6
tls: disabled
topic: test-topic
username: relation-8
version: v0
ok: "True"
Password rotation¶
Password rotation can be performed in multiple ways, depending on the requirements.
External clients¶
There are two ways to rotate credentials of an external client. One is simply to delete and re-create the relation, the other one can be performed without any downtime.
With client application downtime¶
The easiest way to rotate user credentials of client applications is by removing and then re-relating
the application (either a charm supporting the kafka-client interface or a data-integrator) with the kafka-k8s charm:
juju remove-relation kafka-k8s <charm-or-data-integrator>
# wait for the relation to be torn down
juju integrate kafka-k8s <charm-or-data-integrator>
The successful credential rotation can be confirmed by retrieving the new password with the action get-credentials.
Without client application downtime¶
In some use-cases credentials should be rotated with no or limited application downtime. If credentials should be rotated with no or limited downtime, you can deploy a new charm with the same permissions and resource definition, for example:
juju deploy data-integrator rotated-user \
--config topic-name=test-topic \
--config extra-user-roles=producer,consumer
The data-integrator charm can then be integrated to the kafka-k8s charm to create a new user:
juju integrate kafka-k8s rotated-user
At this point, we effectively have two overlapping users, so that applications can swap the password from one to another. If the applications consist of fleets of independent producers and consumers, user credentials can be rotated progressively across fleets, such that no effective downtime is achieved.
Once all applications have rotated their credentials, it is then safe to remove data first data-integrator charm
juju remove-application data-integrator