Kafka Connector / KAFKA-414

External secrets in the connection.uri attribute run into a validation error during connector deployment if config providers are not set at the connect worker level

    • Type: Bug
    • Resolution: Fixed
    • Priority: Unknown
    • 1.13.0
    • Affects Version/s: 1.11.2
    • Component/s: Configuration
    • None
    • Java Drivers

      connection.uri attribute is supposed to be a secret in the mongo sink/source config.

      In kafka connect, secrets are handled through config providers. Config provider attributes can be specified on the connect worker level and/or directly on the specific connector configuration.

      When config providers are defined on the connect worker level, the worker attempts to replace all the external values using the providers. And when the mongo sink/source connector receives the connect config properties from the worker, usually the secrets are already replaced. So the connector does not have to deal with any external secrets in this flow. So far so good.

      But if the config providers are not defined at the worker level but directly on the connector configuration, or for some reason the secret replacement at the worker level didn’t work, then the mongo connector receives the raw unresolved attributes. In that case, connection.uri looks something like “${<provider>:<path>:<key>}”. This causes the connect REST API to respond 400 to the mongo connector deployment request. It throws the following error:

       

      Connector configuration is invalid and contains the following 1 error(s):\nInvalid value ${keyVault:azure-eep-connect-dev-MongoSinkDocument-663137214425cc2520c35f1a:connection.uri} for configuration connection.uri: The connection string is invalid. Connection strings must start with either 'mongodb://' or 'mongodb+srv://\nYou can also find the above list of errors at the endpoint `/connector-plugins/{connectorType}/config/validate` 

       

      How to regenerate the issue:

      We faced this issue when working with Microsoft Azure KeyVault Provider:

      https://www.confluent.io/hub/confluentinc/csid-secrets-provider-azure

       

      Exact steps to reproduce with Azure KeyVault:

      1. Install the key vault secret provider on your connect cluster:
         confluent-hub install --no-prompt confluentinc/csid-secrets-provider-azure:1.0.13
      2. Do not set any config.providers attribute on the connect worker properties
      3. Define and deploy a working mongo sink/source connector without any external secrets
      4. Create an Azure key vault (will require other pre-configuration(s) and knowledge of Azure, e.g. creating a tenant, resource group, etc.)
      5. Create a service principal with a client id/secret pair that has reader access to the key vault (again, will require some knowledge of Azure)
      6. Create a secret in the keyvault named “mongodb-connector-secret” with value
      7. Set the following key vault secret provider attributes on the working mongo sink/source connector config:
         "config.providers": "keyVault",
         "config.providers.keyVault.class": "io.confluent.csid.config.provider.azure.KeyVaultConfigProvider",
         "config.providers.keyVault.param.credential.type": "ClientSecret",
         "config.providers.keyVault.param.vault.url": "<Your keyvault url>",
         "config.providers.keyVault.param.client.secret": "<Your client secret>",
         "config.providers.keyVault.param.client.id": "<Your client id>",
         "config.providers.keyVault.param.tenant.id": "<Your azure tenant id>"
      8. Replace connection.uri attribute with this:
         "connection.uri": "${keyVault:mongodb-connector-secret:connection.uri}"
      9. Redeploy the new config and you will see the mentioned error.

      Generic steps to reproduce with any other config provider:

      1. Do not set any config.providers attribute on the connect worker properties
      2. Only set config provider attributes on the specific connect configuration
      3. Make sure that the validate method of MongoSinkConnector or MongoSourceConnector receives an unresolved connection.uri property, meaning the value looks like ${*}
      4. Deploy the config and you will get the error

       

      Suspected technical reason:

      When unresolved values come to the MongoSinkConnector -> validate method as connectorConfigs, then ‘super.validate(connectorConfigs)’ is invoked. Since the unresolved value is not a valid mongodb connection string, util -> validators -> errorCheckingPasswordValueValidator method adds the following error message to the ConfigValue -> errorMessages object:

      Invalid value ${keyVault:azure-eep-connect-dev-MongoSinkDocument-663137214425cc2520c35f1a:connection.uri} for configuration connection.uri: The connection string is invalid. Connection strings must start with either 'mongodb://' or 'mongodb+srv://

      And this errorMessage causes the following if condition in the ConfigValidator -> validateCanConnect to evaluate to false:

       

      if (optionalConnectionString.isPresent()
         && optionalConnectionString.get().errorMessages().isEmpty())
      

       

      Which causes the server to respond with 400 to the connector deployment request with this error.
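A pre-deployment check for the situation described in this report, added here as an illustration (it is not code from the issue, the connector, or its fix). It classifies `connection.uri` by whether its `${provider:path:key}` placeholder would be resolved by the worker or would reach the connector's validate method unresolved. The function names, the status labels, and the constructed sample config are assumptions; worker properties are assumed to be already parsed into a dict.

```python
import re

# ${provider:[path:]key} placeholder syntax used by Kafka config providers.
PLACEHOLDER = re.compile(r"\$\{([^}]*?):(([^}]*?):)?([^}]*?)\}")
URI_PREFIXES = ("mongodb://", "mongodb+srv://")

# Constructed sample: provider declared only on the connector, as in the report.
SAMPLE_CONNECTOR = {
    "config.providers": "keyVault",
    "connection.uri": "${keyVault:mongodb-connector-secret:connection.uri}",
}


def declared_providers(props):
    """Provider aliases listed under config.providers in a properties dict."""
    raw = props.get("config.providers", "")
    return {alias.strip() for alias in raw.split(",") if alias.strip()}


def check_connection_uri(connector_cfg, worker_props):
    """Classify connection.uri before the config is sent to the Connect REST API.

    Returns (status, detail), where status is one of:
      ok                 - literal value with a mongodb scheme
      invalid            - literal value without a mongodb scheme
      resolved-by-worker - placeholder whose provider the worker declares
      unresolved         - provider declared only on the connector, so the
                           connector's validate() sees the raw ${...} text
      unknown-provider   - placeholder alias declared nowhere
    """
    uri = connector_cfg.get("connection.uri", "").strip()
    match = PLACEHOLDER.fullmatch(uri)
    if match is None:
        if uri.startswith(URI_PREFIXES):
            return ("ok", "literal connection string")
        return ("invalid", "must start with mongodb:// or mongodb+srv://")
    alias = match.group(1)
    if alias in declared_providers(worker_props):
        return ("resolved-by-worker", alias)
    if alias in declared_providers(connector_cfg):
        return ("unresolved", alias)
    return ("unknown-provider", alias)


if __name__ == "__main__":
    # No config.providers on the worker: the case from the reproduction steps.
    print(check_connection_uri(SAMPLE_CONNECTOR, {}))
```
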

            Assignee:
            jagadish.nallapaneni@mongodb.com Jagadish Nallapaneni
            Reporter:
            rasifmahmud16@gmail.com Asif Mahmud