Chart
strimzi-mirrormaker2-instance (current version 2.0.0)
Problem
Strimzi 1.0.0 (kafka.strimzi.io/v1 API) removed type: oauth from KafkaMirrorMaker2 authentication. The only supported OAuth path is now type: custom with SASL OAUTHBEARER (docs §17.4.2). This requires injecting the OAuth client secret as a container environment variable and referencing it in the JAAS config via ${strimzienv:VAR}:
target:
authentication:
type: custom
sasl: true
config:
sasl.mechanism: OAUTHBEARER
sasl.login.callback.handler.class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
sasl.jaas.config: |
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
oauth.token.endpoint.uri="https://..."
oauth.client.id="kafka-mm2"
oauth.client.secret="${strimzienv:OAUTH_CLIENT_SECRET}"
oauth.scope="...";The ${strimzienv:OAUTH_CLIENT_SECRET} reference requires OAUTH_CLIENT_SECRET to be set in the connect container via spec.template.connectContainer.env. The chart does not currently expose this.
Required fix
values.yaml — add connectContainer under template:
template:
pod:
affinity: {}
tolerations: []
topologySpreadConstraints: []
priorityClassName: ""
connectContainer:
env: []templates/mirrormaker2.yaml — add connectContainer block after the existing pod block inside template::
template:
pod:
# ... existing pod block unchanged ...
{{- if .Values.template.connectContainer.env }}
connectContainer:
env:
{{- toYaml .Values.template.connectContainer.env | nindent 8 }}
{{- end }}Usage after fix
template:
connectContainer:
env:
- name: OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: mm2-kafka-oauth
key: client-secretContext
- Strimzi operator
0.45.0, API kafka.strimzi.io/v1
- ArgoCD SSA enforces strict CRD schema validation —
type: oauth and clientId fields are rejected with field not declared in schema
- Without
connectContainer.env, the OAuth client secret cannot be securely provided to the connect container
Chart
strimzi-mirrormaker2-instance(current version 2.0.0)Problem
Strimzi 1.0.0 (
kafka.strimzi.io/v1API) removedtype: oauthfromKafkaMirrorMaker2authentication. The only supported OAuth path is nowtype: customwith SASL OAUTHBEARER (docs §17.4.2). This requires injecting the OAuth client secret as a container environment variable and referencing it in the JAAS config via${strimzienv:VAR}:The
${strimzienv:OAUTH_CLIENT_SECRET}reference requiresOAUTH_CLIENT_SECRETto be set in the connect container viaspec.template.connectContainer.env. The chart does not currently expose this.Required fix
values.yaml— addconnectContainerundertemplate:templates/mirrormaker2.yaml— addconnectContainerblock after the existingpodblock insidetemplate::Usage after fix
Context
0.45.0, APIkafka.strimzi.io/v1type: oauthandclientIdfields are rejected withfield not declared in schemaconnectContainer.env, the OAuth client secret cannot be securely provided to the connect container