Hi, as far as I can tell, the way to provide a keystore/truststore password to the kafka ingress/egress config is to put it in plaintext in module.yaml, like so:
kind: io.statefun.kafka.v1/ingressspec: #(...) properties: - ssl.truststore.password: changeme This isn't ideal and I think it would be neater to be able to replace a placeholder with something from the parameter tool / global config kind: io.statefun.kafka.v1/ingressspec: #(...) properties: - ssl.truststore.password: ${SSL_TRUSTSTORE_PASS} Similarly, we need to get our hands on a kerberos keytab location inside module.yaml. This is not a problem when the location is static and available to all cluster nodes, but when yarn gets involved, it's only the yarn client (?) that has the keytab file in a static location. As far as I can tell, task manager nodes get a 'resolved' and node/container-specific location, something along the lines of "/JBOD_D01/yarn/application_12345667_0001", which is different for every node. I think I could get my hands on that location from the global config, seeing as YarnTaskExecutorRunner sets '-Dsecurity.kerberos.login.keytab=/container/specific/path/here' To achieve all of this, we could alter RemoteModule#bindComponent to replace instances of ${PLACEHOLDERs} with values from the global config using regex. Please let me know what you think Fil