Is your feature request related to a problem? Please describe.
Currently, the Kafka URL used to configure the EventBus in Argo Events must be defined directly in the EventBus YAML manifest. This effectively requires hardcoding infrastructure-specific connection details into the Kubernetes resource definition.
In many real-world environments, connection details such as Kafka URLs are centrally managed via Kubernetes Secrets and are often synchronized from external secret management systems (e.g. Vault or External Secrets operators). Hardcoding these values in manifests leads to several issues:
- Duplication of configuration values across multiple manifests
- Increased risk of misconfiguration
- Reduced flexibility when rotating or changing connection details
- Inconsistency with established best practices for secret management in Kubernetes
As a result, managing Kafka connection details for Argo Events does not integrate well into existing secret management workflows - especially considering that parts of the TLS configuration already require references to Kubernetes Secrets.
Describe the solution you'd like
I would like Argo Events to support referencing a Kubernetes Secret for the Kafka URL (and maybe also topic name and user) in the EventBus configuration, using semantics similar to valueFrom.secretKeyRef known from Kubernetes environment variables.
This mechanism should exist alongside the current approach of specifying the Kafka URL directly, ensuring backward compatibility while providing additional flexibility. To support this, a validation or startup check should ensure that either a secret reference or a hardcoded URL is defined, but not both (or that precedence is clearly defined).
Describe alternatives you've considered
The following alternatives were considered, but all have notable drawbacks:
- Hardcoding the Kafka URL in YAML
This is the current approach, but it conflicts with secret management best practices and increases operational overhead.
- Using templating tools (e.g. Helm, Kustomize)
While templating can inject values at deploy time, the Kafka URL is still managed outside of Kubernetes-native Secret references and deployments become more complex.
- Manually syncing Secrets into EventBus manifests
This requires additional custom logic and tooling, which is error-prone and difficult to scale across environments.
None of these alternatives provide a clean, native, and secure way to integrate with standard Kubernetes Secret workflows.
Additional context
Supporting Secret references for the Kafka URL would align Argo Events more closely with established Kubernetes conventions and common enterprise practices. Similar patterns are already widely adopted across the Kubernetes ecosystem (e.g. Deployments, Pods, and controllers supporting Secret and ConfigMap references).
This feature would be especially valuable in environments where secrets are centrally managed and automatically rotated, as it would allow Argo Events to consume updated connection details without requiring changes to EventBus manifests.
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
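
The "either a secret reference or a hardcoded URL, but not both" check requested above, as an added Go sketch that is not part of the original issue and is not Argo Events code. The type names, field names and error values are hypothetical, and the in-memory map is a constructed stand-in for a namespaced Kubernetes Secret lookup.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretKeyRef mirrors the name/key shape of secretKeyRef (hypothetical local type).
type SecretKeyRef struct{ Name, Key string }

// KafkaURLSource is a hypothetical config shape: a literal URL or a Secret reference.
type KafkaURLSource struct {
	URL       string
	SecretRef *SecretKeyRef
}

var ErrBothSet = errors.New("kafka url: set either url or secretKeyRef, not both")
var ErrNoneSet = errors.New("kafka url: one of url or secretKeyRef is required")

// Validate enforces the "exactly one source" rule; it rejects ambiguity instead of picking a precedence.
func (s KafkaURLSource) Validate() error {
	switch hasRef := s.SecretRef != nil; {
	case s.URL != "" && hasRef:
		return ErrBothSet
	case s.URL == "" && !hasRef:
		return ErrNoneSet
	case hasRef && (s.SecretRef.Name == "" || s.SecretRef.Key == ""):
		return errors.New("kafka url: secretKeyRef needs both name and key")
	}
	return nil
}

// Resolve returns the effective URL and fails closed when the Secret or key is missing or empty.
func (s KafkaURLSource) Resolve(secrets map[string]map[string]string) (string, error) {
	if err := s.Validate(); err != nil {
		return "", err
	}
	if s.SecretRef == nil {
		return s.URL, nil // backward-compatible literal path
	}
	v, ok := secrets[s.SecretRef.Name][s.SecretRef.Key]
	if !ok || v == "" {
		return "", fmt.Errorf("kafka url: secret %q has no key %q", s.SecretRef.Name, s.SecretRef.Key)
	}
	return v, nil
}

func main() {
	secrets := map[string]map[string]string{"kafka-conn": {"url": "broker-0.example.internal:9093"}} // constructed
	fmt.Println(KafkaURLSource{SecretRef: &SecretKeyRef{"kafka-conn", "url"}}.Resolve(secrets))
}
```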