KMS Support for CSFLE in Message Viewer

[MSeal]

Users

• Development manager tasked with ensuring a team is successful in using streaming data
• Developer on a team tasked with building new features using streaming data
• Developer at an org who manages a streaming platform while building new features that use streaming data
• Developer tasked with building pipelines for use in business analytics
• Other: [User type] tasked with [primary goal in the realm of streaming data]

Problems

1. When a message is client side encrypted the Topic Message Viewer in VS Code can't decode the contents

Solutions

1. Adding the ability to register a KMS key or use a managed key automatically would enable the sidecar to decrypt messages.

Goals

1. Be able to view KMS encrypted messages in the extension
2. Work with CSFLE feature to enable usability while maintaining security

Non-Goals

1. Generating new KMS keys
2. Controlling CSFLE settings
3. Leaking KMS keys outside of the secret store / sidecar memory

Background

A nice to have would be to be able to configure the KMS key used by CSFLE within VS Code such that the fields are decrypted in the message browser AND/OR have the encrypted field appear as is along with the rest of the fields without encryption (similar to the message browser in Confluent Cloud Portal).

Proposal

Start with the ability for the extension to have a setting to save a key to the secret store like we do web certificates. Share those with the sidecar process to enable message parsing on consume message API calls.

[derek1ee]

I feel there are two pieces of work here.

1. Only the encrypted field stays encrypted and rest are still viewable, like the Confluent Cloud web experience. This feels more like a bug. Why does the entire value appears to be encrypted (not decoded?)?

2. Support KMS to decode encrypted fields. This could be lower priority compare to Add templates for some types of issues and discussions #1, with the assumption being that fields are not encrypted during development w/ test data (which is the focus of the VS code extension), but encrypted before going to prod with real data.