A Kafka-protocol aware proxy.
See our compatibility matrix
helm repo add conduktor https://helm.conduktor.io
helm repo update
helm install my-gateway conduktor/conduktor-gateway
This section defines the image to be used.
Name | Description | Value |
---|---|---|
gateway.image.registry |
Docker registry to use | docker.io |
gateway.image.repository |
Image in repository format (conduktor/conduktor-gateway) | conduktor/conduktor-gateway |
gateway.image.tag |
Image tag | 3.5.2 |
gateway.image.pullPolicy |
Kubernetes image pull policy | IfNotPresent |
This section contains configuration of the Conduktor Gateway.
Name | Description | Value |
---|---|---|
gateway.replicas |
number of gateway instances to be deployed | 2 |
gateway.secretRef |
Secret name to load sensitive env var from | "" |
gateway.extraSecretEnvVars |
Array with extra secret environment variables | [] |
gateway.secretSha256sum |
Optional sha256sum of the referenced secret. This could be set to have a automactic restart of gateway deployment if secret change | "" |
gateway.env |
Environment variables for Gateway deployment | {} |
gateway.interceptors |
Json configuration for interceptors to be loaded at startup by Gateway | [] |
gateway.portRange.start |
Start port of the gateway port range | 9092 |
gateway.portRange.count |
Max number of broker to expose | 7 |
gateway.admin.port |
Admin HTTP server port | 8888 |
gateway.jmx.enable |
Enable JMX JVM options | false |
gateway.jmx.port |
JMX port to expose by default JVM args | 9999 |
gateway.jmx.jvmArgs |
Arguments to pass to the gateway container JVM | -Dcom.sun.management.jmxremote.port={{ .Values.gateway.jmx.port }} -Dcom.sun.management.jmxremote.rmi.port={{ .Values.gateway.jmx.port }} -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=127.0.0.1 |
gateway.startupProbeDelay |
Optional delay in second before startup probe should be running (default 10) | "" |
gateway.podLabels |
Specific labels to be added to Gateway pod by deployment | {} |
gateway.podAnnotations |
Gateway pod annotations | {} |
gateway.securityContext |
Container security context | {} |
gateway.volumes |
Define user specific volumes for Gateway deployment | {} |
gateway.volumeMounts |
Define user specific volumeMounts for Gateway container in deployment | {} |
gateway.priorityClassName |
Define Gateway pods' priority based on an existing ClassName | "" |
This section is for configuring Gateway to handle certificate to manage TLS endpoint inside Gateway deployment.
Name | Description | Value |
---|---|---|
tls.enable |
Enable TLS injection into Gateway | false |
tls.secretRef |
Secret name with keystore to load | "" |
tls.keystoreKey |
Key in the secret to load as keystore | keystore.jks |
tls.keystoreFile |
File name to mount keystore as | keystore.jks |
This section contains Kubernetes services configuration.
This section specifies external service configuration
Name | Description | Value |
---|---|---|
service.external.enable |
Enable a service for external connection to Gateway | false |
service.external.type |
Type of load balancer | ClusterIP |
service.external.ip |
IP to configure | "" |
service.external.annotations |
{} |
|
service.external.admin |
Enable admin exposition on external service | false |
service.external.jmx |
Enable jmx exposition on external service | false |
This section specify internal service configuration
Name | Description | Value |
---|---|---|
service.internal.annotations |
{} |
This section contains Kubernetes ingress configuration.
Name | Description | Value |
---|---|---|
ingress.enabled |
Enable ingress for Gateway | false |
ingress.pathType |
Ingress path type | ImplementationSpecific |
ingress.apiVersion |
Force Ingress API version (automatically detected if not set) | "" |
ingress.hostname |
Default host for the ingress record | gateway.local |
ingress.ingressClassName |
IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) | "" |
ingress.path |
Default path for the ingress record | / |
ingress.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
ingress.tls |
Enable TLS configuration for the host defined at ingress.hostname parameter |
false |
ingress.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
ingress.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
ingress.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
ingress.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
ingress.secrets |
Custom TLS certificates as secrets | [] |
ingress.extraRules |
Additional rules to be covered with this ingress record | [] |
Gateway embed metrics to be installed within you cluster if your have the correct capabilities (Prometheus and Grafana operators).
Name | Description | Value |
---|---|---|
metrics.alerts.enable |
Enable Prometheus alerts if Prometheus alerts rules is supported on cluster | false |
metrics.checklyAlerts.enable |
Enable alerts for checky jobs if Prometheus rules is supported on cluster | false |
metrics.prometheus.enable |
Enable ServiceMonitor Prometheus operator configuration for metrics scrapping | false |
metrics.prometheus.annotations |
Additional custom annotations for the ServiceMonitor | {} |
metrics.prometheus.labels |
Extra labels for the ServiceMonitor | {} |
metrics.prometheus.jobLabel |
The name of the label on the target service to use as the job name in Prometheus | app.kubernetes.io/name |
metrics.prometheus.metricRelabelings |
Configure metric relabeling in ServiceMonitor | {} |
metrics.prometheus.relabelings |
Configure relabelings in ServiceMonitor | {} |
metrics.prometheus.extraParams |
Extra parameters in ServiceMonitor | {} |
metrics.grafana.enable |
Enable Grafana dashboards to installation | false |
metrics.grafana.labels |
Additional custom labels for Grafana dashboard ConfigMap | {} |
metrics.grafana.datasources.prometheus |
Prometheus datasource to use for metric dashboard | prometheus |
metrics.grafana.datasources.loki |
Loki datasource to use for log dashboard | loki |
Shared Kubernetes configuration of the chart.
Name | Description | Value |
---|---|---|
serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
serviceAccount.name |
The name of the ServiceAccount to use. | "" |
serviceAccount.annotations |
Additional Service Account annotations (evaluated as a template) | {} |
serviceAccount.automountServiceAccountToken |
Automount service account token for the server service account | true |
commonLabels |
Labels to be applied to all resources created by this chart | {} |
nodeSelector |
Container node selector | {} |
tolerations |
Container tolerations | [] |
affinity |
Container affinity | {} |
Enable and configure chart dependencies if not available in your deployment.
Name | Description | Value |
---|---|---|
kafka.enabled |
Deploy a kafka along side gateway (This should only used for testing purpose) | false |
The following values.yaml
file can be used to set up Gateway to proxy traffic to a Confluent Cloud cluster:
gateway:
env:
# Configure connection to Confluent Cloud
KAFKA_BOOTSTRAP_SERVERS: pkc-xxxxx.region.provider.confluent.cloud:9092
KAFKA_SASL_MECHANISM: PLAIN
KAFKA_SECURITY_PROTOCOL: SASL_SSL
KAFKA_SASL_JAAS_CONFIG: org.apache.kafka.common.security.plain.PlainLoginModule required username="<your API key>" password="<your API secret>";
# Configure Client -> Gateway
GATEWAY_SECURITY_PROTOCOL: DELEGATED_SASL_PLAINTEXT
# clients will be able to authenticate to Gateway with the Confluent Cloud API keys/secrets, no TLS on Gateway
portRange:
start: 9099
count: 100 # to accomodate large shared (Basic or Standard) Confluent Cloud clusters
See Gateway Documentation for a list of environment variables that can be used. In particular, the Client to Gateway Authentication page details the different authentication mechanisms that can be used with Gateway.
values.yaml :
ingress:
enabled: true
ingressClassName: "nginx"
hostname: conduktor-gateway.mycompany.com
tls: false
selfSigned: false
values.yaml :
ingress:
enabled: true
ingressClassName: "nginx"
hostname: conduktor-gateway.mycompany.com
tls: true
selfSigned: true
values.yaml :
ingress:
enabled: true
ingressClassName: "nginx"
hostname: conduktor-gateway.mycompany.com
tls: true
selfSigned: false
ingress.annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
values.yaml :
ingress:
enabled: true
ingressClassName: "nginx"
hostname: conduktor-gateway.mycompany.com
tls: true
selfSigned: false
secrets:
- name: my-tls-secret
certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
NOTE: The example is for a truststore
but the same technique could be applied if you need to configure a keystore
.
It's recommended to load your certificates as secrets.
kubectl create secret generic gateway-cert \
--from-file=./my.truststore
We can then proceed to mount the secret as a volume.
Note the mountPath
which is where our cert will be accessible from.
gateway:
volumes:
- name: truststore
secret:
secretName: gateway-cert
items:
- key: kafka.truststore.jks
path: kafka.truststore.jks
volumeMounts:
- name: truststore
mountPath: /etc/gateway/tls/truststore/
readonly: true
Finally, we can configure our truststore location
gateway:
env:
KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/gateway/tls/truststore/kafka.truststore.jks