Configure Node Ports to Access Confluent Components

When you configure Confluent components with NodePort services for external client access, Kubernetes allocates a separate port for each service. Each Kafka broker, the bootstrap service, and each other component is accessible on its own port.

For a Kafka cluster with N brokers, N+1 NodePort services are created:

  • One for the bootstrap server for the initial connection
  • N services, one for each broker, for subsequent direct connections to the brokers

For an RBAC-enabled Kafka cluster with N brokers, if you enable external access to MDS, N+2 NodePort services are created:

  • One for the bootstrap server for the initial connection
  • One for the MDS on the bootstrap server
  • N services, one for each broker, for subsequent direct connections to the brokers

For the additional configuration steps required to allow external access to Metadata Service (MDS), see Configure Networking for RBAC.

To use NodePort services for external communication:

  1. Create a DNS record using the address of one or more of the nodes in your Kubernetes cluster.

  2. To configure Kafka with node ports, set the following in the Kafka custom resource (CR) and apply the configuration:

    spec:
      listeners:
        external:
          externalAccess:
            type: nodePort
            nodePort:
              nodePortOffset:     --- [1]
    
              host:               --- [2]
    
    • [1] Required. The value should be in the range between 30000 and 32767, inclusive.

      If you change this value on a running cluster, you must roll the cluster.

    • [2] Required. Specify the FQDN that will be used to configure all advertised listeners.

      If you change this value on a running cluster, you must roll the cluster.

  3. To configure other Confluent components with node ports, set the following in their CRs and apply the configuration:

    spec:
      externalAccess:
        type: nodePort
        nodePort:
          nodePortOffset:         --- [1]
    
          host:                   --- [2]
    
          sessionAffinity:        --- [3]
          sessionAffinityConfig:  --- [4]
            clientIP:
              timeoutSeconds:     --- [5]
    
      configOverrides:
        server:
          - advertised.listeners= --- [6]
    

    The access endpoint of each Confluent Platform component will be: <host>:<nodePortOffset>

    • [1] Required. The value should be in the range between 30000 and 32767, inclusive.

      If you change this value on a running cluster, you must roll the cluster.

    • [2] Required. Specify the FQDN that will be used to configure all advertised listeners.

      If you change this value on a running cluster, you must roll the cluster.

    • [3] Required for consumer REST Proxy to enable client IP-based session affinity.

      For REST Proxy to be used for Kafka consumers, set to ClientIP. See Kubernetes Service for more information about session affinity.

    • [4] Contains the session affinity configuration when sessionAffinity: ClientIP is set in [3].

    • [5] Specifies the ClientIP session sticky time in seconds. The value must be greater than 0 and less than or equal to 86400 (1 day).

      Default value is 10800 (3 hours).

    • [6] Set to the external DNS name used for node port. This configuration is used to generate absolute URLs in V3 responses. The HTTP and HTTPS protocols are supported.

  4. Create firewall rules to allow connections at the NodePort range that you plan to use. For the steps to create firewall rules, see Using Google Cloud firewall rules.

  5. Verify the NodePort services are correctly created by listing the services in the namespace using the following command:

    kubectl get services -n <namespace> | grep NodePort
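
The following check for steps 4 and 5 is an added example, not part of the original documentation: it reads the `kubectl get services` listing, confirms that a Kafka cluster has the expected N+1 (or N+2 with MDS) NodePort services, confirms every node port is within 30000-32767, and prints the exact ports the firewall rules need to admit. The function names `check_nodeports` and `sample_services`, and the service names and addresses in the sample listing, are constructed for illustration.

```shell
#!/bin/sh
# Added example: service names and addresses below are constructed sample data.

# check_nodeports <name-prefix> <brokers> [mds]
# Reads `kubectl get services -n <namespace>` output on stdin. Prints
# "<service> <nodePort>" for each NodePort service whose name starts with
# <name-prefix>, and returns 1 if the count is not N+1 (N+2 with "mds")
# or a node port lies outside 30000-32767.
check_nodeports() {
  want=$(( $2 + 1 ))
  if [ "${3:-}" = "mds" ]; then want=$(( $2 + 2 )); fi
  awk -v prefix="$1" -v want="$want" '
    $2 == "NodePort" && index($1, prefix) == 1 {
      count++
      n = split($5, maps, ",")
      for (i = 1; i <= n; i++) {
        split(maps[i], f, "[:/]")      # <port>:<nodePort>/<protocol>
        np = f[2] + 0
        if (np < 30000 || np > 32767) {
          printf "out of range: %s %d\n", $1, np; bad = 1
        } else {
          printf "%s %d\n", $1, np
        }
      }
    }
    END {
      if (count + 0 != want + 0) {
        printf "expected %d NodePort services, found %d\n", want, count; bad = 1
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed listing for a 3-broker cluster, in the kubectl table layout.
sample_services() {
  cat <<'EOF'
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
kafka                ClusterIP   None         <none>        9092/TCP,8090/TCP   9m
kafka-0-np           NodePort    10.0.11.21   <none>        9092:30001/TCP      9m
kafka-1-np           NodePort    10.0.11.22   <none>        9092:30002/TCP      9m
kafka-2-np           NodePort    10.0.11.23   <none>        9092:30003/TCP      9m
kafka-bootstrap-np   NodePort    10.0.11.20   <none>        9092:30000/TCP      9m
EOF
}

# Against a live cluster: kubectl get services -n <namespace> | check_nodeports <name-prefix> <brokers>
sample_services | check_nodeports kafka 3
```

Limiting the firewall rules to the printed ports, rather than the whole 30000-32767 range, keeps unrelated NodePort services on the same nodes unexposed.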
    

For a tutorial scenario on configuring external access using NodePort, see the quickstart tutorial for using node port.