Manage Confluent Admin REST API¶
This topic describes how to configure and manage Confluent Admin REST API endpoints in Confluent for Kubernetes (CFK).
When managing Kafka topics using the KafkaTopic custom resource (CR), managing Confluent RBAC role bindings using the ConfluentRolebinding custom resource (CR), or using the automatic cluster shrinking feature, you need to first set up an Admin REST API custom resource (CR) to specify which REST endpoint to use.
If you have one Kafka cluster that you are managing, it’s recommended to create a
default KafkaRestClass CR in the same namespace, with the name default
. This
will then be picked up as the default option by any KafkaTopic CR or
ConfluentRolebinding CR that you create.
You can configure multiple KafkaRestClass CRs to manage topics and role bindings across different Kafka clusters.
Create an Admin REST API CR¶
Create a KafkaRestClass CR to configure the Admin REST API:
kind: KafkaRestClass
metadata:
name: --- [1]
namespace: --- [2]
spec:
kafkaClusterRef: --- [3]
name:
namespace:
kafkaRest: --- [4]
endpoint: --- [5]
authentication:
type: --- [6]
basic:
bearer:
tls: --- [7]
secretRef: --- [8]
directoryPathInContainer: --- [9]
kafkaClusterID: --- [10]
[1] Name of the KafkaRestClass CR.
default
is recommended.[2] Namespace of the KafkaRestClass CR.
[3] [5] Provide either
kafkaClusterRef
orkafkaRest.endpoint
to explicitly specify the Kafka cluster.If both are omitted, the Kafka cluster in the same namespace is used. If there are more than one Kafka cluster in the same namespace, the CR creation will error out.
[3] Name of the Kafka cluster.
If authentication is required, configure the
spec.kafkaRest.authentication
section in the CR. For example:spec: kafkaClusterRef: name: kafka namespace: operator-test kafkaRest: authentication: type: basic basic: secretRef: mds-admin-client
[4] Admin REST API configuration.
If you need to specify a Kafka cluster REST endpoint that is not in the same Kubernetes cluster, you need to specify the
kafkaRest
configuration.[5] Admin REST API endpoint. If not specified, CFK tries to discover the Kafka cluster in the same Kubernetes cluster.
[6] Authentication type.
basic
,bearer
, andmtls
are supported.See Basic authentication, Bearer authentication, and mTLS authentication for details.
The TLS configuration [7] is required when you set the authentication type to
mtls
.[7] TLS client configuration. Required when the MDS is running in the HTTPS mode. Specify either
secretRef
ordirectoryPathInContainer
.[8] The name of the secret that contains the TLS certificates.
See Provide TLS keys and certificates in PEM format for the expected keys in the TLS secret. Only the PEM format is supported for Admin REST.
[9] The directory path in the container where the required certificates are injected by Vault.
See Provide TLS keys and certificates in PEM format for the expected keys. Only the PEM format is supported for Admin REST.
[10] Required when connecting to Confluent Cloud. The id of the Kafka cluster.