Manage Confluent Admin REST Class¶
This topic describes how to configure and manage Confluent Admin REST class endpoints in Confluent for Kubernetes (CFK).
When managing Kafka topics using the KafkaTopic custom resource (CR), managing Confluent RBAC role bindings using the ConfluentRolebinding custom resource (CR), or using the automatic cluster shrinking feature, you need to first set up an Admin REST Class custom resource (CR) to specify which REST endpoint to use.
If you have one Kafka cluster that you are managing, it’s recommended to create a
default KafkaRestClass CR in the same namespace, with the name
will then be picked up as the default option by any KafkaTopic CR or
ConfluentRolebinding CR that you create.
You can configure multiple KafkaRestClass CRs to manage topics and role bindings across different Kafka clusters.
Create an Admin REST Class CR¶
Create a KafkaRestClass CR to configure the Admin REST Class:
kind: KafkaRestClass metadata: name: ---  namespace: ---  spec: kafkaClusterRef: ---  name: namespace: kafkaRest: ---  endpoint: ---  authentication: type: ---  basic: bearer: tls: ---  secretRef: ---  directoryPathInContainer: ---  kafkaClusterID: --- 
 Name of the KafkaRestClass CR.
 Namespace of the KafkaRestClass CR.
  Provide either
kafkaRest.endpointto explicitly specify the Kafka cluster.
If both are omitted, the Kafka cluster in the same namespace is used. If there are more than one Kafka cluster in the same namespace, the CR creation will error out.
 Name of the Kafka cluster.
If authentication is required, configure the
spec.kafkaRest.authenticationsection in the CR. For example:
spec: kafkaClusterRef: name: kafka namespace: operator-test kafkaRest: authentication: type: basic basic: secretRef: mds-admin-client
 Admin REST Class configuration.
If you need to specify a Kafka cluster REST endpoint that is not in the same Kubernetes cluster, you need to specify the
 Admin REST Class endpoint. If not specified, CFK tries to discover the Kafka cluster in the same Kubernetes cluster.
 Authentication type.
See Basic authentication, Bearer authentication, and mTLS authentication for details.
The TLS configuration  is required when you set the authentication type to
 TLS client configuration. Required when the MDS is running in the HTTPS mode. Specify either
 The name of the secret that contains the TLS certificates.
See Provide TLS keys and certificates in PEM format for the expected keys in the TLS secret. Only the PEM format is supported for Admin REST.
 The directory path in the container where the required certificates are injected by Vault.
See Provide TLS keys and certificates in PEM format for the expected keys. Only the PEM format is supported for Admin REST.
 Required when connecting to Confluent Cloud. The id of the Kafka cluster.