Configure Network Encryption using Confluent for Kubernetes Blueprints¶
To secure network communications of Confluent components, Confluent for Kubernetes (CFK) Blueprints supports Transport Layer Security (TLS), an industry-standard encryption protocol.
This document describes how to configure TLS encryption and how to manage encryption certificates. For security concepts in Confluent Platform, see Security.
In CFK Blueprints, network encryption is not enabled by default. To have a secure deployment of Confluent Platform, encrypted network communication is always recommended. You can enable TLS encryption for Kafka listeners, REST interfaces for other components, and external services, such as LDAP, Proxy, and Confluent Cloud.
All the internal certificates between Confluent Platform components are managed by CFK Blueprints automatically. These certificates are configured via CFK Blueprints-managed certificate authority (CA) or user-provided CA. In this release, some components, namely Connect and Kafka REST Proxy, don’t have the capability to have different internal and external certificates.
The following types of TLS certificates are supported:
- Auto-generated certificates
CFK Blueprints by default uses auto-generated certificates for internal and external communication. These auto-generated certificates are created either via user-provided CA or Blueprint-managed CA.
This is recommended if Confluent Platform components are configured without external access or in a private network.
- User-provided certificates
If you need to enable access to Confluent services from an external-to-Kubernetes domain, it is recommended that you provide your own certificates.
This type of certificates are managed at the Blueprint level in the ConfluentPlatformBlueprint CR.
Use the following custom resources (CRs) to configure TLS and certificates:
CertificateStoreConfig CR
A CertificateStoreConfig CR contains information about the CA and certificates.
A CertificateStoreConfig has to be deployed before the ConfluentPlatformBlueprint and cluster CRs.
One CertificateStoreConfig can only be used by one ConfluentPlatformBlueprint.
ConfluentPlatformBlueprint CR
The confluentPlatformBlueprints CR defines the global certificate management strategy for all deployments. Each Deployment can override this at the deployment level for external communication.
Confluent cluster CRs, namely, ConnectCluster, ControlCenterCluster, KafkaCluster, KafkaRestProxyCluster, KsqlDBCluster, SchemaRegistryCluster, and ZookeeperCluster.
These are also referred to as Deployment CRs in this document.
For external TLS communication, you can provide certificates in the
ConfluentPlatformBlueprint CR or in the Confluent cluster CR. You specify the
desired option in the ConfluentPlatformBlueprint CR
(tlsConfig.providerType
).
For internal communications among Confluent Platform components and Kafka brokers, CFK Blueprints auto-generates internal TLS certificates, using either auto-generated or user-provided CA. And CFK Blueprints takes care of the safe rolling of Confluent Platform when an internal certificate updates.
The high-level workflow to create certificates and enable TLS is:
- To use auto-generated CA and auto-generated certificates:
- In the ConfluentPlatformBlueprint CR, configure for auto-generated CA.
- In the ConfluentPlatformBlueprint CR, configure for auto-generated certificates.
- To use user-provided custom CA and auto-generated certificate:
- Have the custom CA you want to use.
- Create a Kubernetes secret containing the custom CA key pair.
- Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
- In the ConfluentPlatformBlueprint CR, configure for custom CA.
- In the ConfluentPlatformBlueprint CR, configure for auto-generated certificates.
- To use user-provided server certificates:
- Have the custom CA you want to use.
- Create a Kubernetes secret containing the custom CA key pair.
- Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
- In the ConfluentPlatformBlueprint CR, configure for custom CA.
- Have the custom server certificates you want to use.
- Create a Kubernetes secret containing the custom server certificates.
- Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
- In the ConfluentPlatformBlueprint CR, configure for custom certificates.
- If you set the certificate provider type to Deployment in the previous step, configure the certificates in the cluster CRs.
Enable TLS¶
To enable TLS for Confluent Platform, set tlsConfig.providerType
in the
confluentPlatformBlueprints CR.
For configuration details for tlsConfig
, see the subsequent sections.
For Kafka listers, namely, custom listeners, external listener, and internal listener:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: customListeners: tlsConfig: --- [1] providerType: --- [2] externalListener: tlsConfig: --- [1] providerType: --- [2] internalListener: tlsConfig: --- [1] providerType: --- [2]
For ZooKeeper:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: zookeeper: tlsConfig: --- [1] providerType: --- [2]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: tlsConfig: --- [1] providerType: --- [2]
[1] Add the
tlsConfig
section to enable TLS for the listeners/endpoints.[2] Required. Specify where the TLS certificates are provided:
blueprint
if you will provide the certificates in the Blueprint CR.deployment
if you will provide the certificates in the component cluster Deployment CRs.
Manage TLS certificates¶
This section describes how to manage keys and certificates that TLS relies on to establish trusted connections. Once configured, CFK Blueprints provides full certificates lifecycle management for Confluent Platform.
Configure certificate authority key pair¶
Configure a certificate authority (CA) that will sign the certificates.
If using a custom CA key pair:
Create a Kubernetes secret that contains the CA key pair:
kubectl create secret tls <secret name> \ --cert=/path/to/ca.pem \ --key=/path/to/ca-key.pem \ --namespace <namespace>
Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
Configure the CA in the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint spec: internalCAKeyPair: --- [1] providerType: --- [2] blueprint: type: --- [3] auto: caConfig: --- [4] certDurationInDays: --- [5] renewBeforeInDays: --- [6] sans: --- [7] certificateConfig: --- [8] certDurationInDays: --- [9] renewBeforeInDays: --- [10] sans: --- [11] custom: --- [12] certificateConfig: --- [13] certDurationInDays: --- [14] renewBeforeInDays: --- [15] sans: --- [16] certificateStoreConfig name: --- [17]
[1] Required. Even when using user-provided certificates, this section is used to generate internal certificates for Confluent Platform component.
[2] Required. Specify where the CA key pair is specified. Set to
blueprint
.[3] Specify if the CA is auto-generated by CFK Blueprints (
auto
) or user-provided (custom
).[4] Specify CA lifecycle management info in this section.
[5] Set to the number of days for which the auto-generated CA key pair is valid. The default is five years.
[6] Set to the renewal time for auto-generated CA key pair. The default is 30 days.
[7] SANs to be added for all auto-generated CA key pair CFK Blueprints. Use this only for adding wild card SANs.
Modifying this setting will roll all Confluent clusters and will regenerate the certificates for all Confluent Platform clusters managed by CFK Blueprints.
[8] Specify lifecycle management info for the auto-generated certificates in this section.
[9] Set to the number of days for which the auto-generated certificates are valid. The default is one year.
[10] Set to the renewal time for auto-generated certificates. The default is 30 days.
[11] SANs to be added for all auto-generated certificates|. Use this only for adding wild card SANs.
Modifying this setting will roll all Confluent clusters and will regenerate the certificates for all Confluent Platform clusters managed by CFK Blueprints.
[12] Required if [1] (
type
) is set tocustom
.[13] Specify lifecycle management info for the user-provided certificates in this section.
[14] Set to the number of days for which the custom certificates are valid. The default is one year.
[15] Set to the renewal time for custom certificates. The default is 30 days.
[16] SANs to be added for all custom certificates. Use this only for adding wild card SANs.
[17] Required if [1] (
type
) is set tocustom
. The certificate store that you created in the previous step to hold the CA key pair.
Use auto-generated TLS certificates¶
You can use auto-generated certificates to encrypt internal and external Confluent Platform communications. With the CA you provided or auto-generated, CFK Blueprints automates provisioning, securing, and operating certificates for internal networking communications.
In the confluentPlatformBlueprints CR, specify that the TLS certificates are provided in the Blueprint.
To use auto-generated certificates, do not specify
tlsConfig.certificateStoreConfig
.For Kafka listers, namely, custom listeners, external listener, and internal listener:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: customListeners: tlsConfig: --- [1] providerType: blueprint --- [2] externalListener: tlsConfig: --- [1] providerType: blueprint --- [2] internalListener: tlsConfig: --- [1] providerType: blueprint --- [2]
For ZooKeeper:
kind: ConfluentPlatformBlueprint spec: confluentPlatform zookeeper: tlsConfig: --- [1] providerType: blueprint --- [2]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: tlsConfig: --- [1] providerType: blueprint --- [2]
[1] Set the
tlsConfig
to enable TLS for the listeners/endpoints.[2] Required. Specify where the TLS certificates come from. Set to
blueprint
to use auto-generated certificates.
Use user-provided TLS certificates¶
When you provide custom TLS certificates, CFK Blueprints takes the provided files and configures Confluent components accordingly.
You are responsible for managing user-provided certificates.
The information about a certificate is available on /status
of the cluster
CR.
Any certificate changes will trigger safe rolling, including impacted dependencies Confluent components. Use extra care when changing Kafka certificates as it impacts all dependent Confluent components.
Create a custom certificate secret¶
For user-provided custom certificates, the following TLS certificate information must be provided for each Confluent component:
- The component’s server private key
- The component’s server certificate (public key)
Create a Kubernetes secret with the certificate information for each component:
kubectl -create secret generic <secret-name> \
--from-file=tls.key=<path to the server private key for the component> \
--from-file=tls.crt=<path to the server certificate for the component> \
--namespace <namespace>
Provide custom TLS certificates in the Blueprint¶
To provide your custom certificates in the ConfluentPlatformBlueprint CR:
Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
Provide the custom certificates in the ConfluentPlatformBlueprint CR.
For Kafka listers, namely, custom listeners, external listener, and internal listener:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: customListeners: tlsConfig: --- [1] providerType: --- [2] blueprint: --- [3] certificateStoreConfig: --- [4] name: --- [5] externalListener: tlsConfig: --- [1] providerType: --- [2] blueprint: --- [3] certificateStoreConfig: --- [4] name: --- [5] internalListener: tlsConfig: --- [1] providerType: --- [2a] blueprint: --- [3] certificateStoreConfig: --- [4] name: --- [5]
For ZooKeeper:
kind: ConfluentPlatformBlueprint spec: confluentPlatform zookeeper: tlsConfig: --- [1] providerType: --- [2a] blueprint: --- [3] certificateStoreConfig: --- [4] name: --- [5]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: tlsConfig: --- [1] providerType: --- [2] blueprint: --- [3] certificateStoreConfig: --- [4] name: --- [5]
[1] Set
tlsConfig
to enable TLS for the listeners/endpoints.[2] Required. Specify where the TLS certificates come from:
blueprint
if you will provide the certificates in the Blueprint CR.deployment
if you will the certificates in the component cluster Deployment CR.
[2a] Required. For the internal listener, only
blueprint
is allowed because internal TLS is managed by the Blueprint.[3] If [2] (
providerType
) is set toblueprint
, this is required. Specifies that the Blueprint provides TLS certificates configuration.[4] Specify the section to provide your own custom certificates.
[5] Specify the name of the CertificateStoreConfig CR that you created in the previous step.
Provide custom TLS certificates in the Deployment¶
To provide your custom certificates in a Confluent cluster CR:
- Configure CA.
- Create a certificate secret.
- Create a CertificateStoreConfig CR with the reference to the secret created in the previous step.
For Kafka listers, namely, custom listeners, external listener, and internal listener, set the following in the KafkaCluster CR:
kind: KafkaCluster spec: externalAccess: kafkaListeners: listeners: custom: tlsConfig: certificateStoreConfigRef: name: --- [1] namespace: --- [2] external: tlsConfig: certificateStoreConfigRef: name: --- [1] namespace: --- [2]
For other Confluent Platform components, set the following in the component cluster CR, for example, ConnectCluster or KsqlDBCluster CR:
kind: <component>Cluster spec: externalAccess tlsConfig: certificateStoreConfigRef: name: --- [1] namespace: --- [2]
[1] Required. Specify the name of the CertificateStoreConfig CR that contains the certificates.
[2] Specify the namespace of the CertificateStoreConfig CR that you created in the previous step.
Create a certificate store¶
To inject custom certificates, create a CertificateStoreConfig CR:
kind: CertificateStoreConfig
metadata:
name: --- [1]
namespace: --- [2]
spec:
sourceType: kubernetes --- [3]
kubernetes: --- [4]
type: secret --- [5]
secret:
name: --- [6]
- [1] Required. Name of this certificate store.
- [2] Namespace for this certificate store.
- [3] Specify how the certificates are stored. Kubernetes secret is supported.
- [4] Required when [3] is set to
kubernetes
. - [5] Specify to use a Kubernetes secret to store your custom certificates.
- [6] Provide the secret that contains your custom certificates.
Update a certificate store¶
If a CertificateStoreConfig CR name is updated, CFK Blueprints will roll the appropriate Confluent Platform components.
If any content in a CertificateStoreConfig CR changes, you need to manually restart the clusters that use the CertificateStoreConfig CR. Apply the following annotation to the cluster deployment CR that uses the updated certificate:
kubectl annotate <CR type> <CR name> -n <namespace> cpc.platform.confluent.io/force-roll=”true”
Delete a certificate store¶
You cannot delete a CertificateStoreConfig CR if the CR is referenced by any CFK Blueprints object, such as a Blueprint CR.