Configure Networking for Confluent for Kubernetes Blueprints¶
This document describes the networking options you can configure in Confluent for Kubernetes (CFK) Blueprints to enable external access to Kafka and other Confluent Platform components.
The following are the external access methods CFK Blueprints supports. Once you enable external access using one method and deploy Confluent, you cannot change to another external access method.
-
Clients connect to Confluent Platform using the Kubernetes provider’s load balancer.
-
A Kubernetes Ingress controller manages clients’ connection to Confluent Platform using host-based routing.
-
Clients connect to Confluent Platform using OpenShift routes.
After you set a global external access method in a Blueprint, (a ConfluentPlatformBlueprint custom resource), you can set provider-specific (for example, AWS or GCP) detail information in Kubernetes clusters (KubernetesCluster custom resources).
For example configurations, see CFK GitHub repo.
Configure DNS for external access¶
For external access, Confluent Platform requires fully qualified domain names (FQDNs) to be
configured to the REST and Kafka listeners endpoints. FQDN is made of
<subdomain>.<domain>
.
For all the supported external access types, you can use one of the following methods to create and configure FQDNs:
CFK Blueprints generates FQDNs for Confluent Platform endpoints.
Generated FQDNs are in the following format:
<prefix>-<uid>.<region>.<cluster-name>.<domain>
You provide subdomains and listener prefixes to form FQDNs for Confluent Platform endpoints.
CFK Blueprints generates FQDN¶
In this mode, the Orchestrator generates an FQDN, using a unique id, prefix, region, cluster name, and domain.
Configure the ConfluentPlatformBlueprint custom resource (CR) as follows:
kind: ConfluentPlatformBlueprint
spec:
dnsConfig:
domain: --- [1]
providerType: blueprint --- [2]
blueprint:
generateFQDNWithSchema:
addRegionName: --- [3]
addClusterName: --- [4]
- [1] Required. Specify the domain name of your Kubernetes cluster.
- [2] Required to specify that CFK Blueprints generates FQDNs.
- [3] Specify whether to add the region name to the FQDNs.
- [4] Specify whether to add the cluster name to the FQDNs.
With this scheme, CFK Blueprints generates FQDNs in the
<prefix>-<uid>.<region>.<clusterName>.<domain>
pattern, using the following
values:
<prefix>
:For Kafka listeners:
spec.confluentPlatform.kafkaListeners.external.externalAccess.dnsConfig.prefix
If the prefix field is not configured,
kafka
is used as a prefix value.For example, using
kafak
as the prefix value, the bootstrap prefix value will bekafka
and broker prefix will bekafka0
…kafkaN
whereN
is the replica value.For other Confluent components:
spec.components..externalAccess.dnsConfig.prefix
If not configured, standard names, such as
schemaregistry
,mds
, are used.
<uid>
: An internally generated, unique 5-digit number.<region>
:spec.dnsConfig.blueprint.generateFQDNWithSchema.addRegionName
If
addRegionName
field istrue
([3]), the Orchestrator will check the KubernetesCluster CR mapped to find the region name. If the region name is missing in that CR, the deployment will fail.<clusterName>
:spec.dnsConfig.blueprint.generateFQDNWithSchema.clusterName
If
addClusterName
istrue
([4]), the Orchestrator will check the KubernetesCluster CR mapped to find the cluster name.<domain>
comes fromspec.dnsConfig.domain
boolean field. This field is required.
If TLS is enabled, Blueprint-managed certificates will generate the Subject Alternative Name (SAN).
Provide subdomain for FQDN¶
In this mode, you must specify the subdomain in the Deployment CR for each Confluent Platform endpoint.
To standardize FQDNs across Confluent Platform for a given Blueprint, you can specify a regular expression in the ConfluentPlatformBlueprint CR to validate subdomains.
Configure the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint spec: dnsConfig: domain: --- [1] providerType: deployment --- [2] deployment: subDomainRegex: --- [3]
- [1] Required. Specify the domain name of your Kubernetes cluster.
- [2] Required to use the provided subdomain name from deployments.
- [3] Required. Specify the regular expression for subdomains. For example,
to enforce all the subdomain names start with
cpc
, set this tocpc+
.
Specify the subdomain in each Confluent component cluster CR.
For the Kafka cluster, pass the subdomain for Kafka REST and listeners in the KafkaCluster CR:
kind: KafkaCluster spec: externalAccess: kafkaRest: kafka: dnsConfig: subdomain: --- [1] listeners: external: dnsConfig: bootstrapPrefix: --- [2] brokerPrefix: --- [3]
- [1] Required. The Kafka cluster subdomain name.
- [2] Optional. Kafka bootstrap server prefix. The default value is
kafka
. - [3] Optional. Kafka broker prefix. The default value is
b
.
For other Confluent components’ HTTP configurations, set the subdomain name in the component cluster CR:
kind: <component>Cluster spec: externalAccess: dnsConfig: subdomain: --- [1]
- [1] Required. The component cluster subdomain name.
Configure external access using the Load Balancer¶
When configured to use load balancers, CFK Blueprints creates a load balancer for each broker in addition to a load balancer for the bootstrap server. For N number of Kafka brokers, CFK Blueprints creates N+1 number of load balancer services:
- One as the bootstrap service for the initial connection and for receiving the metadata about the Kafka cluster.
- Other N services, one for each broker, address the brokers directly.
Note
Kafka brokers and ZooKeeper maintain a constant connection that can be broken if a load balancer is used for ZooKeeper. Do not configure a load balancer for ZooKeeper.
To configure load balancers, set the settings as specified in the following steps and apply the CRs.
Specify the load balancer access in the ConfluentPlatformBlueprint CR.
For Kafka:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: global: externalAccessType: loadBalancer --- [1] externalListener: externalAccess: enabled: true --- [2] loadBalancer: annotations: --- [3] labels: --- [4] advertisedPort: --- [5] externalTrafficPolicy: --- [6]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: externalAccess: type: loadBalancer --- [1] loadBalancer: annotations: --- [3] labels: --- [4] advertisedPort: --- [5] externalTrafficPolicy: --- [6]
[1] Required.
[2] Required to enable external access.
[3] Optional. Kubernetes annotations for this service.
[4] Optional. Kubernetes labels for this service.
[5] Optional. Specify the external port for client access. If not configured, the same internal/external port is configured for the component. Information about the port can be retrieved through the status API.
The default value is
443
.[6] Optional. Valid options are
Local
andCluster
for the external traffic policy.
In the KubernetesCluster CR, specify any necessary annotations or labels for the load balancer access in the Confluent Platform Kubernetes cluster. The configurations in the KubernetesCluster CR takes precedence over the configurations in the ConfluentPlatformBlueprint CR.
kind: KubernetesCluster spec: network: loadBalancer: annotations: labels:
Add DNS entries.
Once the external load balancers are created, you add DNS entries for Kafka brokers, the Kafka bootstrap service, and other Confluent Platform components to your DNS table (or the method you use to get DNS entries recognized by your provider environment).
Get the status of the component cluster deployment CR, such as KafkaCluster, ConnectCluster, etc.
kubectl get <component cluster CR type> <component CR name> -oyaml -n <namespace>
An example output for Kafka:
kind: KafkaCluster status: listeners: - externalAccess: advertisedExternalEndpoint: bootstrap: dnsEndpoint: kafka.example.com:9092 ipAddress: 34.118.13.45 broker: - dnsEndpoint: b0.example.com:9092 ipAddress: 34.116.201.170 - dnsEndpoint: b1.example.com:9092 ipAddress: 34.118.67.170 - dnsEndpoint: b2.example.com:9092 ipAddress: 34.116.245.44
An example output for other components:
kind: ConnectCluster status: externalAccess: advertisedExternalEndpoint: dnsEndpoint: connect.example.com:443 ipAddress: 34.118.17.160 url: https://connect.example.com:443
Add a DNS entry with each
dnsEndpoint
andipAddress
in the status output.Using the example status output, you would add the following DNS entries:
DNS name External IP b0.example.com 34.116.201.170 b1.example.com 34.118.67.170 b2.example.com 34.116.245.44 kafka.example.com 34.118.13.45 connect.example.com 34.118.17.160
Configure external access using Ingress¶
When you configure Kafka for host-based static access, the Kafka advertised listeners are set up with the broker prefix and the domain name.
You need to explicitly configure external access to Kafka, for example, using the NGINX ingress controller.
This method requires:
- The Confluent Platform components are configured with TLS for Ingress access.
- An Ingress controller that supports SSL passthrough is configured in the Control Plane where the Orchestrator is installed.
To configure Ingress, set the settings as specified in the following steps and apply the CRs.
Specify the Ingress access in the ConfluentPlatformBlueprint CR.
For Kafka:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: global: externalAccessType: ingress --- [1] externalListener: externalAccess: enabled: true --- [2] ingress: annotations: --- [3] labels: --- [4] advertisedPort: --- [5]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: externalAccess: type: ingress --- [1] ingress: annotations: --- [3] labels: --- [4] advertisedPort: --- [5]
[1] Required.
[2] Required to enable external access.
[3] Optional. Kubernetes annotations for this service.
Example annotations for NGINX:
annotations: nginx.ingress.kubernetes.io/ssl-passthrough: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" ingress.kubernetes.io/ssl-passthrough: "true" nginx.ingress.kubernetes.io/backend-protocol: HTTPS
[4] Optional. Kubernetes labels for this service.
[5] Optional. Specify the external port for the clients’ consumption. The default value is
443
.
In the KubernetesCluster CR, specify any necessary annotations and labels for the Ingress access in the Confluent Platform Kubernetes cluster:
kind: KubernetesCluster spec: network: ingress: annotations: labels:
Add DNS entries.
Get the external IP of the Ingress controller load balancer, using the following command:
kubectl get services -n <namespace>
Get the status of the component cluster deployment CR, such as KafkaCluster, ConnectCluster, etc.
kubectl get <component cluster CR type> <component CR name> -oyaml -n <namespace>
Use the external IP address of the Ingress controller to add a DNS entry with each
dnsEndpoint
(in the status output above) for your DNS service provider:For example:
DNS name ExternalIP b0.example.com 34.71.198.214 b1.example.com 34.71.198.214 b2.example.com 34.71.198.214 kafka.example.com 34.71.198.214 connect.example.com 34.71.198.214
Configure external access using Routes¶
CFK Blueprints supports OpenShift routes for exposing Confluent Platform component services to the outside of the OpenShift platform.
When you configure Confluent components with routes, CFK Blueprints creates a route resource for the Confluent component service, and external clients access the service at the HTTPS port, 443.
When using a route, you must configure the Confluent component with TLS.
To configure routes, set the settings as specified in the following steps and apply the CRs.
Specify the route access in the ConfluentPlatformBlueprint CR.
For Kafka:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: kafkaListeners: global: externalAccessType: route --- [1] externalListener: externalAccess: enabled: true --- [2] route: annotations: --- [3] labels: --- [4] wildcardPolicy: --- [5]
For other Confluent Platform components:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: http: externalAccess: type: route --- [1] route: annotations: --- [3] labels: --- [4] wildcardPolicy: --- [5]
[1] Required.
[2] Required to enable external access.
[3] Optional. Kubernetes annotations for this service.
[4] Optional. Kubernetes labels for this service.
[5] Set this to define a route that covers all hosts within a domain. Valid options are
Subdomain
andNone
. The default value isNone
.
In the KubernetesCluster CR, specify any necessary annotations and labels for the route access in the Confluent Platform Kubernetes cluster:
kind: KubernetesCluster spec: network: route: annotations: labels:
Add DNS entries.
Once the routes are created, you add a DNS entry associated with component routes to your DNS table (or whatever method you use to get DNS entries recognized by your provider environment).
Get the IP address of the OpenShift router load balancer.
The HAProxy load balancer serves as the router for route services, and generally, HAProxy runs in the
openshift-ingress
namespace.oc get svc --namespace openshift-ingress
An example output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.84.52 20.189.181.8 80:31294/TCP,443:32145/TCP 42h router-internal-default ClusterIP 172.30.184.233 <none> 80/TCP,443/TCP,1936/TCP 42h
From the above example, we see the external-ip of the router is 20.189.181.8.
Get the DNS names of the Confluent Platform components:
oc get routes
Use the external IP to add a DNS entry with each
dnsEndpoint
(in the status output above) your DNS service provider:For example:
DNS name ExternalIP b0.example.com 20.189.181.8 b1.example.com 20.189.181.8 b2.example.com 20.189.181.8 kafka.example.com 20.189.181.8 connect.example.com 20.189.181.8