Update Confluent Platform License in Confluent for Kubernetes

You can use Confluent Platform for a 30-day trial period without a license key. After 30 days, Confluent components require license keys. See Confluent Platform Licenses for information about Confluent licenses, including types of licenses.

When using Confluent for Kubernetes (CFK), you have two options to configure the license for Confluent Platform components:

Note

For Connect, Centralized Connect License does not work with the Docker image confluentinc/cp-kafka-connect-base. Use the confluentinc/cp-server-connect-base Docker image to leverage the Centralized License.

Update CFK global license

The CFK configures the global license key for Confluent components.

  1. To add or update the CFK license key, navigate to the helm sub-directory under the directory that has the downloaded the CFK bundle, and run the following command.

    To find the version image tag you wish to update the license for, see CFK Image Tags. For example, to update the license for CFK 2.6.4, use the image tag, 0.771.62. If --set image.tag=XXXX is omitted in the command, the latest version of CFK will be updated.

    helm upgrade --install confluent-operator \
      confluentinc/confluent-for-kubernetes \
      --namespace <namespace> \
      --set image.tag=XXXX \
      --set licenseKey=<CFK license key>
    

    When the above command runs, the confluent-operator-licensing secret is created with the license.txt and publicKey.pem files:

    • license.txt contains the <CFK license key> you specified in the command.
    • publicKey.pem contains the public key used to validate the signed license. This key is only used by CFK and is not used by Confluent Platform components.
  2. To use the global license set in CFK, repeat the following steps for each component that you want to apply the license to:

    1. Set the following in the component custom resource (CR):

      spec:
        license:
          globalLicense: true
      
    2. Apply the component CR change.

      If you have multiple component CRs defined in a single file, you only need to run the command once after setting spec.license.globalLicense properties in all the component CRs.

      kubectl apply -f <component CR> --namespace <namespace>
      
    3. Restart the updated components to use the global license.

      1. Find the name of the StatefulSet corresponding to the Confluent Platform cluster you want to restart:

        kubectl get statefulset --namespace <namespace>
        
      2. Using the StatefulSet name, <name-of-statefulset>, from the previous step, roll the cluster:

        kubectl rollout restart statefulset/<name-of-statefulset> \
          --namespace <namespace>
        

When using the global license, CFK creates the confluent-operator-licensing and internal-confluent-operator-licensing secrets. The secrets are used by Confluent Platform components and should not be deleted.

Update component-level licenses

You can configure the license structure at the component-level which takes precedence over the license configured by CFK.

The component-level license can be provided using one of the following methods:

The license.txt file is required to be present either in the secretRef or directoryPathInContainer path.

If both secretRef or directoryPathInContainer is configured, directoryPathInContainer takes precedence.

Component-level license configuration with Kubernetes secrets

To provide a component license key using a Kubernetes secret:

  1. Create the license.txt file with license=<your license key>:

    echo -n "license=<your license key>" > license.txt
    
  2. Create a Kubernetes secret for the license.txt file. --from-file=license.txt= should be included in the command:

    For example, with the license.txt file in the current directory:

    kubectl create secret generic confluent-license \
      --from-file=license.txt=./license.txt \
      --namespace <namespace>
    
  3. Set the secret name in the component CR. Using the previous example:

    spec:
      license:
        secretRef: confluent-license
    
  4. Apply the component CR change:

    kubectl apply -f <component CR> --namespace <namespace>
    
  5. Roll the component cluster to apply the license change.

    1. Find the name of the StatefulSet corresponding to the Confluent Platform cluster you want to restart:

      kubectl get statefulset --namespace <namespace>
      
    2. Using the StatefulSet name, <name-of-statefulset>, from the previous step, roll the cluster:

      kubectl rollout restart statefulset/<name-of-statefulset> \
        --namespace <namespace>
      

Component-level license configuration with an external secret provider

To provide a component license key using an external secret provider, such as HashiCorp Vault:

  1. Install and configure Vault.

  2. Create the license.txt file with license=<your license key>:

    echo -n "license=<your license key>" > license.txt
    
  3. Write license.txt to Vault. For example:

    cat ./license.txt | \
      vault kv put /secrets/license.txt license=-
    
  4. Set the secret name in the component CR. Using the previous example:

    spec:
      license:
        directoryPathInContainer: /vault/secrets
    
  5. Apply the component CR change:

    kubectl apply -f <component CR> --namespace <namespace>
    
  6. Roll the component cluster to apply the license change.

    1. Find the name of the StatefulSet corresponding to the Confluent Platform cluster you want to restart:

      kubectl get statefulset --namespace <namespace>
      
    2. Using the StatefulSet name, <name-of-statefulset>, from the previous step, roll the cluster:

      kubectl rollout restart statefulset/<name-of-statefulset> \
        --namespace <namespace>