Manage Confluent Admin REST Class for Confluent Platform Using Confluent for Kubernetes

This topic describes how to configure and manage Confluent Admin REST class endpoints in Confluent for Kubernetes (CFK).

When managing Kafka topics using the KafkaTopic custom resource (CR), managing Confluent RBAC role bindings using the ConfluentRolebinding custom resource (CR), or using the automatic cluster shrinking feature, you need to first set up an Admin REST Class custom resource (CR) to specify which REST endpoint to use.

If you have one Kafka cluster that you are managing, it’s recommended to create a default KafkaRestClass CR in the same namespace, with the name default. This will then be picked up as the default option by any KafkaTopic CR or ConfluentRolebinding CR that you create.

You can configure multiple KafkaRestClass CRs to manage topics and role bindings across different Kafka clusters.

Create an Admin REST Class CR

Create a KafkaRestClass CR to configure the Admin REST Class:

kind: KafkaRestClass
metadata:
  name:                          --- [1]
  namespace:                     --- [2]
spec:
  kafkaClusterRef:               --- [3]
    name:
    namespace:
  kafkaRest:                     --- [4]
    endpoint:                    --- [5]
    authentication:
      type:                      --- [6]
      basic:
      bearer:
      oauth:
    tls:                         --- [7]
      secretRef:                 --- [8]
      directoryPathInContainer:  --- [9]
    kafkaClusterID:              --- [10]

  • [1] Name of the KafkaRestClass CR. default is recommended.

  • [2] Namespace of the KafkaRestClass CR.

  • [3] [5] Provide either kafkaClusterRef or kafkaRest.endpoint to explicitly specify the Kafka cluster.

    If both are omitted, the Kafka cluster in the same namespace is used. If there is more than one Kafka cluster in the same namespace, creation of the CR fails with an error.

  • [3] Name of the Kafka cluster.

    If authentication is required, configure the spec.kafkaRest.authentication section in the CR. For example:

    spec:
      kafkaClusterRef:
        name: kafka
        namespace: operator-test
      kafkaRest:
        authentication:
          type: basic
          basic:
            secretRef: mds-admin-client
    
  • [4] Admin REST Class configuration.

    If you need to specify a Kafka cluster REST endpoint that is not in the same Kubernetes cluster, you need to specify the kafkaRest configuration.

  • [5] Admin REST Class endpoint. If not specified, CFK tries to discover the Kafka cluster in the same Kubernetes cluster.

  • [6] Authentication type. basic, bearer, mtls, and oauth are supported.

    See Basic authentication, Bearer authentication, mTLS authentication, and OAuth/OIDC authentication for details.

    The TLS configuration [7] is required when you set the authentication type to mtls.

  • [7] TLS client configuration. Required when the MDS is running in the HTTPS mode. Specify either secretRef or directoryPathInContainer.

  • [8] The name of the secret that contains the TLS certificates.

    See Provide TLS keys and certificates in PEM format for the expected keys in the TLS secret. Only the PEM format is supported for Admin REST.

  • [9] The directory path in the container where the required certificates are injected by Vault.

    See Provide TLS keys and certificates in PEM format for the expected keys. Only the PEM format is supported for Admin REST.

  • [10] The ID of the Kafka cluster.
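
The constraints in notes [6] and [7] can be checked before a manifest is applied. The following lint is an added example, not part of CFK or the original page. It takes a manifest already parsed into a dict (for instance with yaml.safe_load), and the function name, sample manifests, host name and secret name tls-kafka are constructed for illustration. It assumes that an https:// endpoint means the server runs in HTTPS mode.

```python
"""Pre-apply lint for a KafkaRestClass manifest (added example, not CFK code)."""
SUPPORTED_AUTH = {"basic", "bearer", "mtls", "oauth"}  # types listed under [6]


def lint_kafka_rest_class(cr):
    """Return a list of findings for a parsed KafkaRestClass manifest (dict)."""
    findings = []
    rest = (cr.get("spec") or {}).get("kafkaRest") or {}
    endpoint = rest.get("endpoint") or ""
    auth_type = (rest.get("authentication") or {}).get("type")
    tls = rest.get("tls")

    if auth_type is not None and auth_type not in SUPPORTED_AUTH:
        findings.append(f"unsupported authentication.type {auth_type!r}")
    # [6]: the TLS section is required when the type is mtls.
    if auth_type == "mtls" and not tls:
        findings.append("authentication.type mtls requires kafkaRest.tls")
    # [7]: specify either secretRef or directoryPathInContainer.
    if tls is not None:
        sources = [k for k in ("secretRef", "directoryPathInContainer") if tls.get(k)]
        if len(sources) != 1:
            findings.append(
                "kafkaRest.tls needs exactly one of secretRef or directoryPathInContainer")
    # Assumption: an https:// endpoint means HTTPS mode, so [7] applies.
    if endpoint.startswith("https://") and not tls:
        findings.append("https endpoint without kafkaRest.tls")
    # Basic and bearer credentials cross the network unencrypted over http://.
    if endpoint.startswith("http://") and auth_type in ("basic", "bearer"):
        findings.append(f"{auth_type} credentials sent to a plaintext http endpoint")
    return findings


# Constructed sample manifests, in the form yaml.safe_load would return.
WEAK = {"kind": "KafkaRestClass", "metadata": {"name": "default"},
        "spec": {"kafkaRest": {
            "endpoint": "http://kafka.example.internal:8090",
            "authentication": {"type": "basic",
                               "basic": {"secretRef": "mds-admin-client"}}}}}
FIXED = {"kind": "KafkaRestClass", "metadata": {"name": "default"},
         "spec": {"kafkaRest": {
             "endpoint": "https://kafka.example.internal:8090",
             "authentication": {"type": "basic",
                                "basic": {"secretRef": "mds-admin-client"}},
             "tls": {"secretRef": "tls-kafka"}}}}

if __name__ == "__main__":
    for name, cr in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, lint_kafka_rest_class(cr))
```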