TLS and HTTP Basic Authentication among Confluent Control Center Components

Confluent Control Center internally integrates with Prometheus and Alertmanager to deliver its comprehensive monitoring and alerting functionalities, processing relevant data from sources such as broker/KRaft controller metrics. This section describes how TLS and HTTP Basic authentication setup can be added for secure communication among a Kafka broker, Confluent Control Center, Prometheus, and Alertmanager.

Note

TLS and HTTP Basic authentication setup is supported for Confluent Control Center (Legacy) with Confluent Platform versions 7.5.x and later.

Password generation

Generate a username and password for Prometheus and Alertmanager.

  1. Create a Python script to generate a hash from a password.

    import getpass
import bcrypt
password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

    This CLI script prompts for the password and returns the hash.

  2. Save the script to a file named gen-pass.py and run it:

    python3 gen-pass.py

    You should see output like this:

    password:
$2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay

  3. Save the Prometheus password hash the script returned for use later.

  4. Run the script a second time to generate a hashed password for the Alertmanager also.

  5. Save the Alertmanager hash returned by the script for use later.

  6. Edit the following web-config.yml files and add the hashed password to the corresponding user_name field.

    for Prometheus

    /etc/confluent-control-center/web-config-prom.yml

    for Alertmanager

    /etc/confluent-control-center/web-config-am.yml

    The configuration you add should look like this:

    basic_auth_users:
  user_name: password_hash

For detailed information about securing Prometheus see the Prometheus documentation Securing Prometheus API and UI endpoints using basic auth.

Set up self-signed certificates

Two certificates are required: an SSL certificate and an SSL Key certificate.

  1. To generate self-signed certificate for Prometheus and Alertmanager, follow the SSL certificate generation instructions in the Prometheus documentation.

    Instead of a self-signed certificate, you can have your certificates signed by a trusted Certificate Authority (CA).

  2. Edit the web-config.yml files and update user_name field with the corresponding password.

    for Prometheus

    /etc/confluent-control-center/web-config-prom.yml

    for Alertmanager

    /etc/confluent-control-center/web-config-am.yml

    The configuration you add should look like this:

    # Prometheus example
tls_server_config:
    cert_file: /home/prometheus/certs/example.com/example.com.crt
    key_file: /home/prometheus/certs/example.com/example.com.key
basic_auth_users:
    user_name: password_hash

# Alertmanager example
tls_server_config:
    cert_file: /home/prometheus/certs/example.com/example.com.crt
    key_file: /home/prometheus/certs/example.com/example.com.key
basic_auth_users:
    user_name: password_hash

  3. Start and restart Prometheus.

    systemctl enable alertmanager
systemctl start alertmanager

  4. Start and restart Alertmanager.

    systemctl enable alertmanager
systemctl start alertmanager

  5. Test your setup using the following curl command to check your certificate configuration.

    curl --cacert {path_to_ssl_certificate/path_to_ca_cert} \
  https://{prometheus-url}:9090/api/v1/label/job/values \
  -u {username}:{password}

    A successful command returns the following:

    {"status":"success","data":["prometheus"]}

Configure Prometheus, Alternmanager, and Confluent Control Center

Confluent Control Center brokers and KRaft controllers emit metrics to Prometheus, Alertmanager receives, processes, and routes these alerts to Confluent Control Center. Use the following steps to configure secure communication among the Confluent Control Center machine, the brokers/controllers, Prometheus, and Alertmanager.

  1. If you are running Confluent Platform 7.5.0 through 7.9.0 version, you must install SSL certificates in the Java truststore. If you running Confluent Platform 7.9.1 version or later, skip this step and go to the next.

    1. Install Prometheus SSL certificates in Java truststore with the prometheus alias.

      keytool -import -trustcacerts -alias prometheus -file {path_to_prometheus_ssl_cert/path_to_ca_cert} -keystore truststore.jks -storepass <password>

  2. On the Confluent Control Center machine, install Prometheus SSL certificate in Java truststore with the keytool command.

    sudo keytool -import -alias mycert -keystore {path_to_java_trustore} -file {path_to_prometheus_ssl_cert}

    For example:

    sudo keytool -import -alias mycert -keystore /usr/lib/jvm/java-1.17.0-openjdk-amd64/lib/security/cacerts -file /home/ubuntu/ca.crt

  3. Update the Confluent Control Center properties file with the following configuration:

    #Prometheus TLS config
confluent.controlcenter.prometheus.ssl.truststore.location=<jks-path>
confluent.controlcenter.prometheus.ssl.truststore.password=<password>
confluent.controlcenter.prometheus.alias.name=<prometheus-alias>

#Alertmanager TLS Config
confluent.controlcenter.alertmanager.ssl.truststore.location=<jks-path>
confluent.controlcenter.alertmanager.ssl.truststore.password=<password>
confluent.controlcenter.alertmanager.alias.name=<alertmanager-alias>

  4. Edit the broker and controller configurations with the credentials for Prometheus as follows:

    confluent.telemetry.exporter._c3.api.key={prometheus_username}
confluent.telemetry.exporter._c3.api.secret={prometheus_password}

  5. Update the Prometheus configuration file, /etc/confluent-control-center/prometheus-generated.yml, with the following:

    alerting:
    alertmanagers:
        - static_configs:
            - targets:
            - localhost:9093
        scheme: https
        tls_config:
            ca_file: "{path_to_alertmanager_ssl_cert/path_to_ca_cert_file}"
        basic_auth:
            username: "{alertmanager_username}"
            password: "{alertmanager_password}"