Configure Authentication for Confluent Manager for Apache Flink¶

By default, Confluent Manager for Apache Flink® (CMF) installs with authentication disabled. CMF supports mutual TLS (mTLS) authentication and OAuth authentication only.

mTLS authentication¶

mTLS provides two-way authentication to ensure that traffic between clients and the CMF node is secure, and that content from both directions can be trusted. For a review of mTLS and RBAC terminology, see Terminology.

Example¶

The following configuration file shows how to provision Confluent Manager for Apache Flink with a keystore and truststore to specify mTLS for all communication. It also shows how to configure a mounted volume to store certificates. You pass the configuration file to Helm when you install CMF.

# mtls-values.yaml
 cmf:
 ssl:
     keystore: /store/my-keystore
     keystore-password: # Optional in case the key store is password protected
     trust-store: /store/my-trust-store
     trust-store-password: # Optional in case the trust store is password protected
     client-auth: need # Indicates clients with valid certificate are required
 authentication:
     type: mtls
     config:
     auth.ssl.principal.mapping.rules: # Optional to extract a specific principal from the certificate https://docs.confluent.io/platform/current/security/authentication/mutual-tls/tls-principal-mapping.html

 # Example to mount the certificate stores into your installation
 mountedVolumes:
 volumes:
     - name: certificates
     azureFile:
     secretName: azure-secret
     shareName: aksshare
     readOnly: true
 volumeMounts:
     - name: certificates
     mountPath: /store
Copy

When you make the helm install call, use the -f flag to pass the YAML file with the security information like the following:

helm upgrade --install cmf confluent/confluent-manager-for-apache-flink \
-f mtls-values.yaml
Copy

OAuth authentication¶

Note

OAuth is available starting with Confluent Platform version 7.9, but only with REST APIs. It is NOT available with the confluent CLI or the Confluent for Kubernetes operator.

Starting with Confluent Platform version 7.9, the CMF server can be configured for Open Authentication (OAuth) to secure its services.

Example¶

The following configuration file shows how to provision Confluent Manager for Apache Flink with OAuth authentication.

# oauth-values.yaml
 cmf:
 authentication:
     type: oauth
     config:
         oauthbearer.jwks.endpoint.url: <jwks-endpoint-url>
         token.issuer: Confluent
         oauthbearer.expected.issuer: <idp-issuer-url>
         oauthbearer.sub.claim.name: <sub-claim-name>
         oauthbearer.groups.claim.name: <groups-claim-name>
         oauthbearer.expected.audience: <audience>
         public.key.path: /path/to/metadata-public-key
         confluent.metadata.bootstrap.server.urls: <mds-url>:<mds-port>
         confluent.metadata.http.auth.credentials.provider: OAUTHBEARER
         confluent.metadata.oauthbearer.token.endpoint.url: <idp-token-url>
         confluent.metadata.oauthbearer.login.client.id: <client-id-for-cmf>
         confluent.metadata.oauthbearer.login.client.secret: <client-secret-for-cmf>
Copy

Configure Authentication for Confluent Manager for Apache Flink¶

mTLS authentication¶

Example¶

OAuth authentication¶

Example¶

Related content¶