Configure Authentication for Confluent Manager for Apache Flink
By default, Confluent Manager for Apache Flink® installs with authentication disabled. CMF supports mutual TLS (mTLS) authentication only.
mTLS provides two-way authentication to ensure that traffic between clients and the CMF node is secure, and that content from both directions can be trusted. For a review of mTLS and RBAC terminology, see Terminology.
Example
The following configuration file shows how to provision Confluent Manager for Apache Flink with a keystore and truststore to specify mTLS for all communication. It also shows how to configure a mounted volume to store certificates. You pass the configuration file to Helm when you install CMF.
# mtls-values.yaml
cmf:
  ssl:
    keystore: /store/my-keystore
    keystore-password: # Optional, needed only if the keystore is password protected
    trust-store: /store/my-trust-store
    trust-store-password: # Optional, needed only if the trust store is password protected
    client-auth: need # Clients must present a valid certificate
  authentication:
    type: mtls
    config:
      auth.ssl.principal.mapping.rules: # Optional, extracts a specific principal from the certificate; see https://docs.confluent.io/platform/current/security/authentication/mutual-tls/tls-principal-mapping.html
# Example of mounting the certificate stores into your installation
mountedVolumes:
  volumes:
    - name: certificates
      azureFile:
        secretName: azure-secret
        shareName: aksshare
        readOnly: true
  volumeMounts:
    - name: certificates
      mountPath: /store
When you run the helm install command, use the -f flag to pass the YAML file with the security information, like the following:
helm upgrade --install cmf confluent/confluent-manager-for-apache-flink \
-f mtls-values.yaml