In this workflow scenario, you'll set up a Confluent Platform cluster with full TLS network encryption, using auto-generated certs.
Before continuing with the scenario, ensure that you have set up the prerequisites.
Set the tutorial directory to this scenario's folder inside the directory where you downloaded this GitHub repo:
export TUTORIAL_HOME=<Github repo directory>/security/autogenerated-tls_only
This workflow scenario assumes you are using the namespace confluent.
Set up the Helm Chart:
helm repo add confluentinc https://packages.confluent.io/helm
Install Confluent For Kubernetes using Helm:
helm upgrade --install operator confluentinc/confluent-for-kubernetes -n confluent
Check that the Confluent For Kubernetes pod comes up and is running:
kubectl get pods -n confluent
Confluent For Kubernetes provides auto-generated certificates for Confluent Platform components to use for TLS network encryption. You'll need to generate and provide a Certificate Authority (CA).
Generate a CA pair to use:
openssl genrsa -out $TUTORIAL_HOME/ca-key.pem 2048
openssl req -new -key $TUTORIAL_HOME/ca-key.pem -x509 \
-days 1000 \
-out $TUTORIAL_HOME/ca.pem \
-subj "/C=US/ST=CA/L=MountainView/O=Confluent/OU=Operator/CN=TestCA"
Create a Kubernetes secret for the certificate authority:
kubectl create secret tls ca-pair-sslcerts \
--cert=$TUTORIAL_HOME/ca.pem \
--key=$TUTORIAL_HOME/ca-key.pem -n confluent
Deploy Confluent Platform:
kubectl apply -f $TUTORIAL_HOME/confluent-platform-tls-only.yaml
Check that all Confluent Platform resources are deployed:
kubectl get confluent -n confluent
To connect Kafka clients to the deployed Confluent Platform, you'll need to provide the client configuration to use. The configuration can be provided as a Kubernetes secret that client applications running on Kubernetes mount and read.
Get the status of the Kafka CR:
kubectl describe kafka -n confluent
In the output of the previous command, view the internal client config:
Listeners:
  Internal:
    Client: bootstrap.servers=kafka.confluent.svc.cluster.local:9071
            security.protocol=SSL
            ssl.truststore.location=/mnt/sslcerts/truststore.jks
            ssl.truststore.password=<<jksPassword>>
Create the kafka.properties file in $TUTORIAL_HOME with the above configuration.
The auto-generated certs will create a truststore and mount it on all Confluent Platform component pods at /mnt/sslcerts/truststore.jks. The default truststore password is mystorepassword.
bootstrap.servers=kafka.confluent.svc.cluster.local:9071
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.jks
ssl.truststore.password=mystorepassword
Create a configuration secret for client applications to use:
kubectl create secret generic kafka-client-config-secure \
--from-file=$TUTORIAL_HOME/kafka.properties -n confluent
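The steps above (read the internal client config from the Kafka CR status, fill in the truststore password, write kafka.properties) can be automated. The following is an added example, not part of this tutorial or of Confluent For Kubernetes: it parses a constructed sample of the describe output, substitutes the placeholder, and checks that the resulting client config cannot fall back to an unencrypted connection. The function names and the sample text are this example's own.

```python
"""Render kafka.properties from the Kafka CR status and check it enforces TLS."""

# Constructed sample of the relevant part of `kubectl describe kafka` output,
# modelled on the snippet in the tutorial (not captured from a live cluster).
DESCRIBE_OUTPUT = """\
Status:
  Listeners:
    Internal:
      Client:  bootstrap.servers=kafka.confluent.svc.cluster.local:9071
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.jks
ssl.truststore.password=<<jksPassword>>
  Phase:  RUNNING
"""

# Default password of the truststore mounted by the auto-generated certs (from the tutorial).
DEFAULT_TRUSTSTORE_PASSWORD = "mystorepassword"


def extract_internal_client_config(describe_output: str) -> dict:
    """Collect the key=value lines under Listeners -> Internal -> Client."""
    props, in_internal, capture = {}, False, False
    for raw in describe_output.splitlines():
        line = raw.strip()
        if line.startswith("Internal:"):
            in_internal = True
            continue
        if in_internal and line.startswith("Client:"):
            capture, line = True, line[len("Client:"):].strip()
        if capture:
            if "=" not in line:
                break  # first non key=value line ends the property block
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def render_kafka_properties(props: dict, truststore_password: str) -> str:
    """Replace the <<jksPassword>> placeholder and emit kafka.properties text."""
    filled = {k: (truststore_password if v == "<<jksPassword>>" else v) for k, v in props.items()}
    return "".join(f"{k}={v}\n" for k, v in filled.items())


def check_tls_enforced(props: dict) -> list:
    """Return findings if this client config could reach Kafka without TLS."""
    findings = []
    proto = props.get("security.protocol", "PLAINTEXT")  # Kafka client default
    if proto not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={proto} does not use TLS")
    if not props.get("ssl.truststore.location"):
        findings.append("ssl.truststore.location missing: broker cert not verified against the CA")
    if props.get("ssl.truststore.password", "").startswith("<<"):
        findings.append("ssl.truststore.password still holds the placeholder")
    return findings
```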
Now that you've got the infrastructure set up, deploy the producer client app.
The producer app is packaged and deployed as a pod on Kubernetes. The required topic is defined as a KafkaTopic custom resource in $TUTORIAL_HOME/secure-producer-app-data.yaml.
This app takes the above client configuration as a Kubernetes secret. The secret is mounted to the app pod file system, and the client application reads the configuration as a file.
kubectl apply -f $TUTORIAL_HOME/secure-producer-app-data.yaml -n confluent
Use Control Center to monitor the Confluent Platform, and see the created topic and data.
kubectl port-forward controlcenter-0 9021:9021 -n confluent
Browse to Control Center:
https://localhost:9021
Check that the elastic-0 topic was created and that messages are being produced to the topic.
To tear down the scenario, delete the resources in the reverse order of creation:
kubectl delete -f $TUTORIAL_HOME/secure-producer-app-data.yaml -n confluent
kubectl delete -f $TUTORIAL_HOME/confluent-platform-tls-only.yaml -n confluent
kubectl delete secret kafka-client-config-secure -n confluent
kubectl delete secret ca-pair-sslcerts -n confluent
helm delete operator -n confluent