Apache Kafka - K8s
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 5 | 09 Mar 2022 | |
latest/edge | 27 | 25 Apr 2023 | |
latest/edge | 13 | 21 Oct 2022 | |
3/stable | 56 | 27 Feb 2024 | |
3/candidate | 56 | 27 Feb 2024 | |
3/beta | 56 | 27 Feb 2024 | |
3/edge | 73 | 11 Nov 2024 |
juju deploy kafka-k8s --channel 3/stable
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
How to enable encryption
To enable encryption, you should first deploy a TLS certificates Provider charm.
Deploy a TLS Provider charm
The Kafka K8s and ZooKeeper K8s charms implement the Requirer side of the tls-certificates/v1
charm relation.
Therefore, any charm implementing the Provider side could be used.
One possible option, suitable for testing, could be to use the self-signed-certificates
, although this setup is however not recommended for production clusters.
To deploy a self-signed-certificates
charm:
# deploy the TLS charm
juju deploy self-signed-certificates --channel=edge
# add the necessary configurations for TLS
juju config self-signed-certificates ca-common-name="Test CA"
Please refer to this post for an overview of the TLS certificates Providers charms and some guidance on how to choose the right charm for your use-case.
Enable TLS on Kafka K8s and ZooKeeper K8s
juju relate <tls-certificates> zookeeper-k8s
juju relate <tls-certificates> kafka-k8s:certificates
where <tls-certificates>
is the name of the TLS certificate provider charm deployed.
Note If Kafka K8s and ZooKeeper K8s are already related, they will start renegotiating the relation to provide each other certificates and enable/open to correct ports/connections. Otherwise relate them after the both relations with the
<tls-certificates>
.
Manage keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key
action.
# Updates can be done with auto-generated keys with
juju run kafka-k8s/<unit_id> set-tls-private-key
Passing keys to external/internal keys should only be done with base64 -w0
not cat
, as follows
# generate shared internal key
openssl genrsa -out internal-key.pem 3072
# apply keys on each unit
juju run kafka-k8s/<unit_id> set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
To disable TLS remove the relation
juju remove-relation kafka-k8s <tls-certificates>
juju remove-relation zookeeper-k8s <tls-certificates>
where <tls-certificates>
is the name of the TLS certificate provider charm deployed.