Apache Kafka
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
3/stable | 185 | 23 Oct 2024 | |
3/candidate | 188 | 13 Nov 2024 | |
3/beta | 188 | 13 Nov 2024 | |
3/edge | 191 | 20 Nov 2024 |
juju deploy kafka --channel 3/edge
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
How to enable encryption
Deploy a TLS Provider charm
To enable encryption, you should first deploy a TLS certificates Provider charm. The Kafka and ZooKeeper charms implements the Requirer side of the tls-certificates/v1
charm relation.
Therefore, any charm implementing the Provider side could be used.
One possible option, suitable for testing, could be to use the self-signed-certificates
, although this setup is however not recommended for production clusters.
To deploy a self-signed-certificates
charm:
# deploy the TLS charm
juju deploy self-signed-certificates --channel=edge
# add the necessary configurations for TLS
juju config self-signed-certificates ca-common-name="Test CA"
Please refer to this post for an overview of the TLS certificates Providers charms and some guidance on how to choose the right charm for your use-case.
Enable TLS on Kafka and ZooKeeper
juju relate <tls-certificates> zookeeper
juju relate <tls-certificates> kafka:certificates
where <tls-certificates>
is the name of the TLS certificate provider charm deployed.
Note If Kafka and ZooKeeper are already related, they will start renegotiating the relation to provide each other certificates and enable/open to correct ports/connections. Otherwise relate them after the both relations with the
<tls-certificates>
.
Manage keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key
action.
# Updates can be done with auto-generated keys with
juju run kafka/<unit_id> set-tls-private-key
Passing keys to external/internal keys should only be done with base64 -w0
not cat
, as follows
# generate shared internal key
openssl genrsa -out internal-key.pem 3072
# apply keys on each unit
juju run kafka/<unit_id> set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
To disable TLS remove the relation
juju remove-relation kafka <tls-certificates>
juju remove-relation zookeeper <tls-certificates>
where <tls-certificates>
is the name of the TLS certificate provider charm deployed.