Deploying Conduktor involves making several decisions, based on your requirements and goals. Follow these steps to configure your Gateway deployment:
  1. Configure network - choose between port-based or host-based (SNI) routing
  2. Define load balancing - select internal or external load balancing
  3. Connect Gateway to Kafka - configure authentication and protocols
  4. Configure Gateway to accept client connections - set up security protocols and authentication mechanisms
  5. Decide on Virtual Clusters - enable logical cluster isolation (optional)
We also recommend that you configure Gateway for failover. If applicable, set up Gateway for multi-clusters. Gateway requires a license key to start, which must be provided as an environment variable.

Secure Gateway before going live

Before deploying Gateway to production:
  1. Configure client authentication
Set up authentication mechanisms (SASL, mTLS, or OAuth) for client connections. Configure client connections.
  2. Set the user pool secret
Set GATEWAY_USER_POOL_SECRET_KEY to a random base64 encoded value of 256 bits when using local service accounts. Generate the key using openssl rand -base64 32 to ensure tokens aren’t forged.
  3. Configure TLS certificates
Configure TLS certificates for encrypted communication between clients and Gateway. Set up keystores and truststores according to your security protocol.
  4. Secure administrative API access
Configure credentials in GATEWAY_ADMIN_API_USERS and set GATEWAY_SECURED_METRICS to require authentication for the HTTP management API. See HTTP API configuration.
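
A key of the wrong length or encoding still looks like a plausible secret, so a deploy script can check the GATEWAY_USER_POOL_SECRET_KEY value from the user pool secret step before Gateway starts. This is an added example, not Conduktor code; the function name check_pool_key and the distinct-byte threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Conduktor code. check_pool_key is a hypothetical helper.
# It validates a candidate GATEWAY_USER_POOL_SECRET_KEY without printing it.

check_pool_key() {
  key=$1
  # 32 bytes in standard base64 is always 43 alphabet characters plus one '='.
  # A hex key from `openssl rand -hex 32` is 64 characters of valid base64
  # text that decodes to 48 bytes, so it fails here.
  if [ "${#key}" -ne 44 ]; then
    echo "rejected: ${#key} characters, expected 44" >&2
    return 1
  fi
  case $key in
    *=) ;;
    *) echo "rejected: no trailing '=' padding" >&2; return 1 ;;
  esac
  case ${key%=} in
    *[!A-Za-z0-9+/]*)
      echo "rejected: not standard base64" >&2
      return 1 ;;
  esac
  # Decode to one hex byte per line so the bytes can be counted.
  hex=$(printf '%s' "$key" | base64 -d 2>/dev/null |
        od -An -v -tx1 | tr -s ' ' '\n' | grep .)
  bytes=$(printf '%s\n' "$hex" | grep -c .)
  if [ "$bytes" -ne 32 ]; then
    echo "rejected: decodes to $bytes bytes, expected 32" >&2
    return 1
  fi
  # Heuristic chosen for this example: random 32-byte values almost always
  # have about 30 distinct bytes, so a low count indicates a placeholder.
  distinct=$(printf '%s\n' "$hex" | sort -u | grep -c .)
  if [ "$distinct" -lt 16 ]; then
    echo "rejected: only $distinct distinct byte values" >&2
    return 1
  fi
  return 0
}

# Check the real variable when it is set, for example in a deploy script.
if [ -n "${GATEWAY_USER_POOL_SECRET_KEY:-}" ]; then
  check_pool_key "$GATEWAY_USER_POOL_SECRET_KEY" && echo "user pool key: ok"
fi
```

The distinct-byte test only catches obvious placeholders such as an all-zero key; it is not a measure of randomness.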

Troubleshoot

Custom CA certificates for KMS

If you use a Key Management Service (KMS) with custom SSL/TLS certificates (for example, Vault KMS with self-signed certificates or internal certificate authorities), Gateway needs to trust the certificate authority. Gateway is a Java application, so you need to configure a custom Java truststore that includes your CA certificate.

Steps to configure custom CA for KMS

  1. Create a truststore with your CA certificate
Use the Java keytool command to create a truststore and import your CA certificate:
keytool -import \
  -trustcacerts \
  -alias my-kms-ca \
  -file /path/to/your/ca-certificate.crt \
  -keystore /path/to/truststore.jks \
  -storepass yourpassword \
  -storetype JKS \
  -noprompt
  2. Mount the truststore into the Gateway container
Mount your truststore file to a location in the Gateway container (for example, /opt/conduktor/truststore.jks).
services:
  conduktor-gateway:
    image: conduktor/conduktor-gateway:latest
    ports:
      - 6969:6969
    volumes:
      - /path/on/host/truststore.jks:/opt/conduktor/truststore.jks:ro
    environment:
      KAFKA_BOOTSTRAP_SERVERS: kafka1:9092,kafka2:9092
      JAVA_TOOL_OPTIONS: >-
        -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
        -Djavax.net.ssl.trustStorePassword=yourpassword
        -Djavax.net.ssl.trustStoreType=JKS
  3. Set the JAVA_TOOL_OPTIONS environment variable
Configure Gateway to use the custom truststore by setting:
JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword -Djavax.net.ssl.trustStoreType=JKS"
The JAVA_TOOL_OPTIONS environment variable is a standard Java mechanism that applies the truststore configuration to all Java SSL/TLS connections made by Gateway, including connections to KMS services.

Verify the configuration

After restarting Gateway, check the startup logs to confirm the truststore is being used:
Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=JKS
If Gateway successfully connects to your KMS service, the configuration is correct.