Deploying Conduktor Gateway involves making several decisions, based on your requirements and goals. Follow these steps to configure your Gateway deployment:
1. Configure network - choose between port-based or host-based (SNI) routing
2. Define load balancing - select internal or external load balancing
3. Connect Gateway to Kafka - configure authentication and protocols
4. Configure Gateway to accept client connections - set up security protocols and authentication mechanisms
5. Decide on Virtual Clusters - enable logical cluster isolation (optional)
We also recommend that you configure Gateway for failover.
If applicable, set up Gateway for multi-clusters.
Troubleshoot
Custom CA certificates for KMS
If you use a Key Management Service (KMS) with custom SSL/TLS certificates (for example, Vault KMS with self-signed certificates or internal certificate authorities), Gateway needs to trust the certificate authority.
Gateway is a Java application, so you need to configure a custom Java truststore that includes your CA certificate.
Create a truststore with your CA certificate
Use the Java keytool command to create a truststore and import your CA certificate:
keytool -import \
-trustcacerts \
-alias my-kms-ca \
-file /path/to/your/ca-certificate.crt \
-keystore /path/to/truststore.jks \
-storepass yourpassword \
-storetype JKS \
-noprompt
Mount the truststore into the Gateway container
Mount your truststore file to a location in the Gateway container (for example, /opt/conduktor/truststore.jks).
Docker Compose:

services:
  conduktor-gateway:
    image: conduktor/conduktor-gateway:latest
    ports:
      - 6969:6969
    volumes:
      - /path/on/host/truststore.jks:/opt/conduktor/truststore.jks:ro
    environment:
      KAFKA_BOOTSTRAP_SERVERS: kafka1:9092,kafka2:9092
      JAVA_TOOL_OPTIONS: >-
        -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
        -Djavax.net.ssl.trustStorePassword=yourpassword
        -Djavax.net.ssl.trustStoreType=JKS

Kubernetes:

apiVersion: v1
kind: ConfigMap
metadata:
  name: gateway-truststore
binaryData:
  truststore.jks: <base64-encoded-truststore-content>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: conduktor-gateway
spec:
  template:
    spec:
      containers:
        - name: gateway
          image: conduktor/conduktor-gateway:latest
          env:
            - name: JAVA_TOOL_OPTIONS
              value: >-
                -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
                -Djavax.net.ssl.trustStorePassword=yourpassword
                -Djavax.net.ssl.trustStoreType=JKS
          volumeMounts:
            - name: truststore
              mountPath: /opt/conduktor/truststore.jks
              subPath: truststore.jks
              readOnly: true
      volumes:
        - name: truststore
          configMap:
            name: gateway-truststore
Set the JAVA_TOOL_OPTIONS environment variable
Configure Gateway to use the custom truststore by setting:
JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword -Djavax.net.ssl.trustStoreType=JKS"
The JAVA_TOOL_OPTIONS environment variable is a standard Java mechanism that applies the truststore configuration to all Java SSL/TLS connections made by Gateway, including connections to KMS services.
Verify the configuration
After restarting Gateway, check the startup logs to confirm the truststore is being used:
Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=JKS
If Gateway successfully connects to your KMS service, the configuration is correct.
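If the KMS connection still fails, first rule out the mount and the file itself. The following pre-flight check is an added example, not part of Gateway or the original page. It reads the truststore path from a JAVA_TOOL_OPTIONS string and confirms the path is a readable keystore file. The helper names jvm_prop, keystore_format and check_truststore_opts are hypothetical, and a POSIX shell with od is assumed to be available where it runs.

```shell
#!/bin/sh
# Added example: pre-flight check for the truststore named in JAVA_TOOL_OPTIONS.
# jvm_prop, keystore_format and check_truststore_opts are hypothetical helpers.

# Print the value of -D<name>=<value> found in an options string.
jvm_prop() (
  set -f                               # no glob expansion while word-splitting
  prefix="-D$2="
  for tok in $1; do
    case "$tok" in
      "$prefix"*) printf '%s\n' "${tok#"$prefix"}"; return 0 ;;
    esac
  done
  return 1
)

# Identify a keystore file by its leading bytes.
keystore_format() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    feedfeed) echo JKS ;;              # JKS files start with 0xFEEDFEED
    30*)      echo PKCS12 ;;           # DER encoding: starts with a SEQUENCE tag
    *)        echo unknown ;;          # e.g. a PEM .crt mounted by mistake
  esac
}

# Exit status: 0 usable, 1 no trustStore option set,
# 2 path is not a readable regular file, 3 file is not a keystore.
check_truststore_opts() {
  ts_path=$(jvm_prop "$1" javax.net.ssl.trustStore) || return 1
  # With the short volume syntax, Docker creates a directory at the mount
  # target when the host path is missing, so require a regular file.
  { [ -f "$ts_path" ] && [ -r "$ts_path" ]; } || return 2
  fmt=$(keystore_format "$ts_path")
  [ "$fmt" != unknown ] || return 3
  declared=$(jvm_prop "$1" javax.net.ssl.trustStoreType) || declared="(default)"
  echo "trustStore=$ts_path format=$fmt declared=$declared"
}

# Run inside the container: check_truststore_opts "$JAVA_TOOL_OPTIONS"
```

A non-zero status points at the mount or the file rather than at the KMS. Note also that javax.net.ssl.trustStore replaces the JVM's default cacerts for connections that use the default trust store, so any other CA those connections need must be imported into the same truststore.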