Skip to main content
Deploying Conduktor involves making several decisions, based on your requirements and goals. Follow these steps to configure your Gateway deployment:
  1. Configure network - choose between port-based or host-based (SNI) routing
  2. Define load balancing - select internal or external load balancing
  3. Connect Gateway to Kafka - configure authentication and protocols
  4. Configure Gateway to accept client connections - set up security protocols and authentication mechanisms
  5. Decide on Virtual Clusters - enable logical cluster isolation (optional)
We also recommend that you configure Gateway for failover. If applicable, set up Gateway for multi-clusters.

Secure Gateway before going live

Before deploying Gateway to production:
1

Configure client authentication

Set up authentication mechanisms (SASL, mTLS, or OAuth) for client connections. Configure client connections.
2

Set the user pool secret

Set GATEWAY_USER_POOL_SECRET_KEY to a random base64 encoded value of 256 bits when using local service accounts. Generate the key using openssl rand -base64 32 to ensure tokens aren’t forged.
3

Configure TLS certificates

Configure TLS certificates for encrypted communication between clients and Gateway. Set up keystores and truststores according to your security protocol.
4

Secure administrative API access

Configure credentials in GATEWAY_ADMIN_API_USERS and set GATEWAY_SECURED_METRICS to require authentication for the HTTP management API. See HTTP API configuration.

Troubleshoot

Custom CA certificates for KMS

If you use a Key Management Service (KMS) with custom SSL/TLS certificates (for example, Vault KMS with self-signed certificates or internal certificate authorities), Gateway needs to trust the certificate authority. Gateway is a Java application, so you need to configure a custom Java truststore that includes your CA certificate.

Steps to configure custom CA for KMS

  1. Create a truststore with your CA certificate
Use the Java keytool command to create a truststore and import your CA certificate: 
keytool -import \
  -trustcacerts \
  -alias my-kms-ca \
  -file /path/to/your/ca-certificate.crt \
  -keystore /path/to/truststore.jks \
  -storepass yourpassword \
  -storetype JKS \
  -noprompt
  1. Mount the truststore into the Gateway container
Mount your truststore file to a location in the Gateway container (for example, /opt/conduktor/truststore.jks). 
services:
  conduktor-gateway:
    image: conduktor/conduktor-gateway:latest
    ports:
      - 6969:6969
    volumes:
      - /path/on/host/truststore.jks:/opt/conduktor/truststore.jks:ro
    environment:
      KAFKA_BOOTSTRAP_SERVERS: kafka1:9092,kafka2:9092
      JAVA_TOOL_OPTIONS: >-
        -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
        -Djavax.net.ssl.trustStorePassword=yourpassword
        -Djavax.net.ssl.trustStoreType=JKS
  1. Set the JAVA_TOOL_OPTIONS environment variable
Configure Gateway to use the custom truststore by setting: 
JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword -Djavax.net.ssl.trustStoreType=JKS"
The JAVA_TOOL_OPTIONS environment variable is a standard Java mechanism that applies the truststore configuration to all Java SSL/TLS connections made by Gateway, including connections to KMS services.

Verify the configuration

After restarting Gateway, check the startup logs to confirm the truststore is being used: 
Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=JKS
If Gateway successfully connects to your KMS service, the configuration is correct.