
# Deployment considerations

> Deploy Conduktor Gateway: choose network routing, load balancing, Kafka connection, and client security before deploying to Docker or Kubernetes.

Deploying Conduktor <Tooltip tip="A Kafka proxy that deploys extensible plugins for encryption, filtering, and data processing.">Gateway</Tooltip> involves making several decisions, based on your requirements and goals.

Gateway is exposed to Kafka clients through one or more **listeners**. Each listener has its own routing, network bindings and security protocol. Most deployments need a single listener.

Follow these steps to configure your Gateway deployment:

1. [Configure listeners](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listeners) - set up the network endpoints clients use to reach Gateway
2. [Define load balancing](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/load-balancing) - select internal or external load balancing
3. [Connect Gateway to Kafka](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/connect-to-kafka) - configure the upstream Kafka connection
4. [Configure listener security](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listener-security) - pick the security protocol and authentication mechanism for each listener
5. [Decide on Virtual Clusters](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/virtual-clusters) - enable logical cluster isolation (optional)

We also recommend that you [configure Gateway for failover](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/failover).

If applicable, [set up Gateway for multi-clusters](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/multi-clusters).

Gateway requires a license key to start; it has to be [provided as an environment variable](/guide/conduktor-in-production/manage-licenses/gateway).

## Secure Gateway before going live

Before deploying Gateway to production:

<Steps>
  <Step title="Configure client authentication">
    Set up authentication mechanisms (SASL, mTLS, or OAuth) on each listener. [Configure listener security](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listener-security).
  </Step>

  <Step title="Set the user pool secret">
    When using local service accounts, set `GATEWAY_USER_POOL_SECRET_KEY` to a random, base64-encoded 256-bit value. Generate the key with `openssl rand -base64 32` so that tokens cannot be forged.
  </Step>

  <Step title="Configure TLS certificates">
    Configure TLS certificates for encrypted communication between clients and Gateway. Set up keystores and truststores according to your security protocol.
  </Step>

  <Step title="Secure administrative API access">
    Configure credentials in `GATEWAY_ADMIN_API_USERS` and set `GATEWAY_SECURED_METRICS` to require authentication for the HTTP management API. [See HTTP API configuration](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#http-api).
  </Step>
</Steps>

## Troubleshoot

### Custom CA certificates for KMS

If you use a Key Management Service (KMS) with custom SSL/TLS certificates (for example, Vault KMS with self-signed certificates or internal certificate authorities), Gateway needs to trust the certificate authority.

Gateway is a Java application, so you need to configure a custom Java truststore that includes your CA certificate.

#### Steps to configure custom CA for KMS

1. **Create a truststore with your CA certificate**

Use the Java `keytool` command to create a truststore and import your CA certificate:

```bash theme={null}
keytool -import \
  -trustcacerts \
  -alias my-kms-ca \
  -file /path/to/your/ca-certificate.crt \
  -keystore /path/to/truststore.jks \
  -storepass yourpassword \
  -storetype JKS \
  -noprompt
```

2. **Mount the truststore into the Gateway container**

Mount your truststore file to a location in the Gateway container (for example, `/opt/conduktor/truststore.jks`).

<Tabs>
  <Tab title="Docker Compose">
    ```yaml theme={null}
    services:
      conduktor-gateway:
        image: conduktor/conduktor-gateway:latest
        ports:
          - 6969:6969
        volumes:
          - /path/on/host/truststore.jks:/opt/conduktor/truststore.jks:ro
        environment:
          KAFKA_BOOTSTRAP_SERVERS: kafka1:9092,kafka2:9092
          JAVA_TOOL_OPTIONS: >-
            -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
            -Djavax.net.ssl.trustStorePassword=yourpassword
            -Djavax.net.ssl.trustStoreType=JKS
    ```
  </Tab>

  <Tab title="Kubernetes">
    ```yaml theme={null}
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: gateway-truststore
    binaryData:
      truststore.jks: <base64-encoded-truststore-content>
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: conduktor-gateway
    spec:
      template:
        spec:
          containers:
          - name: gateway
            image: conduktor/conduktor-gateway:latest
            env:
            - name: JAVA_TOOL_OPTIONS
              value: >-
                -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks
                -Djavax.net.ssl.trustStorePassword=yourpassword
                -Djavax.net.ssl.trustStoreType=JKS
            volumeMounts:
            - name: truststore
              mountPath: /opt/conduktor/truststore.jks
              subPath: truststore.jks
              readOnly: true
          volumes:
          - name: truststore
            configMap:
              name: gateway-truststore
    ```
  </Tab>
</Tabs>

3. **Set the `JAVA_TOOL_OPTIONS` environment variable**

Configure Gateway to use the custom truststore by setting:

```bash theme={null}
JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword -Djavax.net.ssl.trustStoreType=JKS"
```

<Note>
  The `JAVA_TOOL_OPTIONS` environment variable is a standard Java mechanism that applies the truststore configuration to all Java SSL/TLS connections made by Gateway, including connections to KMS services.
</Note>

#### Verify the configuration

After restarting Gateway, check the startup logs to confirm the truststore is being used:

```
Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/opt/conduktor/truststore.jks -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=JKS
```

If Gateway successfully connects to your KMS service, the configuration is correct.
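The two values this page asks you to set before going live, the user pool secret in the "Secure Gateway before going live" steps and the KMS truststore configured in this procedure, are easy to get subtly wrong: a key that does not decode to 256 bits, a `trustStoreType` that does not match the mounted file, or a restart that never picked up `JAVA_TOOL_OPTIONS`. The following pre-flight script is an added example, not Conduktor's own tooling. It checks that `GATEWAY_USER_POOL_SECRET_KEY` decodes to exactly 32 bytes, derives the truststore type from the file extension when building `JAVA_TOOL_OPTIONS`, wraps the `keytool` import shown above with a listing check, and confirms from the startup log that the JVM picked up the expected path and type. All function names, the `GATEWAY_PREFLIGHT_DEMO` and `CA_CERT` variables, and every path, alias and password value are assumptions or placeholders.

```bash
#!/usr/bin/env sh
# Added pre-flight script (not Conduktor's own tooling) for the values this page
# asks you to set: the user pool secret and the custom KMS truststore.
# Assumptions: all paths, the alias and "yourpassword" are placeholders; base64
# comes from coreutils; openssl and keytool are needed only by the optional demo.

# GATEWAY_USER_POOL_SECRET_KEY must decode to exactly 32 bytes (256 bits).
# Returns 0 when the value is well-formed base64 of the right length.
check_user_pool_secret() {
  upsk="$1"
  [ -n "$upsk" ] || return 1
  upsk_len=$(printf '%s' "$upsk" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${upsk_len:-0}" -eq 32 ]
}

# Generate a key the way the page recommends.
generate_user_pool_secret() {
  openssl rand -base64 32
}

# Map a truststore file name to the -Djavax.net.ssl.trustStoreType value, so the
# declared type can never silently disagree with the file that was mounted.
truststore_type_for() {
  case "$1" in
    *.jks) echo JKS ;;
    *.p12|*.pfx) echo PKCS12 ;;
    *) return 1 ;;
  esac
}

# Build the JAVA_TOOL_OPTIONS value for a custom truststore.
build_java_tool_options() {
  ts_store="$1"; ts_pass="$2"
  ts_type=$(truststore_type_for "$ts_store") || {
    echo "unsupported truststore extension: $ts_store" >&2; return 1; }
  printf '%s\n' "-Djavax.net.ssl.trustStore=$ts_store -Djavax.net.ssl.trustStorePassword=$ts_pass -Djavax.net.ssl.trustStoreType=$ts_type"
}

# Create the truststore from a CA certificate (same keytool call as the page)
# and confirm the alias is actually inside it.
create_truststore() {
  ca_file="$1"; ts_store="$2"; ts_pass="$3"
  keytool -import -trustcacerts -alias my-kms-ca -file "$ca_file" \
    -keystore "$ts_store" -storepass "$ts_pass" -storetype JKS -noprompt >/dev/null
  keytool -list -keystore "$ts_store" -storepass "$ts_pass" | grep -q 'my-kms-ca'
}

# After a restart, confirm from the startup log that the JVM picked up the
# truststore path and a type that matches the file. Returns 0 on success.
verify_startup_log() {
  log_file="$1"; ts_store="$2"
  ts_type=$(truststore_type_for "$ts_store") || return 1
  picked=$(grep 'Picked up JAVA_TOOL_OPTIONS' "$log_file" | head -n 1 || true)
  [ -n "$picked" ] || { echo "no 'Picked up JAVA_TOOL_OPTIONS' line found" >&2; return 1; }
  case "$picked" in
    *"-Djavax.net.ssl.trustStore=$ts_store "*"-Djavax.net.ssl.trustStoreType=$ts_type"*) return 0 ;;
  esac
  echo "startup log does not reference $ts_store as a $ts_type truststore" >&2
  return 1
}

# Optional end-to-end demo: run with GATEWAY_PREFLIGHT_DEMO=1 and the CA file in CA_CERT.
if [ "${GATEWAY_PREFLIGHT_DEMO:-0}" = 1 ]; then
  secret=$(generate_user_pool_secret)
  check_user_pool_secret "$secret" && echo "GATEWAY_USER_POOL_SECRET_KEY looks valid"
  store=/opt/conduktor/truststore.jks
  create_truststore "${CA_CERT:?set CA_CERT to your CA certificate}" "$store" yourpassword
  JAVA_TOOL_OPTIONS=$(build_java_tool_options "$store" yourpassword)
  export JAVA_TOOL_OPTIONS
  echo "JAVA_TOOL_OPTIONS=$JAVA_TOOL_OPTIONS"
fi
```

Source the file in a shell or call the functions from a CI step; set `GATEWAY_PREFLIGHT_DEMO=1 CA_CERT=/path/to/ca.crt` to exercise the `openssl` and `keytool` steps end to end. The log check matches only the truststore path and type, so it works whether or not your log pipeline redacts the password on that line. Note that the password is read from the container environment, so whoever can read the environment or the manifest can read it; in Kubernetes it can be supplied from a Secret via `valueFrom.secretKeyRef` instead of a literal `value:`.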

## Related resources

* [Manage service accounts](/guide/tutorials/manage-gateway-service-accounts)
* [Resource reference](/guide/reference/gateway-reference)
* [Configure encryption and decryption](/guide/tutorials/configure-encryption)
* [Give us feedback/request a feature](https://conduktor.io/roadmap) <Icon icon="up-right-from-square" />
