Skip to main content
Gateway can be configured to communicate with multiple Kafka clusters and expose their topics to your partners. You can:
  • direct partners to a single endpoint,
  • provide them with access to topics in multiple Kafka clusters and
  • expose topics using aliases that can be different from actual topic names.
To set up Gateway to support multi-clusters, you should:
  1. Configure one main cluster which will be used by Gateway to store its internal state.
  2. Set up any number of upstream physical Kafka clusters that you want to expose through Gateway.
You can do this using the configuration file or with environment variables.
If you’re using partner virtual clusters to share data with external third parties, be aware that cluster IDs (e.g., clusterA, clusterB) may appear in the bootstrap server address or client logs.To prevent unintended exposure, avoid using sensitive names/information in cluster IDs.
  • Use a configuration file
  • Use environment variables
Specify your main and upstream cluster configurations, along with a gateway.roles entry to mark the upstream clusters.
cluster-config.yaml
config:
  main:
    bootstrap.servers: '<main_bootstrap_servers>:9092'
    security.protocol: 'SASL_SSL'
    sasl.mechanism: 'PLAIN'
    sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="<main_api_key>" password="<main_api_secret>";'
  clusterA:
    bootstrap.servers: '<clusterA_bootstrap_servers>:9092'
    security.protocol: 'SASL_SSL'
    sasl.mechanism: 'PLAIN'
    sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="<clusterA_api_key>" password="<clusterA_api_secret>";'
    gateway.roles: 'upstream' # Note: may be omitted as upstream is the default (used to differentiate from failover clusters)
  clusterB:
    bootstrap.servers: '<clusterB_bootstrap_servers>:9092'
    security.protocol: 'SASL_SSL'
    sasl.mechanism: 'PLAIN'
    sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="<clusterB_api_key>" password="<clusterB_api_secret>";'
    gateway.roles: 'upstream' # Note: may be omitted as upstream is the default (used to differentiate from failover clusters)
Then, mount the cluster config file in the Gateway container using the configuration GATEWAY_BACKEND_KAFKA_SELECTOR:
GATEWAY_BACKEND_KAFKA_SELECTOR: 'file : { path: /cluster-config.yaml}'

Partner virtual clusters

These steps are for setting up a partner virtual cluster manually. Alternatively, to simplify the process, we recommend creating a Partner Zone which supports multi-clusters. You can also Check out the tutorial on creating Partner Zones with multi-cluster Gateway.

1. Create a partner virtual cluster

First, create a new partner virtual cluster.
For partner virtual clusters, aclEnabled has to be true and superUsers must not be empty.
  • CLI
  • API
Create this YAML file:
mypartner.yaml
---
kind: VirtualCluster
apiVersion: gateway/v2
metadata:
  name: mypartner
spec:
  aclEnabled: true
  superUsers:
    - super-user
  type: Partner
Then, apply it:
conduktor apply -f mypartner.yaml

2. Alias your topics

Finally, create aliases for existing topics in the partner virtual cluster.
Alias topics within a partner virtual cluster can only point to topics from the same physical cluster.
  • CLI
  • API
Create this YAML file:
alias-topics.yaml
---
kind: AliasTopic
apiVersion: gateway/v2
metadata:
  name: topic1
  vCluster: mypartner
spec:
  physicalName: internal-topic-name1
  physicalCluster: clusterA
---
kind: AliasTopic
apiVersion: gateway/v2
metadata:
  name: topic2
  vCluster: mypartner
spec:
  physicalName: internal-topic-name2
  physicalCluster: clusterA
Then, apply it:
conduktor apply -f alias-topics.yaml

3. Create service accounts

Once the virtual cluster is created and contains the topics to expose to your partners, you’ll need to create service accounts and configure ACLs (Access Control Lists). Create two service accounts for the partner virtual cluster: one super user and one partner user. The super user will manage ACLs and grant permissions to the partner user, who will use their account to access the exposed topics.
  • CLI
  • API
service-accounts.yaml
---
kind: GatewayServiceAccount
apiVersion: gateway/v2
metadata:
  name: super-user
  vCluster: mypartner
spec:
  type: LOCAL
---
kind: GatewayServiceAccount
apiVersion: gateway/v2
metadata:
  name: partner-user
  vCluster: mypartner
spec:
  type: LOCAL
Then, apply it:
conduktor apply -f service-accounts.yaml
In order to connect to Gateway using these service accounts, you need to get their associated password.
conduktor run generateServiceAccountToken \
  --username super-user \
  --v-cluster mypartner \
  --life-time-seconds 100000000

conduktor run generateServiceAccountToken \
  --username partner-user \
  --v-cluster mypartner \
  --life-time-seconds 100000000
Put the admin credentials in a file called mypartner-super-user.properties:
mypartner-super-user.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="super-user" password="$SUPER-USER-PASSWORD";
And the partner credentials in a file called mypartner-partner-user.properties:
mypartner-partner-user.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="partner-user" password="$PARTNER-USER-PASSWORD";

4. Create ACLs for the service accounts

Before creating ACLs, you need to know how to reach this partner virtual cluster. For that, make the following request: 
curl \
  --silent \
  --user "admin:conduktor" \
  "http://localhost:8888/gateway/v2/virtual-cluster/mypartner"
This will return something like this, with the bootstrap address and client properties: 
{
  "kind": "VirtualCluster",
  "apiVersion": "gateway/v2",
  "metadata": {
    "name": "mypartner"
  },
  "spec": {
    "aclEnabled": true,
    "superUsers": [ "super-user" ],
    "type": "Partner",
    "bootstrapServers": "<partner_virtual_cluster_bootstrap_address>",
    "clientProperties": {
      "security.protocol": "SASL_PLAINTEXT",
      "sasl.mechanism": "PLAIN",
      "sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username={{username}} password={{password}};"
    }
  }
}
From there, you have everything you need to create ACLs for the partner service accounts: 
# The partner can consume all the topics of this partner virtual cluster
kafka-acls --bootstrap-server <partner_virtual_cluster_bootstrap_address> \
  --command-config mypartner-super-user.properties \
  --add \
  --allow-principal User:partner-user \
  --consumer \
  --topic "*" \
  --group partner-app

# The partner can produce and consume from the topic1 alias topic
kafka-acls --bootstrap-server <partner_virtual_cluster_bootstrap_address> \
  --command-config mypartner-super-user.properties \
  --add \
  --allow-principal User:partner-user \
  --producer \
  --topic topic1

5. Test partner virtual cluster access

Now that the partner user has the correct ACLs, you can use their credentials to interact with the alias topics and verify that the permissions are correctly set. 
kafka-console-producer --bootstrap-server localhost:6974 \
  --topic topic1 \
  --producer.config mypartner-partner-user.properties

kafka-console-consumer --bootstrap-server localhost:6974 \
  --topic topic2 \
  --consumer.config mypartner-partner-user.properties \
  --group partner-app \
  --from-beginning
Once confirmed, simply share the mypartner-partner-user.properties file and the correct bootstrap server details with your partner.