This feature is available with Conduktor Exchange only.
Partner Zones
Partner Zones allow you to share Kafka topics with external partners selectively and securely. You can:
- set up dedicated zones with customized access to Kafka topics
- create a single source of truth because data isn’t duplicated
- reduce operational costs, since you don’t have to keep data streams synchronized

Prerequisites
Before creating a Partner Zone, you have to:
- use Conduktor Console 1.37.0 or later
- use Conduktor Gateway 3.12.0 or later with the following configurations:
  - GATEWAY_SECURITY_PROTOCOL set to SSL, SASL_SSL, or SASL_PLAINTEXT
  - GATEWAY_SECURITY_MODE set to GATEWAY_MANAGED
  - GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED set to true
  - GATEWAY_FEATURE_FLAGS_MANDATORY_VCLUSTER set to true. Find out more about this environment variable and what service account has to be set up.
- use a service account that can access the topics you want to share to connect to Gateway
- be logged in to the Console UI as an admin, or use an admin token for the CLI
- in Console, configure your Gateway cluster and fill in the Provider tab with Gateway API credentials
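A preflight check for the Gateway settings listed above, as an added example (not Conduktor's own tooling). It assumes the Gateway environment is kept in an env-style file of KEY=value lines; the sample file and the function names are constructed for illustration.

```python
ALLOWED_PROTOCOLS = {"SSL", "SASL_SSL", "SASL_PLAINTEXT"}
REQUIRED = {  # variable -> value required by the prerequisites above
    "GATEWAY_SECURITY_MODE": "GATEWAY_MANAGED",
    "GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED": "true",
    "GATEWAY_FEATURE_FLAGS_MANDATORY_VCLUSTER": "true",
}

def parse_env(text):
    """Parse KEY=value lines; skips blanks, # comments and lines without '='."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def check_prerequisites(env):
    """Return (errors, warnings) for the Gateway settings Partner Zones need."""
    errors, warnings = [], []
    proto = env.get("GATEWAY_SECURITY_PROTOCOL")
    if proto is None:
        errors.append("GATEWAY_SECURITY_PROTOCOL is not set")
    elif proto not in ALLOWED_PROTOCOLS:
        errors.append(f"GATEWAY_SECURITY_PROTOCOL={proto} is not an accepted value")
    elif proto == "SASL_PLAINTEXT":
        warnings.append("SASL_PLAINTEXT is accepted but runs SASL without TLS")
    for key, expected in REQUIRED.items():
        actual = env.get(key)
        # Booleans compare case-insensitively, the mode value exactly.
        norm = actual.lower() if actual and expected == "true" else actual
        if norm != expected:
            errors.append(f"{key} is {actual or 'not set'}, expected {expected}")
    return errors, warnings

# Constructed sample env file, not taken from a real deployment.
SAMPLE_ENV = """\
# gateway.env
GATEWAY_SECURITY_PROTOCOL=SASL_PLAINTEXT
GATEWAY_SECURITY_MODE=KAFKA_MANAGED
GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED="true"
"""

if __name__ == "__main__":
    errs, warns = check_prerequisites(parse_env(SAMPLE_ENV))
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]))
```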
Partner Zones currently have the following limitations:
- Local service accounts cannot be revoked; they only expire when their time-to-live is reached. If you need to revoke access to your partner after issuing a local service account credential, you will have to delete the Partner Zone.
Create a Partner Zone
You can create a Partner Zone from the Console UI, or the Conduktor CLI.
Use the Console UI to create a Partner Zone in just a few steps.
- In Conduktor Console, go to Settings > Partner Zones and click +New zone.
- Define the Partner Zone details:
  - Add a descriptive name for the zone.
  - The Technical ID will be auto-populated as you type in the name. This is used to identify this zone in CLI/API. You may choose your own ID if you prefer.
  - Service account will also be auto-generated based on the name but you can edit this as required. Service accounts are used to define permissions on Kafka resources; these permissions are mapped to ACL (Access Control List) entries.
  - (Optional) Enter a relevant URL for your partner.
  - (Optional) Enter a Description to explain your reasons/requirements for sharing data.
  - (Optional) Specify contact details of the beneficiary/recipient of this Partner Zone.
- Select Gateway to choose the one you want to use, then select an available cluster under the Gateway and click Continue.
  - Find out how to configure Gateway for multiple clusters.
  - Only clusters that have also been configured in Console will be available to select. See the Partner Zone multi-cluster tutorial on how to configure the underlying clusters in Console.
- Choose what and how to share:
  - Select the Kafka topics to include in this Partner Zone. You can filter topics by custom labels you’ve defined or search for a topic by name.
  - Select Read/Write. By default, any topics that are shared will be shared with Read-only access, but you can additionally allow Write access.
  - (Optional) Rename topics to how you want the consumer to read them by hovering over the name of any topic being shared, and selecting the pencil button.
  - Continue when done.
- Select the preferred authentication mechanism to connect to the Partner Zone. Enter the service account name required to connect to the Partner Zone.
  - For credentials managed by OAuth, the service account name has to match the “sub” claim in the token.
- (Optional) Protect your cluster by limiting clients with Traffic Control Policies. Limit their rate of producing, consuming or committing offsets.
- Review the details and if you’re happy with the data you’re about to share, click Create.
- name and URL
- the number of topics shared
- Gateway details
- the status:
- Pending: means the configuration isn’t deployed or refreshed yet. It may need to wait for the next reconciliation, which is configurable via the environment variables
- Ready: shows that the configuration is up-to-date on Gateway
- Failed: indicates that something unexpected happened during the creation. Check that the connected Gateway is active
- the date the zone was last updated
Edit a Partner Zone
To edit a Partner Zone you can either:
- go to the Partner Zone page list view, and click the three dots on the right-hand side then select Edit
- or go to a specific Partner Zone’s details view, click the Edit button in the top right corner.
- update Partner Zone details (name, URL, description and contact details)
- manage topics - add new ones or change topic aliases
- change traffic control policies or transformations
Click Continue when done.
Change zone details
- Name (hover over the name and click the pencil button)
- URL
- Description
- Contact details
Manage topics
- Add new topics (follow the steps from creating a Partner Zone)
- Change shared topic alias
If you change a topic alias after it’s been shared with a partner, they won’t be able to find the topic anymore and will get an error. Only change shared topic names if you’re sure that your partners are not using this topic.
- Remove existing topics from the Partner Zone (click the trash can button next to the relevant topic under the Topics section).
At least one topic has to exist in a Partner Zone, so you won’t be able to delete the last topic via the UI. If you have to, delete that Partner Zone.
Update traffic control policies
Expand the Traffic control policies section by clicking on it. You can toggle the switch next to the policy you want to enable/disable and update the value.
Click Save in the top right corner when done.
Delete a Partner Zone
To delete a Partner Zone you can either:
- go to the Partner Zone page list view, and click the three dots on the right-hand side then click the trash can button
- or go to a specific Partner Zone’s details view, click the trash can button in the top right corner.
DELETE to confirm the deletion. This cannot be undone.
Troubleshoot
What does the Partner Zone status mean?
The status of a Partner Zone may be one of the following:
- Pending: the configuration isn’t deployed or refreshed yet
- Ready: the configuration is up-to-date on Gateway
- Failed: something unexpected happened during the deployment. Check that the connected Gateway is active
My Partner Zone creation failed, how do I find out what the issue is?
To check the status, use the API to GET the state of the Partner Zone, or check the Gateway and Console logs.
Does Generate password invalidate the previously issued credentials of a service account?
No, you can’t invalidate issued credentials - they instead have a set time to live. If you’re concerned about any issued credentials, delete and re-create the Partner Zone, then re-issue fresh credentials. We recommend deploying Partner Zones using the IaC (Infrastructure as Code) approach. Find out more about this resource.
Audit log events
Event type | Description |
---|---|
Admin.PartnerZone.Create | A Partner Zone is created. |
Admin.PartnerZone.Update | A Partner Zone is updated. |
Admin.PartnerZone.Delete | A Partner Zone is deleted. |
Admin.PartnerZone.TokenCreate | A token is created for accessing a Partner Zone. |
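Because issued credentials cannot be revoked and only lapse at their time-to-live or when the zone is deleted, the events above can be used to list credentials that may still be valid. The following is an added example, not part of Conduktor's documentation or tooling: the JSON record shape (`type`, `zone`, `time`), the sample records and the 30-day time-to-live are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def outstanding_credentials(lines, now, ttl):
    """Map zone -> issue times of credentials that may still be valid at `now`.

    A credential is outstanding if it was issued less than `ttl` ago and its
    zone has not been deleted since it was issued.
    """
    issued, deleted_at = {}, {}
    for line in lines:
        try:
            ev = json.loads(line)
            etype, zone = ev["type"], ev["zone"]
            when = datetime.fromisoformat(ev["time"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the review
        if etype == "Admin.PartnerZone.TokenCreate":
            issued.setdefault(zone, []).append(when)
        elif etype == "Admin.PartnerZone.Delete":
            deleted_at[zone] = max(when, deleted_at.get(zone, when))
    result = {}
    for zone, times in issued.items():
        cutoff = deleted_at.get(zone)
        live = sorted(t for t in times
                      if now - t < ttl and (cutoff is None or t > cutoff))
        if live:
            result[zone] = live
    return result

def _ev(etype, zone, time):  # builds one constructed audit record
    return json.dumps({"type": f"Admin.PartnerZone.{etype}", "zone": zone, "time": time})

SAMPLE_LOG = [  # constructed records; the field names are assumptions
    _ev("Create", "partner-a", "2025-01-01T09:00:00+00:00"),
    _ev("TokenCreate", "partner-a", "2025-01-10T09:00:00+00:00"),
    _ev("Delete", "partner-a", "2025-01-15T12:00:00+00:00"),
    _ev("Create", "partner-a", "2025-01-15T12:05:00+00:00"),
    _ev("TokenCreate", "partner-a", "2025-01-15T12:10:00+00:00"),
    _ev("TokenCreate", "partner-b", "2024-12-01T08:00:00+00:00"),
    _ev("TokenCreate", "partner-c", "2025-01-20T08:00:00+00:00"),
    "truncated {record",
]
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)
TTL = timedelta(days=30)  # assumed credential time-to-live

if __name__ == "__main__":
    for zone, times in outstanding_credentials(SAMPLE_LOG, NOW, TTL).items():
        print(zone, [t.isoformat() for t in times])
```

The credential issued to partner-a before the zone was deleted and re-created is not reported, which matches the delete-and-re-create procedure described in the troubleshooting answer above.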