Clusters

Overview

Tip: Use our interactive guide to learn how to connect your Kafka cluster, Schema Registry and Kafka Connect.

In the Clusters section of Settings, you can add, update, and delete Kafka cluster configurations. By default, only users who belong to the Admin group, or who have the Can manage Cluster configurations permission, can view and manage the clusters.

Cluster admin

To create a new cluster configuration, click on the "Create cluster" button in the top right-hand corner.

To edit an existing cluster configuration, select it from the list. You will then be able to adjust the name & color, technical ID, bootstrap servers, and additional properties. You can also enable Schema Registry and Kafka Connect for the cluster.

Connect to a secure Kafka cluster

Conduktor leverages the default Apache Kafka Java Clients, and therefore we use the same configuration properties.

When the Conduktor Console needs to connect to a secure Kafka cluster, you must specify the values from your config.properties file.

For example:

security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username='<username>' password='<password>';

Info: If your configuration references a keystore or truststore path, check the Client Certificate Authentication documentation.
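
Before pasting client properties into Console, it helps to check that they keep the connection encrypted, and to mask the password before the same text ends up in a ticket or log. The following is an added example, not Conduktor code: the function names and sample values are constructed for illustration, and the parser also handles the backslash-continued form used in the Google Cloud section of this page.

```python
import re

TLS_PROTOCOLS = {"SSL", "SASL_SSL"}
# Matches password="..." or password='...' inside a sasl.jaas.config value.
JAAS_PASSWORD = re.compile(r"""(password\s*=\s*)(["'])(.*?)\2""")

def parse_properties(text):
    """Parse key=value lines, joining lines that end with a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]  # keep accumulating the continued value
            continue
        pending = ""
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def findings(props):
    """List settings that expose credentials or skip broker verification."""
    out = []
    protocol = props.get("security.protocol", "PLAINTEXT")  # Kafka client default
    if protocol not in TLS_PROTOCOLS:
        out.append(f"security.protocol={protocol}: connection is not encrypted")
        if props.get("sasl.mechanism") == "PLAIN":
            out.append("sasl.mechanism=PLAIN without TLS: password is sent in clear text")
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        out.append("ssl.endpoint.identification.algorithm is empty: "
                   "broker hostname verification is disabled")
    return out

def redact(props):
    """Return a copy that is safe to paste into a ticket or log."""
    return {k: "****" if k.endswith(".password")
            else JAAS_PASSWORD.sub(r"\1\2****\2", v) for k, v in props.items()}

# Constructed samples: a continued-line SASL_SSL config and a weak config.
GOOD = """security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
username="user@example.com" \\
password="constructed-token";
"""
WEAK = ("security.protocol=SASL_PLAINTEXT\nsasl.mechanism=PLAIN\n"
        "ssl.endpoint.identification.algorithm=\n")
```
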

Connect to a Confluent cluster

Via your Confluent cluster dashboard, select the Clients tab within Data integration.

Select Java as the language.

Confluent client

Create the Kafka cluster API key. You also have the option to create the Schema Registry API Key if you are using Schema Registry.

Confluent snippet

Copy the configuration to your clipboard.

You can now go back to Conduktor Console to configure your Kafka cluster. Fill in the bootstrap servers, and paste your configuration as Advanced properties.

You can test the connection and if successful, you will see a green Connected label.

Confluent configuration in Console

Click Create Configuration to save your cluster.

Connect to an Aiven cluster

When connecting to an Aiven cluster, you have two options.

Option 1: With SSL

To connect to your Aiven cluster using SSL, you need to provide the Access Key, Access Certificate, and CA Certificate. You also need the cluster Bootstrap server, labelled as Service URI within the Aiven console.

Aiven certificates

In the Console, after filling in the bootstrap server, upload the CA certificate in order to connect to your Aiven cluster.

Then select SSL as the authentication method, and paste the Access Key and Access Certificate into the corresponding fields.

The configuration should look like this:

Console config with SSL

Option 2: With SASL_SSL

To connect to your Aiven cluster using SASL_SSL, you need to provide the Bootstrap server labelled as Service URI, User, and Password. You can find these in the Aiven console.

Aiven SASL

The configuration in the Console should look like this:

Console config with SASL_SSL

Connect to an MSK cluster

To connect to MSK, you first need to create an IAM user.

MSK IAM user

After that, you have to give it permissions to connect to your MSK cluster.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kafka:*", "kafka-cluster:*"],
"Resource": "*"
}
]
}
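
The policy above allows every MSK control-plane and data-plane action on every resource in the account. The following is an added example, not Conduktor's or AWS's own code, that builds a policy scoped to a single cluster and lists the account-wide grants in any policy; it assumes Console only needs `kafka-cluster` data-plane access to that one cluster, and the action list and placeholder ARN are assumptions to adjust to what you actually administer.

```python
# Policy exactly as shown in the MSK section of this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kafka:*", "kafka-cluster:*"],
                   "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def scoped_policy(cluster_arn):
    """Build a policy limited to one MSK cluster and its topics and groups."""
    prefix, sep, tail = cluster_arn.partition(":cluster/")
    if not (prefix.startswith("arn:") and sep and tail.count("/") == 1):
        raise ValueError("expected arn:<partition>:kafka:<region>:<account>:"
                         "cluster/<name>/<uuid>")

    def allow(sid, resource, *actions):
        return {"Sid": sid, "Effect": "Allow",
                "Action": [f"kafka-cluster:{a}" for a in actions],
                "Resource": resource}

    return {"Version": "2012-10-17", "Statement": [
        allow("Cluster", cluster_arn, "Connect", "DescribeCluster",
              "DescribeClusterDynamicConfiguration", "WriteDataIdempotently"),
        allow("Topics", f"{prefix}:topic/{tail}/*", "CreateTopic",
              "DescribeTopic", "AlterTopic", "DeleteTopic",
              "DescribeTopicDynamicConfiguration",
              "AlterTopicDynamicConfiguration", "ReadData", "WriteData"),
        allow("Groups", f"{prefix}:group/{tail}/*", "DescribeGroup",
              "AlterGroup", "DeleteGroup"),
    ]}

def account_wide_grants(policy):
    """Return (action, "*") pairs that an Allow statement grants on every resource."""
    return [(action, "*")
            for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            if "*" in _as_list(stmt.get("Resource", []))
            for action in _as_list(stmt.get("Action", []))]

if __name__ == "__main__":
    import json
    # Constructed placeholder ARN; substitute your own cluster's ARN.
    arn = ("arn:aws:kafka:us-east-1:111122223333:cluster/"
           "example-cluster/00000000-0000-0000-0000-000000000000")
    print(account_wide_grants(PAGE_POLICY))
    print(json.dumps(scoped_policy(arn), indent=2))
```
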

Finally, generate an access key.

MSK Access key

In the Console, fill in the Bootstrap server and select AWS IAM as the authentication method. You now have two options: either inherit the credentials from your environment (with environment variables), or fill in the Access Key and Secret Key.

The configuration should look like this in the Console:

Console config with IAM

Connect to a Cloudera cluster

Info: These instructions are for a setup with the SASL_SSL security protocol and the PLAIN mechanism.

  1. To administer the Cloudera Kafka cluster, you need a workload user with ownership of the Data Hub cluster configured. Make sure to note the username and password of this user:

cloudera-user-management

  2. Download the certificates from Cloudera: getting_certs_from_cloudera

  3. Cloudera certificates are CRT-formatted files and must be converted to a JKS file before Console can connect. Use the Java keytool to convert the file; the command below is an example based on the screenshots above.

keytool -import -keystore zeke-test2-cdp-env.jks -alias zeke-test2-cdp-env -file zeke-test2-cdp-env.crt

  4. In the Cloudera platform, open the firewalls for the Kafka brokers and Schema Registry.

  5. In Conduktor Console, go to Clusters, select the newly created Cloudera one and add the certs to your environment or click Upload certificate to manually upload them.

  6. Once you've added your certs to Console, configure the cluster as shown in the screenshot below. Use the workload user and password from the first step.

adding cloudera to console

Here's a fully automated turnkey example.

Connect to a Google Cloud cluster

You can connect to Google Cloud Managed Service for Apache Kafka using the SASL_SSL protocol and the PLAIN mechanism with one of the following options.

Option 1: Use a service account

Go to Google Cloud docs for instructions.

Option 2: Use an access token

First, get an access token:

gcloud auth login --no-launch-browser
gcloud auth print-access-token

Then, use that token with the following parameters:

security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="PRINCIPAL_EMAIL_ADDRESS" \
password="ACCESS_TOKEN_VALUE";

When authenticating incoming connections to the cluster, Managed Service for Apache Kafka checks that:

  • the access token is valid and has not expired
  • the provided username matches the principal email that the access token is associated with
  • the access token's principal has the managedkafka.clusters.connect permission (included in roles/managedkafka.client) on the cluster