mTLS Authentication for Confluent Control Center Monitoring and Alerting
Confluent Control Center internally integrates with Prometheus and Alertmanager to deliver its comprehensive monitoring and alerting functionalities, processing relevant data from sources such as broker/KRaft controller metrics. This section describes how to configure mTLS for secure communication among Kafka broker, Confluent Control Center, Prometheus, and the Alertmanager.
Note
This mTLS configuration is supported for Confluent Control Center with Confluent Platform versions 7.9.1 and later.
Certificate configuration
For an mTLS setup, Confluent Platform requires these certificates:
- an SSL certificate
- an SSL key
- a root CA certificate (this can be self-signed)
Update the corresponding certificate details in these configuration files:
- For Prometheus, update /etc/confluent-control-center/web-config-prom.yml
- For Alertmanager, update /etc/confluent-control-center/web-config-am.yml
The configuration should appear as follows:
```yaml
tls_server_config:
  cert_file: /home/prometheus/certs/example.com/example.com.crt
  key_file: /home/prometheus/certs/example.com/example.com.key
  ca_file: /path/to/ca.crt
  min_version: TLS12
  client_auth_type: RequireAndVerifyClientCert
```
Enable and start (or restart) Prometheus:
```shell
systemctl enable prometheus
systemctl start prometheus
```
Enable and start (or restart) Alertmanager:
```shell
systemctl enable alertmanager
systemctl start alertmanager
```
Test your certificate configuration with the following curl command:
```shell
curl --cacert {path_to_ca_certificate} \
  --cert {path_to_client_certificate} \
  --key {path_to_client_key} \
  https://{prometheus-url}:9090/api/v1/label/job/values
```
A successful command returns the following:
```json
{"status":"success","data":["prometheus"]}
```
Configure Confluent Control Center, brokers, controllers, Prometheus, and Alertmanager
In this section, you update the configuration files of Confluent Control Center, the brokers, and the KRaft controllers to support secure communication with Prometheus and Alertmanager. You also configure alert routing in Prometheus.
Update the Confluent Control Center properties file with the following configuration:
```properties
# Prometheus mTLS config
confluent.controlcenter.prometheus.ssl.truststore.location=<jks-path>
confluent.controlcenter.prometheus.ssl.truststore.password=<jks-password>
confluent.controlcenter.prometheus.alias.name=<prometheus-alias>
confluent.controlcenter.prometheus.ssl.key.password=<password>
confluent.controlcenter.prometheus.ssl.keystore.location=<keystore-path>
confluent.controlcenter.prometheus.ssl.keystore.password=<keystore-password>
confluent.controlcenter.prometheus.basic.auth.user.info=<username>:<password>

# Alertmanager mTLS config
confluent.controlcenter.alertmanager.alias.name=<alertmanager-alias>
confluent.controlcenter.alertmanager.ssl.truststore.location=<jks-path>
confluent.controlcenter.alertmanager.ssl.truststore.password=<jks-password>
confluent.controlcenter.alertmanager.ssl.key.password=<password>
confluent.controlcenter.alertmanager.ssl.keystore.location=<keystore-path>
confluent.controlcenter.alertmanager.ssl.keystore.password=<keystore-password>
confluent.controlcenter.alertmanager.basic.auth.user.info=<username>:<password>
```
For detailed instructions on these and other required properties, see Enable mTLS in Kafka.
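The two files above are where mTLS is most often silently weakened: a Prometheus web-config that falls back to optional client certificates or an old TLS floor, or a Control Center properties file missing one of the keystore/truststore keys. The following added example (not part of the Confluent documentation or product) audits both; the YAML sample is constructed and deliberately weak, and the parser handles only the flat `tls_server_config` layout shown on this page.

```python
import re

# Constructed sample of /etc/confluent-control-center/web-config-prom.yml with two
# weak settings (not from any real deployment): optional client certs and TLS 1.0.
WEAK_WEB_CONFIG = """\
tls_server_config:
  cert_file: /home/prometheus/certs/example.com/example.com.crt
  key_file: /home/prometheus/certs/example.com/example.com.key
  ca_file: /path/to/ca.crt
  min_version: TLS10
  client_auth_type: VerifyClientCertIfGiven
"""

# Control Center key suffixes the page lists for each target (prometheus, alertmanager).
SSL_SUFFIXES = ("ssl.truststore.location", "ssl.truststore.password",
                "ssl.keystore.location", "ssl.keystore.password",
                "ssl.key.password", "alias.name")

def parse_tls_server_config(text):
    """Read the indented `key: value` lines under tls_server_config (flat layout only)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\w+):\s*(\S+)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def audit_web_config(text):
    """Return a list of findings; an empty list means the file enforces mTLS as intended."""
    cfg = parse_tls_server_config(text)
    findings = []
    for key in ("cert_file", "key_file", "ca_file"):
        if key not in cfg:
            findings.append(f"{key} is missing")
    # Every other client_auth_type accepts connections without a trusted client certificate.
    if cfg.get("client_auth_type") != "RequireAndVerifyClientCert":
        findings.append(f"client_auth_type={cfg.get('client_auth_type')}: "
                        "must be RequireAndVerifyClientCert")
    if cfg.get("min_version") not in ("TLS12", "TLS13"):
        findings.append(f"min_version={cfg.get('min_version')}: must be TLS12 or newer")
    return findings

def missing_c3_keys(properties_text, target):
    """Keys absent from the Control Center properties for `target` (prometheus or alertmanager)."""
    present = {line.split("=", 1)[0].strip() for line in properties_text.splitlines()
               if "=" in line and not line.lstrip().startswith("#")}
    prefix = f"confluent.controlcenter.{target}."
    return [prefix + s for s in SSL_SUFFIXES if prefix + s not in present]
```

Run `audit_web_config` on the real web-config-prom.yml and web-config-am.yml after every change, and treat any finding as a blocker before restarting the service.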
Configure the broker and KRaft controllers to emit metrics to Prometheus:
```properties
confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.key.password=<key-password>
confluent.metrics.reporter.ssl.keystore.location=<keystore-location>
confluent.metrics.reporter.ssl.keystore.password=<keystore-password>
confluent.metrics.reporter.ssl.truststore.location=<truststore-location>
confluent.metrics.reporter.ssl.truststore.password=<truststore-password>
```
Update the /etc/confluent-control-center/prometheus-generated.yml configuration file in Prometheus to send alerts to Alertmanager:
```yaml
alerting:
  alertmanagers:
    - scheme: https
      static_configs:
        - targets:
            - <ip-address>:9093
      tls_config:
        ca_file: <ca-cert-path>
        cert_file: <prometheus-crt>
        key_file: <prometheus-key>
```