Charmed Kafka K8s Documentation - Reference Listeners

Kafka listeners

Charmed Kafka comes with a set of listeners that can be enabled to allow for inter- and intra-cluster communication.

  • Internal listeners are used for internal traffic and exchange of information between Kafka brokers
  • Client listeners are used for clients within the Kubernetes cluster,
  • External listeners are used for clients outside the Kubernetes cluster.

Listeners are optionally enabled based on the relations created on particular charm endpoints. Each listener is characterized by a specific port, scope, security protocol and authentication mechanism.

In the following table, we summarize the protocols, the port, and the relation that each listener is bound to. Note that based on whether a certificates relation is present, one of two mutually exclusive types of listeners can be opened.

Security protocol Authentication mechanism Driving endpoints Port Scope Listener name
SASL_PLAINTEXT SCRAM-SHA-512 cluster 19092 INTERNAL INTERNAL_SASL_PLAINTEXT_SCRAM_SHA_512
SASL_SSL SCRAM-SHA-512 cluster + certificates 19093 INTERNAL INTERNAL_SASL_SSL_SCRAM_SHA_512
SASL_PLAINTEXT SCRAM-SHA-512 kafka-client 9092 CLIENT CLIENT_SASL_PLAINTEXT_SCRAM_SHA_512
SASL_SSL SCRAM-SHA-512 kafka-client + certificates 9093 CLIENT CLIENT_SASL_SSL_SCRAM_SHA_512
SSL SSL (trusted-certificate|trusted-ca) + certificates 9094 CLIENT CLIENT_SSL_SSL
SASL_PLAINTEXT OAUTHBEARER kafka-client + oauth 9095 CLIENT CLIENT_SASL_PLAINTEXT_OAUTHBEARER
SASL_SSL OAUTHBEARER kafka-client + oauth + certificates 9096 CLIENT CLIENT_SASL_SSL_OAUTHBEARER
SASL_PLAINTEXT SCRAM-SHA-512 kafka-client 29092 EXTERNAL EXTERNAL_SASL_PLAINTEXT_SCRAM_SHA_512
SASL_SSL SCRAM-SHA-512 kafka-client + certificates 29093 EXTERNAL EXTERNAL_SASL_SSL_SCRAM_SHA_512
SSL SSL (trusted-certificate|trusted-ca) + certificates 29094 EXTERNAL EXTERNAL_SSL_SSL
SASL_PLAINTEXT OAUTHBEARER kafka-client + oauth 29095 EXTERNAL EXTERNAL_SASL_PLAINTEXT_OAUTHBEARER
SASL_SSL OAUTHBEARER kafka-client + oauth + certificates 29096 EXTERNAL EXTERNAL_SASL_SSL_OAUTHBEARER

Note: Since cluster is a peer-relation, one of the two INTERNAL_* listeners is always enabled.