Configure Listeners in Kubernetes

You can fine-tune client interactions with Redpanda by customizing internal and external listener configurations.

Anatomy of a listener

Listeners are gateways for client communications in Redpanda. Redpanda uses TCP sockets for client connections, where each TCP socket consists of:

  • IP address or DNS name: The unique network identifier of the Redpanda server. This can be a local address or a public address for cloud-based services.

  • Port: A specific entry point for network traffic. Redpanda listens on designated ports for client connections.

Clients must specify both the IP address or DNS name and port for a successful connection, such as 203.0.113.5:9093.

The Redpanda Helm chart defines two listeners by default:

Listener Description

default

Internal connections. These endpoints use internal addresses assigned to brokers by Kubernetes through the headless ClusterIP Service.

external

External connections. These endpoints are accessible through addresses configured in the external.domain and/or external.addresses settings in the Helm values.

For example, these are the default settings for the internal Kafka API listener:

listeners:
  kafka:
    port: 9093
    authenticationMethod:
    tls:
      enabled: true
      cert: default
      requireClientAuth: false
  • listeners.kafka.port: The container port for internal client connections.

  • listeners.kafka.authenticationMethod: The authentication method to use when the top-level auth.sasl.enabled setting is true. Default is sasl.

  • listeners.kafka.tls.enabled: Whether TLS is enabled for this listener when the top-level tls.enabled setting is true for all listeners.

  • listeners.kafka.tls.cert: The TLS certificates that this listener should use to secure client connections. TLS certificates are defined in tls.certs.

  • listeners.kafka.tls.requireClientAuth: Whether mTLS is enabled.

These are the settings for the external Kafka API listener:

listeners:
  kafka:
    external:
      default:
        enabled: true
        port: 9094
        # -- If undefined, `listeners.kafka.external.default.port` is used.
        advertisedPorts:
        - 31092
        tls:
          enabled: true
          cert: external
        # default is "sasl"
        authenticationMethod:
  • listeners.kafka.external.default.port: The container port for external client connections.

  • listeners.kafka.external.default.advertisedPorts: The node port that is routed to listeners.kafka.external.default.port. This port is opened in Kubernetes Services when external.service.enabled is true.

  • listeners.kafka.external.default.authenticationMethod: The authentication method to use when the top-level auth.sasl.enabled setting is true. Default is sasl.

  • listeners.kafka.external.default.tls.enabled: Whether TLS is enabled for this listener when the top-level tls.enabled setting is true for all listeners.

  • listeners.kafka.external.default.tls.cert: The TLS certificates that this listener should use to secure client connections. TLS certificates are defined in tls.certs.

Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. If you configure a TLS listener for the Kafka API, you must configure listeners.schemaRegistry.tls and listeners.http.tls. All APIs, except the internal RPC port, support multiple listeners.

Customize the external node ports

Each listener has separate ports for internal and external connections. To customize the external node ports for each listener, replace <port> with the port that you want to use.

Redpanda doesn’t validate the configured port numbers. Make sure to verify the following:

  • Your configured port numbers are within the range that is assigned for node ports in your Kubernetes cluster.

  • Your Kubernetes cluster is accessible through your desired node port range. You may need to edit your inbound firewall rules.

  • Your configured port numbers are not in use by any other service.

For the default ports, see the Redpanda Helm Chart Specification

For example, to customize the node ports for the external Kafka API listener:

custom-kafka-port.yaml
listeners:
  kafka:
    external:
      default:
        advertisedPorts:
        - <port>

Configure TLS certificates

A Redpanda cluster provides granular control over the TLS certificates used by different listeners. This level of flexibility enables you to ensure the required level of security for each listener. For example, you can use a self-signed certificate for the internal RPC listener, while using a public certificate authority (CA) certificate for other listeners such as the Kafka API.

All listeners must use the same certificate if mTLS is enabled. Redpanda on Kubernetes does not support configuring different TLS certificates for mTLS-enabled listeners, or mixed configurations where some listeners use mTLS and others do not.
  • Internal listeners: By default, all internal listeners use the self-signed certificate defined globally in the tls.certs.default configuration. To customize the certificates for each internal listener, you can edit the listeners.<listener-name>.tls.cert setting.

  • External listeners: By default, all external listeners use the self-signed certificate defined globally in the tls.certs.external configuration. To customize the certificates for each internal listener, you can edit the listeners.<listener-name>.external.default.tls.cert setting.

Here’s an example that configures two certificates:

The external Admin API listener is configured with the public-ca-cert certificate. The internal Kafka API listener is configured with the private-ca-cert certificate, and the other listeners are configured with the default self-signed certificate.

multiple-certs-tls.yaml
tls:
  enabled: true
  certs:
    public-ca-cert:
      issuerRef:
        name: <issuer-name>
        kind: Issuer
      caEnabled: false
    private-ca-cert:
      secretRef:
        name: <secret-name>
      caEnabled: true
    default:
      caEnabled: true
listeners:
  admin:
    external:
      default:
        tls:
          cert: public-ca-cert
  kafka:
    tls:
      cert: private-ca-cert
  http:
    tls:
      cert: default
  rpc:
    tls:
      cert: default
  schemaRegistry:
    tls:
      cert: default

Disable external access

You can disable external access for all listeners or for individual listeners.

To disable external access for all listeners:

disable-external-access.yaml
external:
  enabled: false

To disable external access for a specific listener, set listeners.<listener-name>.external.default to false. For example, to disable external access to the Kafka API listener:

disable-external-kafka-api.yaml
listeners:
  kafka:
    external:
      default:
        enabled: false