About this guide
This guide covers installing, configuring, securing, and operating the Kroxylicious Proxy in a non-Kubernetes environment. Refer to other Kroxylicious guides for information on running the proxy on Kubernetes using the Kroxylicious Operator, or for advanced topics such as plugin development.
1. Kroxylicious Proxy overview
Kroxylicious is an Apache Kafka protocol-aware ("Layer 7") proxy designed to enhance Kafka-based systems. Through its filter mechanism it allows additional behavior to be introduced into a Kafka-based system without requiring changes to either your applications or the Kafka cluster itself. Built-in filters are provided as part of the solution.
Functioning as an intermediary, the Kroxylicious mediates communication between a Kafka cluster and its clients. It takes on the responsibility of receiving, filtering, and forwarding messages.
A Java API provides a convenient means for implementing custom logic within the proxy.
1.1. Why use proxies?
Proxies are a powerful and flexible architectural pattern. For Kafka, they can be used to add functionality to Kafka clusters which is not available out-of-the-box with Apache Kafka. In an ideal world, such functionality would be implemented directly in Apache Kafka. But there are numerous practical reasons that can prevent this, for example:
-
Organizations having very niche requirements which are unsuitable for implementation directly in Apache Kafka.
-
Functionality which requires changes to Kafka’s public API and which the Apache Kafka project is unwilling to implement. This is the case for broker interceptors, for example.
-
Experimental functionality which might end up being implemented in Apache Kafka eventually. For example using Kroxylicious it’s easier to experiment with alternative transport protocols, such as Quic, or operating system APIs, such as io_uring, because there is already support for this in Netty, the networking framework on which Kroxylicious is built.
1.1.1. How Kroxylicious works
First let’s define the concepts in the landscape surrounding Kroxylicious.
-
Kafka Client, or Client refers to any client application using a Kafka Client library to talk to a Kafka Cluster.
-
Kafka Cluster or Cluster refers to a cluster comprising one or more Kafka Brokers.
-
Downstream refers to the area between Kafka Client and Kroxylicious.
-
Upstream refers to the area between Kroxylicious and a Kafka Cluster.
Now let’s define some concepts used within Kroxylicious itself.
Virtual cluster
The Virtual Cluster is the downstream representation of a Kafka Cluster. At the conceptual level, a Kafka Client connects to a Virtual Cluster. Kroxylicious proxies all communications made to the Virtual Cluster through to a (physical) Kafka Cluster, passing it through the Filter Chain.
Virtual cluster gateway
Each virtual cluster has one or more dedicated gateways, which Kafka clients use to establish connections.
Each gateway exposes a bootstrap endpoint, which the Kafka Client must specify in its configuration as the bootstrap.servers property.
In addition to the bootstrap endpoint, the gateway automatically exposes broker endpoints. There is one broker endpoint for each broker of the physical cluster. When the Client connects to a broker endpoint, Kroxylicious proxies all communications to the corresponding broker of the (physical) Kafka Cluster.
Kroxylicious automatically intercepts all the Kafka RPC responses that contain a broker address. It rewrites the address so that it refers to the corresponding broker endpoint of the Virtual Cluster. This means when the Kafka Client goes to connect to, say broker 0, it does so through the Virtual Cluster.
Defining multiple gateways for a virtual cluster is useful when exposing it across different network segments. For example, in Kubernetes, you might configure one gateway for on-cluster traffic and another for off-cluster traffic.
Target cluster
The Target Cluster is the definition of physical Kafka Cluster within the Kroxylicious itself.
A Virtual Cluster has exactly one Target Cluster.
There can be a one-to-one relationship between Virtual Clusters and Target Clusters. The other possibility is many-to-one, where many Virtual Clusters point to the same Target Cluster. The many-to-one pattern is exploited by filters such as the Multi-tenancy filter.
A one-to-many pattern, where one Virtual Cluster points to many Target Clusters (providing amalgamation), is not a supported use-case.
Filter chain
A Filter Chain consists of an ordered list of pluggable protocol filters.
A protocol filter implements some logic for intercepting, inspecting and/or manipulating Kafka protocol messages.
Kafka protocol requests (such as Produce requests) pass sequentially through each of the protocol filters in the
chain, beginning with the 1st filter in the chain and then following with the subsequent filters, before being
forwarded to the broker.
When the broker returns a response (such as a Produce response) the protocol filters in the chain are invoked in the
reverse order (that is, beginning with the nth filter in the chain, then the n-1th and so on) with each having the
opportunity to inspect and/or manipulating the response. Eventually a response is returned to the client.
The description above describes only the basic capabilities of the protocol filter. Richer features of filters are described later.
As mentioned above, Kroxylicious takes the responsibility to rewrite the Kafka RPC responses that carry broker address
information so that they reflect the broker addresses exposed by the Virtual Cluster. These are the
Metadata,
DescribeCluster and
FindCoordinator responses. This processing is
entirely transparent to the work of the protocol filters. Filter authors are free to write their own filters that
intercept these responses too.
Filter composition
An important principal for the protocol filter API is that filters should compose nicely. That means that filters generally don’t know what other filters might be present in the chain, and what they might be doing to messages. When a filter forwards a request or response it doesn’t know whether the message is being sent to the next filter in the chain, or straight back to the client.
Such composition is important because it means a proxy user can configure multiple filters (possibly written by several filter authors) and expect to get the combined effect of all of them.
It’s never quite that simple, of course. In practice they will often need to understand what each filter does in some detail in order to be able to operate their proxy properly, for example by understanding whatever metrics each filter is emitting.
1.1.2. Implementation
The proxy is written in Java, on top of Netty.
The usual ChannelHandlers provided by the Netty project are used where appropriate (e.g. SSL support uses SslHandler), and Kroxylicious provides Kafka-specific handlers of its own.
The Kafka-aware parts use the Apache Kafka project’s own classes for serialization and deserialization.
Protocol filters get executed using a handler-per-filter model.
1.1.3. Deployment topologies
The proxy supports a range of possible deployment topologies. Which style is used depends on what the proxy is meant to achieve, architecturally speaking. Broadly speaking a proxy instance can be deployed:
- As a forward proxy
-
Proxying the access of one or more clients to a particular cluster/broker that might also accessible (to other clients) directly.
Topic-level encryption provides one example use case for a forward proxy-style deployment. This might be applicable when using clients that don’t support interceptors, or if an organization wants to apply the same encryption policy in a single place, securing access to the keys within their network.
- As a reverse proxy
-
Proxying access for all clients trying to reach a particular cluster/broker.
Transparent multi-tenancy provides an example use case for a reverse proxy. While Apache Kafka itself has some features that enable multi-tenancy, they rely on topic name prefixing as the primary mechanism for ensuring namespace isolation. Tenants have to adhere to the naming policy and know they’re a tenant of a larger shared cluster.
Transparent multi-tenancy means each tenant has the illusion of having their own cluster, with almost complete freedom over topic and group naming, while still actually sharing a cluster.
We can further classify deployment topologies in how many proxy instances are used. For example:
-
Single proxy instance (sidecar)
-
Proxy pool
1.2. Compatibility
1.2.1. APIs
Kroxylicious follows Semantic Versioning rules. While we are still in the initial development phase (denoted by a major version 0), we still take API compatibility very seriously. We aim to provide at least two minor releases between deprecation and the removal of that deprecated item.
We also consider our configuration file syntax a public API (though not the Java model backing it). As such, the syntax follows the same Semantic Versioning and deprecation rules.
Kubernetes custom resources are a public API, and we are making every effort to evolve Kroxylicious custom resources in line with Kubernetes best practices. Kubernetes resources have their own versioning scheme, which is independent of the Kroxylicious proxy service version. As a result, we may reach version 1.0.0 of Kroxylicious while still using alpha or beta versions of the custom resources.
Third-party plugins
Kroxylicious supports loading third-party plugins to extend the core functionality of the project. While these plugins are configured and loaded as first-class entities within Kroxylicious, we cannot guarantee the compatibility of their APIs or configuration properties.
We do however hold filters and plugins provided by the project to the same standards as the rest of the public API.
1.2.2. Wire protocol
Kroxylicious offers the same backwards and forwards compatibility guarantees as Apache Kafka. We support the same range of client and broker versions as the official Apache Kafka Java client.
2. Configuring proxies
Fine-tune your deployment by configuring proxies to include additional features according to your specific requirements.
2.1. Outline of a Kroxylicious configuration
The following example shows the overall outline of a simple Kroxylicious configuration.
While not complete (as indicated by # …), it illustrates the essential structure.
filterDefinitions: (1)
- name: example (2)
type: org.example.filter.Example (3)
config: (4)
# ...
defaultFilters: (5)
- example
virtualClusters: (6)
- name: my-cluster-proxy
targetCluster: (7)
# ...
gateways: (8)
- name: ...
# ...
# ...| 1 | A list of named filter definitions. |
| 2 | A filter definition called example. The definitions must each have a unique name. |
| 3 | The name of the filter class implementation for the example filter. Required. |
| 4 | The configuration for the example filter instance. Usually required for non-trivial filters. |
| 5 | A list of default filters. It’s possible to override this list at the virtual cluster level. |
| 6 | List of virtual clusters specified by name, with cluster-specific configurations. |
| 7 | Configuration of the actual Kafka cluster that is proxied by the 'my-cluster-proxy' virtual cluster. |
| 8 | Configuration of the gateways for this virtual cluster. |
2.2. Defining filters
Filters in Kroxylicious can be defined globally with filterDefinitions, applied by default using defaultFilters, or customized for specific virtual clusters.
The following example shows how these elements work together flexibly:
filterDefinitions:
- name: encryption
type: RecordEncryption
config:
# ...
- name: validation
type: RecordValidation
config:
# ...
- name: special-encryption
type: RecordEncryption
config:
# ...
defaultFilters:
- validation
- encryption
virtualClusters:
- name: my-proxy-with-default-filters
# ...
- name: my-proxy-with-custom-filters
filters:
- validation
- special-encryption
# ...
# ...-
The order of definitions in
filterDefinitionsdoes not matter. -
Each filter definition in
filterDefinitionsmust have a uniquename, but you can have multiple definitions with the same type and different configurations (as withencryptionandspecial-encryptionin the example). -
The order of
defaultFiltersdetermines the sequence in which the filters are applied to incoming client requests. In the example, records are first validated and then encrypted. -
The
defaultFiltersare used for all virtual clusters which don’t define their ownfilters, such asmy-proxy-with-default-filters. -
The
defaultFiltersproperty is optional. It is useful when all virtual clusters must use the same filters. There’s no need to specify it if all virtual clusters have specificfiltersdefined. -
When a virtual cluster has defined
filters, likemy-proxy-with-custom-filters, then those filters are used instead of thedefaultFilters. -
When using
defaultFiltersor a virtual cluster’sfiltersto reference a filter definition, you must define a filter with the corresponding name infilterDefinitions.
2.3. Configuring virtual clusters
A Kafka cluster is represented by the proxy as a virtual cluster. Clients communicate with the virtual cluster rather than the actual cluster. When Kroxylicious is deployed, it includes configuration to create virtual clusters.
A virtual cluster has exactly one target cluster, but many virtual clusters can target the same cluster.
Each virtual cluster targets a single listener on the target cluster, so multiple listeners on the Kafka side are represented as multiple virtual clusters by the proxy.
Clients connect to a virtual cluster using a bootstrapServers address.
The virtual cluster has a bootstrap address that maps to each broker in the target cluster.
When a client connects to the proxy, communication is proxied to the target broker by rewriting the address.
Responses back to clients are rewritten to reflect the appropriate network addresses of the virtual clusters.
You can secure virtual cluster connections from clients and to target clusters.
Kroxylicious accepts keys and certificates in PEM (Privacy Enhanced Mail), PKCS #12 (Public-Key Cryptography Standards), or JKS (Java KeyStore) keystore format.
2.4. Configuring virtual cluster gateways
Clients connect to a virtual cluster gateway. Each gateway provides a bootstrap address for the initial connection. The gateway also facilitates communication between clients and proxied brokers. This can be implemented in two ways:
- Port Identifies Node
-
The gateway binds separate ports—one for each broker as well as an additional one for the bootstrap address. Clients make connections to the different port numbers to interact with each broker.
- SNI Host Identifies Node
-
The gateway assigns a unique hostname to each broker. Clients make connections to these distinct hostnames to interact with the respective brokers. The gateway uses SNI (Server Name Indication) to identify the target broker for the client’s connection.
| You must make sure that the gateway’s bootstrap address and generated broker addresses are resolvable and routable by the Kafka Client. You must also make sure firewall rules permit traffic to required port numbers. |
2.4.1. Port Identifies Node
In the Port Identifies Node scheme, the virtual cluster opens a separate port for each proxied broker in addition to a separate port for the bootstrap.
By default, this scheme assumes that the target cluster comprises three nodes with broker ids 0..2. If this is inadequate, additional configuration can be provided describing the broker topology of the target broker.
This scheme can be used with both plain and TLS downstream connections.
This scheme works best with straightforward configurations where the target cluster uses a known minimum broker ID and uses stable sets of broker IDs. For more complex cases, it is recommended to use the SNI Host Identifies Node scheme.
| When using this scheme, you have the responsibility to avoid port number collision. Ensure that each gateway has its own range of port numbers and these do not overlap with the range used by another gateway, or the gateway of another virtual cluster. |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
portIdentifiesNode:
bootstrapAddress: localhost:9192 (1)
# ...
# ...| 1 | The bootstrap address used by Kafka clients. |
With the example configuration above, the gateway exposes a target cluster of up to three brokers with node ids 0, 1, 2.
The advertised address is defaulted to that of the bootstrap host name.
Port numbers are assigned sequentially beginning at bootstrap port number + 1.
The gateway exposes the following three broker addresses:
| Node Id | Broker Address |
|---|---|
0 |
localhost:9193 |
1 |
localhost:9194 |
2 |
localhost:9195 |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
portIdentifiesNode:
bootstrapAddress: localhost:9192 (1)
advertisedBrokerAddressPattern: mycluster.example.com (2)
brokerStartPort: 9200 (3)
# ...
# ...| 1 | The bootstrap address used by Kafka clients. |
| 2 | (Optional) The advertised broker address pattern used to form broker addresses. If not defined, it defaults to the hostname part of the bootstrap address. |
| 3 | (Optional) The starting number for the broker port range. Defaults to the port of the bootstrap address plus 1. |
With the example configuration above, the gateway exposes a target cluster of up to three brokers with node ids 0, 1, 2.
The advertised broker address is defined as mycluster.example.com.
Port numbers are assigned sequentially beginning at 9200.
The gateway exposes the following three broker addresses:
| Node Id | Broker Address |
|---|---|
0 |
mycluster.example.com:9200 |
1 |
mycluster.example.com:9201 |
2 |
mycluster.example.com:9203 |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
portIdentifiesNode:
bootstrapAddress: localhost:9192 (1)
advertisedBrokerAddressPattern: mycluster.example.com (2)
nodeIdRanges: (3)
- name: mixed
start: 1
end: 3
- name: brokers
start: 100
end: 103
# ...
# ...| 1 | The bootstrap address used by Kafka clients. |
| 2 | (Optional) The advertised broker address pattern used to form broker addresses. If not defined, it defaults to the hostname part of the bootstrap address. |
| 3 | (Optional) One or more node id ranges. If omitted, it defaults to a single range of node IDs 0..2 (inclusive). |
With the example configuration above, the gateway exposes a target cluster of up to six nodes with node ids 1..3 and 101..103.
The advertised broker address is defined as mycluster.example.com.
Port numbers are assigned sequentially beginning at 9193 (bootstrap port number + 1).
The gateway exposes the following six broker addresses:
| Node Id | Broker Address |
|---|---|
1 |
mycluster.example.com:9193 |
2 |
mycluster.example.com:9194 |
3 |
mycluster.example.com:9195 |
101 |
mycluster.example.com:9196 |
102 |
mycluster.example.com:9197 |
103 |
mycluster.example.com:9198 |
2.4.2. SNI Host Identifies Node
In the SNI Host Identifies Node scheme, unique broker hostnames are used to know where to route the traffic. As this scheme relies on SNI (Server Name Indication), which is a TLS extension, TLS connections are required. It cannot be used with plain text connections.
In this scheme, you can either share the port across multiple virtual cluster gateways or assign a separate port for each virtual cluster gateway. However, you cannot use a port that is already assigned to a virtual cluster gateway using the Port Identifies Node scheme.
| When using this scheme, you have the responsibility to make sure that DNS for bootstrap and brokers resolve to an IP address that is routed to the proxy. Wildcard DNS is one way to achieve this. |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
sniHostIdentifiesNode:
bootstrapAddress: mycluster.example.com:9192 (1)
advertisedBrokerAddressPattern: mybroker-$(nodeId).mycluster.example.com (2)
tls:
key: ... (3)
# ...
# ...| 1 | The bootstrap address used by Kafka clients. |
| 2 | The advertised broker address pattern used to form broker addresses. It must include the placeholder $(nodeId) which is substituted for the node ID. |
| 3 | TLS configuration. |
With the example configuration above, the gateway accepts all traffic on port 9192.
Any TLS connections received with the SNI of mycluster.example.com are routed as bootstrap.
Any connections received with SNI matching mybroker-$(nodeId).mycluster.example.com are routed to the upstream broker with the same node ID.
The configuration exposes a target cluster with any number of brokers. It does not need prior knowledge of the node IDs used by the brokers.
The gateway exposes the following broker addresses:
| Node Id | Broker Address |
|---|---|
0 |
mybroker-0.mycluster.example.com:9192 |
… |
… |
n |
mybroker-n.mycluster.example.com:9192 |
Both the advertisedBrokerAddressPattern and bootstrapAddress configuration parameters accept the $(virtualClusterName) replacement token,
which is optional. If included, $(virtualClusterName) is replaced with the name of the gateway’s virtual cluster.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
sniHostIdentifiesNode:
bootstrapAddress: mycluster.example.com:9192 (1)
advertisedBrokerAddressPattern: mybroker-$(nodeId).mycluster.example.com:443 (2)
tls:
key: ... (3)
# ...
# ...| 1 | The bootstrap address used by Kafka clients. |
| 2 | The advertised broker address pattern and port number used to form broker addresses. It must include the placeholder $(node) which will be substituted for the node id. |
| 3 | TLS configuration. |
With the example configuration above, Kroxylicious is instructed to listen on port 9192, but advertise brokers of this virtual cluster as being available on port 443. This feature is useful where a network intermediary (such as another proxy or load balancer) is port forwarding.
The gateway exposes the following broker addresses:
| Node Id | Broker Address |
|---|---|
0 |
mybroker-0.mycluster.example.com:443 |
… |
… |
n |
mybroker-n.mycluster.example.com:443 |
| Single port operation may have cost advantages when using load balancers of public clouds, as it allows a single cloud provider load balancer to be shared across all virtual clusters. |
2.5. Securing connections from clients
To secure client connections to virtual clusters, configure TLS within the virtual cluster gateway by doing the following:
-
Obtain a server certificate for the virtual cluster from a Certificate Authority (CA).
Ensure the certificate matches the names of the virtual cluster gateway’s bootstrap and broker addresses.
This may require wildcard certificates and Subject Alternative Names (SANs). -
Provide the TLS configuration using the
tlsproperties in the virtual cluster gateway’s configuration to enable it to present the certificate to clients. Depending on your certificate format, apply one of the following examples. -
For mutual TLS, use the
trustproperties to configure the virtual cluster gateway to use TLS client authentication. -
If required, you can restrict the TLS protocols and cipher suites that are used to form the TLS connection.
Examples below illustrate how these steps may be done.
| TLS is recommended for production configurations. |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
key:
storeFile: <path>/server.p12 (1)
storePassword:
passwordFile: <path>/store.password (2)
keyPassword:
passwordFile: <path>/key.password (3)
storeType: PKCS12 (4)
# ...| 1 | PKCS #12 store containing the private-key and certificate/intermediates of the virtual cluster gateway. |
| 2 | Password to protect the PKCS #12 store. |
| 3 | (Optional) Password for the key. If a password is not specified, the keystore’s password is used to decrypt the key too. |
| 4 | (Optional) Keystore type. If a keystore type is not specified, the default JKS (Java Keystore) type is used. |
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
key:
privateKeyFile: <path>/server.key (1)
certificateFile: <path>/server.crt (2)
keyPassword:
passwordFile: <path>/key.password (3)
# ...| 1 | Private key of the virtual cluster gateway. |
| 2 | Public certificate of the virtual cluster gateway. |
| 3 | (Optional) Password for the key. |
You can configure the virtual cluster gateway to require that clients present a certificate for authentication. The virtual cluster gateway verifies that the client’s certificate is signed by one of the CA certificates contained in a trust store. If verification fails, the client’s connection is refused.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
key:
# ...
trust:
storeFile: <path>/trust.p12 (1)
storePassword:
passwordFile: <path>/trust.password (2)
storeType: PKCS12 (3)
trustOptions:
clientAuth: REQUIRED (4)
# ...| 1 | PKCS #12 store containing CA certificate(s) used to verify that the client’s certificate is trusted. |
| 2 | (Optional) Password to protect the PKCS #12 store. |
| 3 | (Optional) Keystore type. If a keystore type is not specified, the default JKS (Java Keystore) type is used. |
| 4 | (Optional) Client authentication mode.
If set to REQUIRED, the client must present a valid certificate.
If set to REQUESTED, the client is requested to present a certificate. If presented, the certificate is validated. If the client chooses not to present a certificate the connection is still allowed.
If set to NONE, client authentication is disabled.
If a client authentication mode is not specified, then the default behaviour is REQUIRED. |
| The client’s identity, as established through TLS client authentication, is currently not relayed to the target cluster. For more information, see the related issue. |
You can restrict the TLS protocols by specifying either an allow list of TLS protocols to be enabled, or a deny list of TLS protocols to be disallowed from the platform’s default. If both an allow and a deny list are specified, the resulting list of TLS protocols includes only those protocols from the allow list that are not in the deny list. If neither list is specified, the virtual cluster uses the default TLS protocols provided by the platform.
When the client connects, it negotiates the highest mutually acceptable TLS protocol with the virtual cluster. If the two have no protocols in common, the connection fails.
The names of the TLS protocols are defined by Java specification.
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
# ...
protocols:
allowed: (1)
- TLSv1.3
- TLSv1.2| 1 | List of allowed TLS protocols. |
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
# ...
protocols:
denied: (1)
- TLSv1.1| 1 | List of disallowed TLS protocols. |
You can restrict the TLS cipher suite by specifying either an allow list of cipher suites to be enabled, in preference order, or a deny list of ciphers suites to be disallowed from the platform’s default. If both an allow and a deny list are specified, the resulting list of cipher suites includes only those ciphers from the allow list that are not in the deny list. If neither list is specified, the virtual cluster uses the default cipher suites (and preference order) provided by the platform.
When the client connects, it negotiates the most preferred mutually acceptable cipher suite with the virtual cluster. If the two have no cipher suites in common, the connection fails.
The names of the cipher suite are defined by Java specification.
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
# ...
cipherSuites:
allowed: (1)
- TLS_ECDHE_ECDSA_WITH_AES_256_CCM
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM| 1 | List of allowed cipher suites in preference order. |
virtualClusters:
- name: my-cluster-proxy
# ...
gateways:
- name: mygateway
# ...
tls:
# ...
cipherSuites:
denied: (1)
- TLS_KRB5_WITH_3DES_EDE_CBC_MD5| 1 | List of disallowed cipher suites. |
2.6. Securing connections to target clusters
To secure connections from the virtual cluster to the upstream cluster, configure the target cluster’s TLS setting by doing the following:
-
If the upstream is using a private CA, use the
trustproperties to configure a truststore for the target cluster. -
If you want to use mutual TLS, specify the certificate with the
keyproperty to identify the virtual cluster to the upstream. -
If required, you can restrict the TLS protocols and cipher suites that are used to form the TLS connection.
| TLS is recommended on Kafka clients and virtual clusters for production configurations. |
Examples below illustrate how these steps may be done.
Using an empty object ({}) enables TLS using the platform’s defaults. This means that platform trust, and
default protocols and cipher suites will be used. This option is suitable if the upstream cluster is using a TLS
certificate signed by a public CA and the platform’s defaults are suitable.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls: {}
# ...If it is using a TLS certificate signed by a private CA, you must add truststore configuration for the target cluster. The example illustrates using PKCS #12 format. PEM format is supported too.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
trust:
storeFile: <path>/trust.p12 (1)
storePassword:
passwordFile: <path>/store.password (2)
storeType: PKCS12 (3)
# ...| 1 | PKCS #12 store for the public CA certificate of the Kafka cluster. |
| 2 | Password to access the public Kafka cluster CA certificate. |
| 3 | (Optional) Keystore type. If a keystore type is not specified, the default JKS (Java Keystore) type is used. |
For mutual TLS, add a keystore configuration for the virtual cluster. The following example uses a PEM format server certificate and key pair. PKCS #12 keystore format is supported too.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
key:
privateKeyFile: <path>/client.key (1)
certificateFile: <path>/client.crt (2)
# ...| 1 | Private key of the virtual cluster. |
| 2 | Public CA certificate of the virtual cluster. |
The TLS protocols and cipher suites available to the TLS connection may also be configured.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
# ...
protocols:
allowed: (1)
- TLSv1.3
- TLSv1.2| 1 | List of allowed TLS protocols. |
virtualClusters:
- name: my-cluster-proxy
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
# ...
protocols:
denied: (1)
- TLSv1.1| 1 | List of disallowed TLS protocols. |
virtualClusters:
- name: my-cluster-proxy
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
# ...
cipherSuites:
allowed: (1)
- TLS_ECDHE_ECDSA_WITH_AES_256_CCM
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM| 1 | List of allowed cipher suites. |
virtualClusters:
- name: my-cluster-proxy
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
# ...
cipherSuites:
denied: (1)
- TLS_KRB5_WITH_3DES_EDE_CBC_MD5| 1 | List of disallowed cipher suites. |
For the purposes of testing (that is, outside a production environment), you can set the insecure property to true
to disable TLS trust checks (hostname verification and certificate validation) so that the Kroxylicious can connect to
any Kafka cluster.
virtualClusters:
- name: my-cluster-proxy
targetCluster:
bootstrapServers: dev-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093
tls:
trust:
insecure: true
# ...2.7. Configuring other Virtual Cluster settings
2.7.1. Per-virtual cluster logging
You can enable low level logging on a per-virtual cluster basis.
The logNetwork property controls logging of information about requests and responses at the network level, before they’ve been decoded into Kafka requests and responses.
The logFrames property controls logging of the decoded requests and responses.
# ...
virtualClusters:
- name: my-cluster-proxy
# ...
logNetwork: true (1)
logFrames: true (2)
# ...| 1 | Enables low-level network logging for the virtual cluster. |
| 2 | Enables low-level protocol frame logging for the virtual cluster. |
2.8. Configuring other top level settings
2.8.1. Management HTTP endpoints
The proxy can run an HTTP server for exposing basic management information.
This is configured with the top level management property.
management property# ... (filterDefinitions, virtualClusters etc)
management:
bindAddress: 0.0.0.0 (1)
port: 9190 (2)
endpoints: (3)
prometheus: {} (4)| 1 | The address the HTTP server should bind to. Defaults to 0.0.0.0. |
| 2 | The port the HTTP server should bind to. Defaults to 9190. |
| 3 | Control over the exposed endpoints |
| 4 | If present and not null, exposes a Prometheus scrape endpoint at path /metrics. |
2.9. Example Kroxylicious configuration
-
Virtual clusters that represent the Kafka clusters
-
Network addresses for broker communication in a Kafka cluster
-
Filters to introduce additional functionality to the Kafka deployment
In this example, configuration for the Record Encryption filter is shown.
filterDefinitions: (1)
- name: encryption
type: RecordEncryption (2)
config: (3)
kms: VaultKmsService
kmsConfig:
vaultTransitEngineUrl: https://vault.vault.svc.cluster.local:8200/v1/transit
vaultToken:
passwordFile: /opt/proxy/server/token.txt
tls: (4)
key:
storeFile: /opt/cert/server.p12
storePassword:
passwordFile: /opt/cert/store.password
keyPassword:
passwordFile: /opt/cert/key.password
storeType: PKCS12
selector: TemplateKekSelector
selectorConfig:
template: "$(topicName)"
defaultFilters:
- encryption
virtualClusters: (5)
- name: my-cluster-proxy (6)
targetCluster:
bootstrapServers: my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093 (7)
tls: (8)
trust:
storeFile: /opt/proxy/trust/ca.p12
storePassword:
passwordFile: /opt/proxy/trust/ca.password
gateways: (9)
- name: mygateway
sniHostIdentifiesNode: (10)
bootstrapAddress: my-cluster-proxy.kafka:9092 (11)
advertisedBrokerAddressPattern: broker$(nodeId).my-cluster-proxy.kafka
tls: (12)
key:
storeFile: /opt/proxy/server/key-material/keystore.p12
storePassword:
passwordFile: /opt/proxy/server/keystore-password/storePassword| 1 | A list of named filter configurations. |
| 2 | The type of filter, which is the Record Encryption filter using Vault as the KMS in this example. |
| 3 | The configuration specific to the type of filter. |
| 4 | If required, you can also specify the credentials for TLS authentication with the KMS, with key names under which TLS certificates are stored. |
| 5 | Virtual cluster configuration. |
| 6 | The name of the virtual cluster. |
| 7 | The bootstrap address of the target physical Kafka Cluster being proxied. |
| 8 | TLS configuration for the connection to the target cluster. |
| 9 | The gateway of the virtual cluster defining how the virtual cluster is presented to the network. |
| 10 | The identification scheme used to route traffic to brokers, which can be sniHostIdentifiesNode or portIdentifiesNode. |
| 11 | The hostname and port of the bootstrap used by the Kafka clients to connect to the gateway. The hostname must be resolved by the clients. |
| 12 | TLS encryption used by the gateway for securing connections with the clients. |
3. Built-in filters
Kroxylicious comes with a suite of built-in filters designed to enhance the functionality and security of your Kafka clusters.
3.1. Record Encryption filter
The Kroxylicious Record Encryption filter enables encryption-at-rest for Apache Kafka clusters. For information on using the filter, see the Kroxylicious Record Encryption guide.
3.2. (Preview) Multi-tenancy filter
Kroxylicious’s Multi-tenancy filter presents a single Kafka cluster to tenants as if it were multiple clusters. Operations are isolated to a single tenant by prefixing resources with an identifier.
| This filter is currently in incubation and available as a preview. We would not recommend using it in a production environment. |
The Multi-tenancy filter works by intercepting all Kafka RPCs (remote procedure calls) that reference resources, such as topic names and consumer group names:
- Request path
-
On the request path, resource names are prefixed with a tenant identifier.
- Response path
-
On the response path, the prefix is removed.
Kafka RPCs that list resources are filtered so that only resources belonging to the tenant are returned, effectively creating a private cluster experience for each tenant.
To set up the filter, configure it in Kroxylicious.
| While the Multi-tenancy filter isolates operations on resources, it does not isolate user identities across tenants. User authentication and ACLs (Access Control Lists) are shared across all tenants, meaning that identity is not scoped to individual tenants. For more information on open issues related to this filter, see Kroxylicious issues. |
| For more information on Kafka’s support for multi-tenancy, see the Apache Kafka website. |
3.2.1. (Preview) Setting up the Multi-tenancy filter
This procedure describes how to set up the Multi-tenancy filter by configuring it in Kroxylicious.
The filter dynamically prefixes resource names to create isolation between tenants using the same Kafka cluster.
The prefix representing a tenant is taken from the name of the virtual cluster representing the tenant.
For example, if the virtual cluster is named tenant-1, the prefix is tenant-1.
Each tenant must be represented by a unique virtual cluster, and virtual cluster names must be globally unique within the Kroxylicious configuration.
This means that the same virtual cluster name cannot be used to represent different Kafka clusters.
-
An instance of Kroxylicious. For information on deploying Kroxylicious, see the samples and examples.
-
A config map for Kroxylicious that includes the configuration for creating virtual clusters and filters.
-
A virtual cluster definition for each tenant using the Kafka cluster. You need at least two virtual clusters to apply multi-tenancy.
-
Configure a
MultiTenanttype filter.filterDefinitions: - name: my-multi-tenant-filter type: MultiTenant config: prefixResourceNameSeparator: "." (1)1 The separator used for the prefix. If a separator is not specified, -is the default.Currently, only the prefix with separator is validated. -
Verify that multi-tenancy filtering has been applied.
For example, create a topic through each virtual cluster and check that the topics are prefixed with the name of the corresponding virtual cluster.
For more information, see the example for a Kubernetes environment.
3.3. (Preview) Record Validation filter
The Record Validation filter validates records sent by a producer. Only records that pass the validation are sent to the broker. This filter can be used to prevent poison messages—such as those containing corrupted data or invalid formats—from entering the Kafka system, which may otherwise lead to consumer failure.
The filter currently supports two modes of operation:
-
Schema Validation ensures the content of the record conforms to a schema stored in an Apicurio Registry.
-
JSON Syntax Validation ensures the content of the record contains syntactically valid JSON.
Validation rules can be applied to check the content of the Kafka record key or value.
If the validation fails, the product request is rejected and the producing application receives an error response. The broker will not receive the rejected records.
| This filter is currently in incubation and available as a preview. We would not recommend using it in a production environment. |
3.3.1. (Preview) Setting up the Record Validation filter
This procedure describes how to set up the Record Validation filter. Provide the filter configuration and rules that the filter uses to check against Kafka record keys and values.
-
An instance of Kroxylicious. For information on deploying Kroxylicious, see the samples and examples.
-
A config map for Kroxylicious that includes the configuration for creating a virtual cluster.
-
Apicurio Registry (if wanting to use Schema validation).
-
Configure a
RecordValidationtype filter.
filterDefinitions:
- name: my-record-validation
type: RecordValidation
config:
rules:
- topicNames: (1)
- <topic name>
keyRule:
<rule definition> (2)
valueRule:
<rule definition> (3)
defaultRule: (4)
keyRule:
<rule definition> (2)
valueRule:
<rule definition> (3)| 1 | List of topic names to which the validation rules will be applied. |
| 2 | Validation rules that are applied to the record’s key. |
| 3 | Validation rules that are applied to the record’s value. |
| 4 | (Optional) Default rule that is applied to any topics for which there is no explict rule defined. |
Replace the token <rule definition> in the YAML configuration with either a Schema Validation rule or a JSON Syntax Validation rule depending on your requirements.
The Schema Validation rule validates that the key or value matches a schema identified by its global ID within an Apicurio Schema Registry.
If the key or value does not adhere to the schema, the record will be rejected.
Additionally, if the kafka producer has embedded a global ID within the record it will be validated against the global ID defined by the rule. If they do not match, the record will be rejected. See the
Apicurio documentation for details
on how the global ID could be embedded into the record.
The filter supports extracting ID’s from either the Apicurio globalId record header or from the initial bytes of the serialized content itself.
schemaValidationConfig:
apicurioGlobalId: 1001 (1)
apicurioRegistryUrl: http://registry.local:8080 (2)
allowNulls: true (3)
allowEmpty: true (4)| 1 | Apicurio registry global ID identifying the schema that will be enforced. |
| 2 | Apicurio Registry endpoint. |
| 3 | if true, the validator allows keys and or values to be null. The default is false. |
| 4 | if true, the validator allows keys and or values to be empty. The default is false. |
| Schema validation mode currently has the capability to enforce only JSON schemas (issue) |
The JSON Syntax Validation rule validates that the key or value contains only syntactically correct JSON.
syntacticallyCorrectJson:
validateObjectKeysUnique: true (1)
allowNulls: true (2)
allowEmpty: true (3)| 1 | If true, the validator enforces that objects keys must be unique. The default is false. |
| 2 | if true, the validator allows keys and or values to be null. The default is false. |
| 3 | if true, the validator allows keys and or values to be empty. The default is false. |
3.4. OAUTHBEARER validation
OauthBearerValidation filter enables a validation on the JWT token received from client before forwarding it to cluster.
If the token is not validated, then the request is short-circuited. It reduces resource consumption on the cluster when a client sends too many invalid SASL requests.
3.4.1. How to use the filter
There are two steps to using the filter.
-
Configuring the filter within Kroxylicious.
Configuring the filter within Kroxylicious.
filterDefinitions:
- name: my-oauth-filter
type: OauthBearerValidation
config:
jwksEndpointUrl: https://oauth/JWKS (1)
jwksEndpointRefreshMs: 3600000 (2)
jwksEndpointRetryBackoffMs: 100 (3)
jwksEndpointRetryBackoffMaxMs: 10000 (4)
scopeClaimName: scope (5)
subClaimName: sub (6)
authenticateBackOffMaxMs: 60000 (7)
authenticateCacheMaxSize: 1000 (8)
expectedAudience: https://first.audience, https//second.audience (9)
expectedIssuer: https://your-domain.auth/ (10)| 1 | The OAuth/OIDC provider URL from which the provider’s JWKS (JSON Web Key Set) can be retrieved. |
| 2 | The (optional) value in milliseconds for the broker to wait between refreshing its JWKS (JSON Web Key Set) cache that contains the keys to verify the signature of the JWT. |
| 3 | The (optional) value in milliseconds for the initial wait between JWKS (JSON Web Key Set) retrieval attempts from the external authentication provider. |
| 4 | The (optional) value in milliseconds for the maximum wait between attempts to retrieve the JWKS (JSON Web Key Set) from the external authentication provider. |
| 5 | This (optional) setting can provide a different name to use for the scope included in the JWT payload’s claims. |
| 6 | This (optional) setting can provide a different name to use for the subject included in the JWT payload’s claims. |
| 7 | The (optional) maximum value in milliseconds to limit the client sending authenticate request. Setting 0 will never limit the client. Otherwise, an exponential delay is added to each authenticate request until the authenticateBackOffMaxMs has been reached. |
| 8 | The (optional) maximum number of failed tokens kept in cache. |
| 9 | The (optional) comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences. |
| 10 | The (optional) setting for the broker to use to verify that the JWT was created by the expected issuer. |
Note: OauthBearer config follows kafka’s properties
4. Community filters
Community contributed filters are showcased in the Community Gallery.
| These filters are contributed by the community and are not managed or maintained by the Kroxylicious team. Use them at your own risk. |
5. Monitoring proxies
Kroxylicious supports key observability features to help you understand the performance and health of your proxy instances.
The Kroxylicious Proxy supports real-time monitoring and alerting by emitting system metrics. You can configure metric emission within the proxy and integrate it with a monitoring system like Prometheus to ingest and analyze the data.
The Kroxylicious Proxy writes a log so that its actions may be understood over time. You can adjust log levels and customize logging as described in this section.
5.1. Introducing metrics
If you want to introduce metrics to your Kroxylicious deployment, you can configure an insecure HTTP and Prometheus endpoint (at /metrics).
Add the following to the ConfigMap resource that defines the Kroxylicious configuration:
management:
endpoints:
prometheus: {}By default, the HTTP endpoint listens on 0.0.0.0:9190.
You can change the bind address and port as follows:
management:
bindAddress: 127.0.0.1
port: 9999
endpoints:
prometheus: {}5.2. Overview of proxy metrics
The proxy provides metrics for both connections and messages. These metrics are categorized into downstream (client-side) and upstream (broker-side) groups They allow users to assess the impact of the proxy and its filters on their Kafka system.
-
Connection metrics count the connections made from the downstream (incoming connections from the clients) and the connection made by the proxy to upstream (outgoing connections to the Kafka brokers).
-
Message metrics count the number of Kafka protocol request and response messages that flow through the proxy.
5.2.1. Connection metrics
Connection metrics count the TCP connections made from the client to the proxy (kroxylicious_client_to_proxy_request_total) and from the proxy to the broker (kroxylicious_proxy_to_server_connections_total).
These metrics count connection attempts, so the connection count is incremented even if the connection attempt ultimately fails.
In addition to the count metrics, there are error metrics.
* If an error occurs whilst the proxy is accepting a connection from the client the kroxylicious_client_to_proxy_errors_total metric is incremented by one.
* If an error occurs whilst the proxy is attempting a connection to a broker the kroxylicious_proxy_to_server_errors_total metric is incremented by one.
Connection and connection error metrics include the following labels: virtual_cluster (the virtual cluster’s name) and node_id (the broker’s node ID).
When the client connects to the boostrap endpoint of the virtual cluster, a node ID value of bootstrap is recorded.
The kroxylicious_client_to_proxy_errors_total metric also counts connection errors that occur before a virtual cluster has been identified.
For these specific errors, the virtual_cluster and node_id labels are set to an empty string ("").
Error conditions signaled within the Kafka protocol response (such as RESOURCE_NOT_FOUND or UNKNOWN_TOPIC_ID) are not classed as errors by these metrics.
|
| Metric Name | Type | Labels | Description |
|---|---|---|---|
|
Counter |
|
Incremented by one every time a connection is accepted from a client by the proxy. |
|
Counter |
|
Incremented by one every time a connection is closed due to any downstream error. |
|
Counter |
|
Incremented by one every time a connection is made to the server from the proxy. |
|
Counter |
|
Incremented by one every time a connection is closed due to any upstream error. |
5.2.2. Message metrics
Message metrics count, and record the sizes of, the Kafka protocol requests and responses that flow through the proxy.
Use these metrics to help understand: * the number of messages flowing through the proxy. * the overall volume of data through the proxy. * the effect the filters are having on the messages.
-
Downstream metrics
-
kroxylicious_client_to_proxy_request_totalcounts requests as they arrive from the client. -
kroxylicious_proxy_to_client_response_totalcounts responses as they are returned to the client. -
kroxylicious_client_to_proxy_request_size_bytesis incremented by the size of each request as it arrives from the client. -
kroxylicious_proxy_to_client_response_size_bytesis incremented by the size of each response as it is returned to the client.
-
-
Upstream metrics
-
kroxylicious_proxy_to_server_request_totalcounts requests as they go to the broker. -
kroxylicious_proxy_to_server_response_totalcounts responses as they are returned by the broker. -
kroxylicious_proxy_to_server_request_size_bytesis incremented by the size of each request as it goes to the broker. -
kroxylicious_proxy_to_server_response_size_bytesis incremented by the size of each response as it is returned by the broker.
-
The size recorded is the encoded size of the protocol message. It includes the 4 byte message size.
Filters can alter the flow of messages through the proxy or the content of the message. This is apparent through the metrics. * If a filter sends a short-circuit, or closes a connection the downstream message counters will exceed the upstream counters. * If a filter changes the size of the message, the downstream size metrics will be different to the upstream size metrics.
Message metrics include the following labels: virtual_cluster (the virtual cluster’s name), node_id (the broker’s node ID), api_key (the message type), api_version, and decoded (a flag indicating if the message was decoded by the proxy).
When the client connects to the boostrap endpoint of the virtual cluster, metrics are recorded with a node ID value of bootstrap.
| Metric Name | Type | Labels | Description |
|---|---|---|---|
|
Counter |
|
Incremented by one every time a request arrives at the proxy from a client. |
|
Counter |
|
Incremented by one every time a request goes from the proxy to a server. |
|
Counter |
|
Incremented by one every time a response arrives at the proxy from a server. |
|
Counter |
|
Incremented by one every time a response goes from the proxy to a client. |
|
Distribution |
|
Incremented by the size of the message each time a request arrives at the proxy from a client. |
|
Distribution |
|
Incremented by the size of the message each time a request goes from the proxy to a server. |
|
Distribution |
|
Incremented by the size of the message each time a response arrives at the proxy from a server. |
|
Distribution |
|
Incremented by the size of the message each time a response goes from the proxy to a client. |
5.3. Ingesting metrics
Metrics from the Kroxylicious Proxy can be ingested into your Prometheus instance.
Configure the scrape_configs property to enable
Prometheus to scrape the monitors from your proxy instances.
scrape_configs:
- job_name: 'kroxylicious'
static_configs:
- targets: ['proxyhost:9190'] (1)| 1 | The host that is running the kroxylicious instance and the port number assigned to management. |
5.4. Integrating Micrometer
Kroxylicious integrates with Micrometer for gathering metrics.
Micrometer provides a simple facade over instrumentation clients for popular observability systems, allowing you to instrument your JVM-based application code without vendor lock-in.
The following example shows how to define the CommonTagsHook and StandardBindersHook types to add a label to metrics and register a JVM metrics binder.
management:
endpoints:
prometheus: {}
micrometer:
- type: "CommonTagsHook" (1)
config:
commonTags:
zone: "euc-1a" (2)
- type: "StandardBindersHook" (3)
config:
binderNames:
- "JvmGcMetrics" (4)| 1 | Specifies the CommonTagsHook type to add common tags to all metrics. |
| 2 | Adds common tag zone euc-1a to all metrics in the global registry included with Micrometer, which appears as a label in Prometheus. |
| 3 | Specifies the StandardBindersHook type to register standard Micrometer binders. |
| 4 | Registers the JvmGcMetrics binder with the global registry. |
Prometheus is connected to the Micrometer global registry, so filters can record metrics against it as part of the Prometheus scrape data.
Using the curl localhost:9190/metrics command shows metrics as follows:
jvm_gc_memory_allocated_bytes_total{zone="euc-1a",} 0.05.4.1. Common tags
Add common tags for metrics to appear as labels in the Prometheus scrape.
- type: "CommonTagsHook"
config:
commonTags:
zone: "euc-1a"
owner: "team-a"5.4.2. Standard binders
Micrometer uses the concept of meter binders to register metrics that provide information about the state of some aspect of the application or its container. By registering standard binders included with Micrometer, you can expose metrics about the JVM and system, such as JVM memory usage and garbage collection.
micrometer:
- type: "StandardBindersHook"
config:
binderNames:
- "JvmGcMetrics"
- "JvmHeapPressureMetrics"| Name | Micrometer class |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
5.4.3. Using Micrometer with filters
Use the static methods of Micrometer Metrics to register metrics with the global registry.
Alternatively, use Metrics.globalRegistry to get a reference to the global registry.
Metrics registered this way are automatically available through the Prometheus scrape endpoint.
5.5. Setting log levels
The Kroxylicious binary distribution includes log4j2 as the default logging backend.
When using the bin/kroxylicious-start.sh script from the binary distribution, you can set an environment variable to load a custom log4j2 configuration file or change the root logging level.
log4j2 fileKROXYLICIOUS_LOGGING_OPTIONS="-Dlog4j2.configurationFile=/path/to/custom/log4j2.yaml"KROXYLICIOUS_ROOT_LOG_LEVEL="DEBUG"
Setting the root log level to DEBUG or TRACE will produce very verbose logs.
|
6. Trademark notice
-
Apache Kafka is a registered trademark of The Apache Software Foundation.
-
Kubernetes is a registered trademark of The Linux Foundation.
-
Prometheus is a registered trademark of The Linux Foundation.
-
Strimzi is a trademark of The Linux Foundation.
-
Hashicorp Vault is a registered trademark of HashiCorp, Inc.
-
AWS Key Management Service is a trademark of Amazon.com, Inc. or its affiliates.
-
Fortanix and Data Security Manager are trademarks of Fortanix, Inc.