Production Kafka with Strimzi

Your development cluster works perfectly on Docker Desktop. One broker, ephemeral storage, no authentication. But production is a different world.

In production, Kafka clusters must survive broker failures without data loss. They must encrypt traffic to prevent eavesdropping. They must authenticate clients to prevent unauthorized access. And they must have enough resources to handle peak load without throttling.

The gap between your development setup and production readiness is significant. Chapter 4 got Kafka running quickly. This chapter makes it production-grade.

Development vs Production: The Gap

Before diving into configuration, understand what changes between environments:

Every difference addresses a specific production failure mode. Let's configure each one.

Separate Controller and Broker Node Pools

In Chapter 4, you deployed a single node running both controller and broker roles. This works for development but creates problems in production:

1. Blast radius: A controller failure takes down message processing
2. Scaling constraints: Controllers don't need to scale like brokers
3. Resource contention: Controller metadata operations compete with broker I/O

Production clusters separate these roles into dedicated node pools.

Controller Node Pool

Controllers manage cluster metadata through Raft consensus. They don't handle client traffic.

Key production settings:

Broker Node Pool

Brokers handle producer/consumer traffic and store message data. They scale based on throughput requirements.

Key production settings:

Why Separate Pools?

The separation creates independent failure domains:

Benefits:

• Scale brokers independently (add broker-3, broker-4 for more throughput)
• Controller failure doesn't stop message processing (existing brokers continue)
• Different resource profiles (controllers need less memory, brokers need more)

TLS Encryption

In development, you used the plain listener on port 9092. Production traffic should be encrypted.

Update Kafka CRD for TLS

Key security settings:

How Strimzi Handles Certificates

Strimzi automatically manages TLS certificates:

1. Cluster CA: Signs broker certificates; clients verify server identity
2. Clients CA: Signs client certificates (for mTLS); brokers verify client identity
3. Auto-renewal: Strimzi rotates certificates before expiration

You don't need to manually create certificates. Strimzi's Entity Operator handles the PKI lifecycle.

To extract the CA certificate for clients:

Clients use this CA certificate to verify they're connecting to the real Kafka cluster, not an impersonator.

SCRAM-SHA-512 Authentication

TLS encrypts traffic but doesn't identify clients. Add authentication so only authorized clients can connect.

Create KafkaUser with ACLs

ACL breakdown:

Apply the user:

Output:

Retrieve Credentials

Strimzi stores the generated password in a Kubernetes Secret:

For a Python producer, you'd configure authentication like this:

Critical settings for authenticated connections:

Resource Limits and Requests

Production clusters need explicit resource boundaries. Without them:

• Pods get OOMKilled during traffic spikes
• Other workloads starve when Kafka uses all available resources
• Capacity planning becomes guesswork

Sizing Guidelines

JVM heap sizing rules:

• Set -Xmx to half the memory limit
• Leave the other half for OS page cache (critical for read performance)
• Set -Xms equal to -Xmx for predictable performance

Example for a broker with 8Gi memory limit:

Persistent Storage Configuration

Production data must survive pod restarts. Configure storage classes that match your cloud provider:

Key settings:

Storage Sizing Formula

Round up and add 20% headroom for operational flexibility.

Complete Production Configuration

Here's the full production deployment combining all security and reliability settings:

Verifying Production Readiness

After applying the production configuration:

Expected output:

Migration Path: Development to Production

If you have an existing development cluster, here's the migration approach:

1. Create new production node pools alongside existing dual-role pool
2. Apply updated Kafka CRD with new listeners and replication settings
3. Wait for Strimzi to redistribute partitions to new brokers
4. Create KafkaUser resources for all clients
5. Update client configurations to use TLS + authentication
6. Remove development node pool once all traffic migrated

Strimzi handles partition redistribution automatically when you add brokers. The migration can be done with zero downtime.

---

Reflect on Your Skill

You built a kafka-events skill in Chapter 1. Test and improve it based on what you learned.

Test Your Skill

Identify Gaps

Ask yourself:

• Did my skill include TLS listener configuration and certificate management?
• Did it cover SCRAM user authentication and ACL setup?

Improve Your Skill

If you found gaps:

---

Try With AI

You've configured production Kafka with security and reliability features. Now explore how to validate and optimize your configuration.

Prompt 1: Security Audit

What you're learning: Security configuration involves tradeoffs between usability and protection. AI can help you understand your threat model and prioritize hardening efforts.

Prompt 2: Capacity Planning

What you're learning: Capacity planning requires understanding the relationship between throughput, retention, replication, and resources. AI can teach you the formulas while applying them to your specific scenario.

Prompt 3: Troubleshooting Production Issues

What you're learning: Production debugging requires correlating symptoms with root causes. AI can help you develop a systematic troubleshooting methodology for distributed systems.

Safety note: Always test configuration changes in a staging environment before production. Incorrect authentication or replication settings can cause client failures or data loss. Keep your development cluster configuration separate so you can iterate quickly without risking production.