confluent-kafka-fips

packaged by Chainguard

A wolfi-based image tailored for Confluent Kafka, incorporating the required bouncycastle FIPS modules (bcfips) to facilitate operation in FIPS mode.

Both OpenJDK and Confluent Kafka have been configured to use the BouncyCastle FIPS API at their core. The included bcfips module meets FIPS 140-2 compliance requirements and is accredited under FIPS certificate 4616.

Disclaimers

Configuring Confluent Kafka to operate in FIPS mode is complex. This document condenses the instructions for demonstration purposes and should not be treated as a replacement for the official documentation.

CLASSPATH

This image sets the CLASSPATH environment variable to point towards the bcfips libraries:

export CLASSPATH="/usr/share/java/bouncycastle-fips/*"

If you override CLASSPATH, make sure this path is still included; otherwise the BouncyCastle FIPS provider will not be found at startup.

KRaft vs Zookeeper

Confluent Kafka supports both KRaft and Zookeeper for operation. However, the project is moving away from Zookeeper and recommends using KRaft. For that reason, and to simplify the configuration steps, this document assumes the use of KRaft.

If you opt to use Zookeeper, refer to the upstream documentation for additional steps and instructions required.

Step 1: Create BCFKS keystore

Running Confluent Kafka in FIPS mode requires the use of FIPS compliant BCFKS keystores. These need to be created separately, before launching the Confluent Kafka container image(s).

The BCFKS keystores need to be generated on a separate image which does NOT have the BCFIPS JDK running in strict mode. This is because the keytool application is hardcoded to call new SecureRandom(), which is not permitted in strict mode.

Example using a wolfi-base container to generate a BCFKS keystore (the host's current directory is mounted at /tmp/keystore, so the generated file ends up next to where you run docker):

docker run -v $(pwd):/tmp/keystore -it cgr.dev/chainguard/wolfi-base:latest sh
...

# inside the wolfi-base container:
apk update && apk add curl openjdk-17-default-jvm

# java.security overrides, passed to keytool via -J-Djava.security.properties below
echo "securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS" > kc-keystore.java.security

# https://www.bouncycastle.org/fips-java for latest `bc-fips` version
curl https://downloads.bouncycastle.org/fips-java/bc-fips-<VERSION>.jar \
-o bc-fips.jar

# writes server.keystore.bcfks into the mounted directory; the file name matches
# the path mounted into the Kafka container in Step 2
keytool -v -keystore /tmp/keystore/server.keystore.bcfks \
  -J--add-exports=java.base/sun.security.provider=ALL-UNNAMED \
  -storetype bcfks \
  -providername BCFIPS \
  -alias CARoot \
  -storepass '<DESIRED-KEYSTORE-PASSWORD>' \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath bc-fips.jar \
  -genkeypair -sigalg SHA512withRSA -keyalg RSA \
  -dname CN=localhost \
  -J-Djava.security.properties=kc-keystore.java.security

Step 2: Running Confluent Kafka

After generating the necessary keystores and truststores, launch Confluent Kafka and mount them (CONTAINER_NAME and KAFKA_PORT are placeholders; export them before running):

docker run -it --rm \
  -v $(pwd)/server.keystore.bcfks:/etc/kafka/secrets/server.keystore.bcfks \
  -v $(pwd)/server.truststore.bcfks:/etc/kafka/secrets/server.truststore.bcfks \
  --name "${CONTAINER_NAME}" \
  -h kafka-kraft \
  -p "${KAFKA_PORT}":9092 \
  -e KAFKA_NODE_ID=1 \
  -e KAFKA_LISTENER_SECURITY_PROTOCOL_MAP='CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT' \
  -e KAFKA_ADVERTISED_LISTENERS='PLAINTEXT://kafka-kraft:29092,PLAINTEXT_HOST://localhost:9092' \
  -e KAFKA_JMX_PORT=9101 \
  -e KAFKA_JMX_HOSTNAME=localhost \
  -e KAFKA_PROCESS_ROLES='broker,controller' \
  -e KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1 \
  -e KAFKA_CONTROLLER_QUORUM_VOTERS='1@kafka-kraft:29093' \
  -e KAFKA_LISTENERS='PLAINTEXT://kafka-kraft:29092,CONTROLLER://kafka-kraft:29093,PLAINTEXT_HOST://0.0.0.0:9092' \
  -e KAFKA_INTER_BROKER_LISTENER_NAME='PLAINTEXT' \
  -e KAFKA_CONTROLLER_LISTENER_NAMES='CONTROLLER' \
  -e KAFKA_SSL_KEYSTORE_TYPE='BCFIPS' \
  -e KAFKA_SSL_KEYSTORE_LOCATION='/etc/kafka/secrets/server.keystore.bcfks' \
  -e KAFKA_SSL_KEYSTORE_PASSWORD='<KEYSTORE-PASSWORD>' \
  -e KAFKA_SSL_TRUSTSTORE_TYPE='BCFIPS' \
  -e KAFKA_SSL_TRUSTSTORE_LOCATION='/etc/kafka/secrets/server.truststore.bcfks' \
  -e KAFKA_SSL_TRUSTSTORE_PASSWORD='<TRUSTSTORE-PASSWORD>' \
  -e CLUSTER_ID='MkU3OEVBNTcwNTJENDM2Qk' \
  cgr.dev/chainguard/confluent-kafka-fips:latest

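The launch command above wires the BCFKS keystore and truststore into the broker, but every listener in KAFKA_LISTENER_SECURITY_PROTOCOL_MAP is mapped to PLAINTEXT, so in this demonstration the FIPS stores are loaded yet no listener terminates TLS with them. The following is an added example, not code from the Chainguard image or from Confluent: a small Python checker that reads the KAFKA_* environment as a dict (the same keys the docker run -e flags set), confirms the store types are BCFIPS, and reports every listener whose traffic is not TLS-protected. The function names (check_fips_config, parse_listeners, parse_protocol_map) and the constructed TLS_ENV variant are assumptions of this example.

```python
"""Sanity-check a Confluent Kafka FIPS launch configuration.

Added example; not part of the Chainguard image or of Confluent's tooling.
Input is the KAFKA_* environment as a dict, i.e. the keys set by the
`docker run -e` flags in Step 2. Listener hosts are handled as hostnames or
IPv4 addresses only (bracketed IPv6 hosts are not matched by the regex).
"""
import re
from typing import Dict, List, Tuple

# Protocols that put TLS on the wire and therefore exercise the BCFKS stores.
SECURE_PROTOCOLS = {"SSL", "SASL_SSL"}

# Constructed sample: the environment from the Step 2 `docker run` command.
DEMO_ENV: Dict[str, str] = {
    "KAFKA_LISTENER_SECURITY_PROTOCOL_MAP": "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT",
    "KAFKA_LISTENERS": "PLAINTEXT://kafka-kraft:29092,CONTROLLER://kafka-kraft:29093,PLAINTEXT_HOST://0.0.0.0:9092",
    "KAFKA_INTER_BROKER_LISTENER_NAME": "PLAINTEXT",
    "KAFKA_SSL_KEYSTORE_TYPE": "BCFIPS",
    "KAFKA_SSL_KEYSTORE_LOCATION": "/etc/kafka/secrets/server.keystore.bcfks",
    "KAFKA_SSL_TRUSTSTORE_TYPE": "BCFIPS",
    "KAFKA_SSL_TRUSTSTORE_LOCATION": "/etc/kafka/secrets/server.truststore.bcfks",
}

# Constructed variant (assumption of this example): the same stores, but every
# listener mapped to SSL so the BCFKS keystore actually terminates broker TLS.
TLS_ENV: Dict[str, str] = dict(
    DEMO_ENV,
    KAFKA_LISTENER_SECURITY_PROTOCOL_MAP="CONTROLLER:SSL,SSL:SSL,SSL_HOST:SSL",
    KAFKA_LISTENERS="SSL://kafka-kraft:29092,CONTROLLER://kafka-kraft:29093,SSL_HOST://0.0.0.0:9092",
    KAFKA_INTER_BROKER_LISTENER_NAME="SSL",
)

_LISTENER_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)://(?P<host>[^:/]*):(?P<port>\d+)$")


def parse_protocol_map(value: str) -> Dict[str, str]:
    """'NAME:PROTOCOL,NAME:PROTOCOL' -> {NAME: PROTOCOL} (protocol upper-cased)."""
    out: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, proto = item.partition(":")
        out[name.strip()] = proto.strip().upper()
    return out


def parse_listeners(value: str) -> List[Tuple[str, str, int]]:
    """'NAME://host:port,...' -> [(NAME, host, port)]; host may be empty (all interfaces)."""
    out: List[Tuple[str, str, int]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = _LISTENER_RE.match(item)
        if m is None:
            raise ValueError(f"malformed listener entry: {item!r}")
        out.append((m["name"], m["host"], int(m["port"])))
    return out


def check_fips_config(env: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    for key in ("KAFKA_SSL_KEYSTORE_TYPE", "KAFKA_SSL_TRUSTSTORE_TYPE"):
        if env.get(key, "").upper() != "BCFIPS":
            findings.append(f"{key} is {env.get(key)!r}; FIPS mode needs the BCFIPS (BCFKS) store type")
    for key in ("KAFKA_SSL_KEYSTORE_LOCATION", "KAFKA_SSL_TRUSTSTORE_LOCATION"):
        if not env.get(key):
            findings.append(f"{key} is not set")

    proto_map = parse_protocol_map(env.get("KAFKA_LISTENER_SECURITY_PROTOCOL_MAP", ""))
    uses_tls = False
    for name, host, port in parse_listeners(env.get("KAFKA_LISTENERS", "")):
        # Kafka's rule: a listener name absent from the map is itself the protocol.
        proto = proto_map.get(name, name.upper())
        if proto in SECURE_PROTOCOLS:
            uses_tls = True
        elif host not in ("localhost", "127.0.0.1"):
            findings.append(f"listener {name} on {host or '*'}:{port} uses {proto}; traffic is unencrypted")
    if env.get("KAFKA_SSL_KEYSTORE_LOCATION") and not uses_tls:
        findings.append("SSL keystore configured but no listener uses SSL or SASL_SSL, so it is never exercised")

    ib = env.get("KAFKA_INTER_BROKER_LISTENER_NAME")
    if ib and proto_map.get(ib, ib.upper()) not in SECURE_PROTOCOLS:
        findings.append(f"inter-broker listener {ib} is not TLS-protected")
    return findings


if __name__ == "__main__":
    for label, env in (("demo (Step 2 as written)", DEMO_ENV), ("all listeners on SSL", TLS_ENV)):
        print(f"== {label}")
        for finding in check_fips_config(env) or ["no findings"]:
            print(" -", finding)
```

Run against DEMO_ENV the checker reports the three PLAINTEXT listeners, the unused keystore and the PLAINTEXT inter-broker listener; against TLS_ENV it reports nothing. A store type other than BCFIPS (for example a JKS keystore left over from a non-FIPS deployment) is flagged regardless of the listener layout.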
Licenses

Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image; for a complete list of licenses, refer to this image's SBOM.

Compliance

Chainguard Containers are SLSA Level 3 compliant, with detailed metadata and documentation about how they were built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.

This image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.

This is a FIPS validated image for FedRAMP compliance.

This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG, with reports available.

Categories: FIPS, STIG