
Confluent Schema Registry

This page describes how to configure a SchemaRegistry resource for the Confluent Schema Registry API. The resource defines the connection details for a registry that is compatible with the Confluent Schema Registry API.

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    description: "An optional description"
    # ssl configuration is optional.
    sslConf:
      # Explicitly set, but assumed 'true' if not present.
      enabled: true
      # Optional. Configure an explicit CA for server authentication.
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt
      # Optional. Set a client certificate if the server requires it.
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      # Optional. Set a client key if the server requires it. PKCS#8 only.
      privateKeyPemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.key
      # Optional. Set the password to unlock the client's private key.
      privateKeyPasswordFrom:
        secretKeyRef:
          name: tls-key-password
          key: password

The Confluent API is accessed using the HTTP Basic authentication scheme and/or mTLS, depending on the registry configuration. You will likely need to define a corresponding Credentials resource and reference it in your SchemaRegistryBackup.

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: http-basic-creds
spec:
  httpBasic:
    usernameFrom:
      secretKeyRef:
        name: http-basic-creds-secret
        key: username
    passwordFrom:
      secretKeyRef:
        name: http-basic-creds-secret
        key: password
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: http-basic-creds-secret
data:
  username: <username base64>
  password: <password base64>

To enable SSL/TLS, you need to define the sslConf property in accordance with your particular situation.

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    sslConf:
      # Explicitly set, but assumed 'true' if not present.
      enabled: true
      # Optional. Configure an explicit CA for server authentication.
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt
      # Optional. Set a client certificate if the server requires it.
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      # Optional. Set a client key if the server requires it. PKCS#8 only.
      privateKeyPemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.key
      # Optional. Set the password to unlock the client's private key.
      privateKeyPasswordFrom:
        secretKeyRef:
          name: tls-key-password
          key: password

In the simplest case, define sslConf with only an enabled: true property:

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    sslConf:
      enabled: true

This is enough when:

  • the server does not require additional authentication from the client (through a client certificate), and
  • the server’s certificate can be validated with the ca-certificates package included in Kannika Armory’s image.

If the server’s certificate needs to be validated with a custom CA (self-signed certificate), then use the caCertificatePemFrom field to reference a secret in PEM format.

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    sslConf:
      caCertificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: ca.crt

In some rare cases, the server may require TLS authentication from the client. In this situation, load the certificate and key in a secret and configure sslConf accordingly:

apiVersion: kannika.io/v1alpha
kind: SchemaRegistry
metadata:
  name: confluent-registry
spec:
  confluent:
    url: https://somewhere.out.there
    sslConf:
      enabled: true
      certificatePemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.crt
      privateKeyPemFrom:
        secretKeyRef:
          name: tls-secret
          key: tls.key
  • explicitly set using a secret in PEM format with caCertificatePemFrom.
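As an added example (not part of the Kannika documentation), a small Python helper that builds the two Secrets referenced by the Credentials and sslConf manifests above: it base64-encodes the data entries and refuses a client private key that is not PKCS#8, the only format privateKeyPemFrom accepts. Secret names, the username/password and the PEM bodies are constructed placeholders.

```python
import base64
import json

# Kannika's privateKeyPemFrom accepts PKCS#8 only, so a key whose header is
# "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN EC PRIVATE KEY" (SEC1) must be
# converted to PKCS#8 before it is stored in the secret.
PKCS8_HEADERS = {
    "-----BEGIN PRIVATE KEY-----": "pkcs8",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
}
LEGACY_HEADERS = {
    "-----BEGIN RSA PRIVATE KEY-----": "pkcs1",
    "-----BEGIN EC PRIVATE KEY-----": "sec1",
}

def key_format(pem: str) -> str:
    """Classify a private-key PEM by its first header line."""
    lines = [l.strip() for l in pem.splitlines() if l.strip()]
    first = lines[0] if lines else ""
    return PKCS8_HEADERS.get(first) or LEGACY_HEADERS.get(first, "unknown")

def b64(value: str) -> str:
    """Encode a value the way the data: section of a Secret expects it."""
    return base64.b64encode(value.encode()).decode()

def secret(name: str, data: dict) -> dict:
    """Opaque Secret manifest with every data entry base64-encoded."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {k: b64(v) for k, v in data.items()}}

def tls_secret(name: str, ca_pem: str, cert_pem: str, key_pem: str) -> dict:
    """Secret behind the *PemFrom references of sslConf; PKCS#8 keys only.
    An encrypted PKCS#8 key is accepted but then needs privateKeyPasswordFrom."""
    fmt = key_format(key_pem)
    if fmt not in PKCS8_HEADERS.values():
        raise ValueError(f"privateKeyPemFrom requires a PKCS#8 key, got {fmt}")
    return secret(name, {"ca.crt": ca_pem, "tls.crt": cert_pem, "tls.key": key_pem})

def basic_auth_secret(name: str, username: str, password: str) -> dict:
    """Secret behind the httpBasic Credentials resource."""
    return secret(name, {"username": username, "password": password})

if __name__ == "__main__":
    # Constructed placeholder PEM bodies; real ones come from your PKI.
    ca = "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n"
    crt = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
    # JSON is valid YAML, so the output can be applied with kubectl as-is.
    print(json.dumps(tls_secret("tls-secret", ca, crt, key), indent=2))
    print(json.dumps(basic_auth_secret("http-basic-creds-secret", "admin", "s3cret"), indent=2))
```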