Instances

Create the Instance

These steps create an Instance in the Axual Self-Service.

The steps below create a dta instance using the local cluster created in the previous step.

  1. Open the instances menu and press the Add instance button

    Self-Service Instances Menu
  2. Provide the Instance Details and press the Continue button

    1. Put Dev Test Acceptance as the Name

    2. Put dta as the ShortName

    3. Put DTA Instance as the Description

    Do not fill in the Instance Manager URL field. This field is for older installations and will be removed in future releases.
  3. Press the Select cluster button

    Self-Service Add Instance Details page
  4. Select the local cluster created in the previous step and press the Apply button

    Self-Service Select Cluster page
  5. Enable the Authentication Method for this Instance

    1. Toggle the SSL (MUTUAL TLS)

    2. Upload the Signing CA used to sign your application certificate

  6. Press the Add Instance button

    Self-Service Add Instance Security

Now you have successfully created an Instance in the Self-Service.

Self-Service Instance Create

Schema Registry Configuration

  1. Open the instances menu and select the freshly created Dev Test Acceptance instance

    Self-Service Add Apicurio Schema Registry Details page
  2. In the Clusters field, press Configure Cluster for the cluster local. A modal for configuring the Schema Registry will open.

    Self-Service Add Apicurio Schema Registry Details page
    1. Put https://apicurio.axual.dta.local/apis/registry/v2 as the Schema Registry URL

    2. Select Apicurio as the Schema Registry Type

    3. Select Basic Authentication as the Authentication Method

    4. Provide the Username and Password to authenticate the Self-Service against the Schema Registry

  3. Verify the Schema Registry details and connectivity by pressing the Verify button

    Self-Service Add Apicurio Schema Registry Details page
    For Apicurio Keycloak support for an Instance/Cluster, see the Apicurio Keycloak configuration steps.
  4. Once verified, you can press the Add listeners button to add Schema Registry Listeners. This step is optional.

    Schema Registry Listeners are a set of protocol:URL pairs. Kafka Clients use them to connect to the Schema Registry. You can add more listeners; they are not validated on our side.
  5. You can close the Instance/Cluster modal by pressing the Save button

    Self-Service Add Schema Registry Completed
  6. You can close the configuration modal

Environment Mapping

This setting allows a Tenant Admin to enable or disable mapping environments under an Instance, regardless of whether the user is an Environment Author.

When enabled (which is the default), an Environment Author can create an environment under that Instance.

When disabled, creating an environment under that Instance is not allowed, regardless of whether the user is an Environment Author.

If Environment Mapping is disabled for Instance 1 then:

  • No user can create a new Environment using Instance 1

  • No user can update an Environment to use Instance 1

  • No user can update an Environment using Instance 1 to use a different Instance

To enable environment mapping for an Instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Governance Settings, click on the Environment Mapping toggle

  6. Click Update Instance button

    Instance Governance Setting Section
You can also enable environment mapping when creating an instance from the Create Instance page.

Prevent Reuse of SSL certificate across a Tenant or an Instance

This setting allows a Tenant Admin to enable or disable creating Application authentications using an application-principal certificate that is already used by another Application authentication.

The Instance needs to have SSL (MUTUAL TLS) enabled as an Authentication Method.

On the "Instance" edit page, a Tenant Admin can configure the Certificate reuse prevention level in three different modes.

Instance SSL Certificate Prevention modes
  • None (Default): no restriction is applied for this Instance. Multiple applications can share the same SSL certificate as their application principal.

  • Instance: the restriction is applied for this Instance within its Instance scope. Multiple applications cannot share the same SSL certificate as their application principal in any Environment belonging to the Instance.

  • Tenant: the restriction is applied for this Instance within its Tenant scope. Multiple applications cannot share the same SSL certificate as their application principal in any Environment belonging to the Tenant.

    The restriction is applied only to new application principals.
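
The three prevention levels, modelled as an added example (not Axual's code and not part of the original page): `would_reject` applies the scope rule to a new application principal, and `shared_certificates` lists certificates that are already shared and that the setting therefore leaves in place. The `Principal` fields, the fingerprint as certificate identity, the inventory, and the rule that an application may reuse its own certificate are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Principal(NamedTuple):
    application: str
    environment: str
    instance: str
    fingerprint: str  # assumed certificate identity, e.g. SHA-256 of its DER


# Constructed inventory for one tenant; every name and fingerprint is made up.
EXISTING = [
    Principal("orders", "dev", "dta", "fp-aaa"),
    Principal("billing", "test", "dta", "fp-aaa"),  # shared inside instance dta
    Principal("reports", "live", "prod", "fp-bbb"),
    Principal("audit", "acc", "dta", "fp-bbb"),     # shared across instances
]


def would_reject(level, new, existing):
    """True if `new` is refused when new.instance is set to `level`
    ("None", "Instance" or "Tenant")."""
    if level == "None":
        return False
    for p in existing:
        if p.fingerprint != new.fingerprint or p.application == new.application:
            continue  # assumption: an application may reuse its own certificate
        if level == "Tenant" or p.instance == new.instance:
            return True
    return False


def shared_certificates(existing, scope):
    """Certificates already shared by several applications within `scope`.
    They remain valid: the restriction covers new principals only."""
    apps = defaultdict(set)
    for p in existing:
        key = (p.fingerprint,) if scope == "Tenant" else (p.instance, p.fingerprint)
        apps[key].add(p.application)
    return {k: sorted(v) for k, v in apps.items() if len(v) > 1}


if __name__ == "__main__":
    candidate = Principal("shipping", "live", "prod", "fp-aaa")
    for level in ("None", "Instance", "Tenant"):
        print(level, would_reject(level, candidate, EXISTING))
    print(shared_certificates(EXISTING, "Instance"))
    print(shared_certificates(EXISTING, "Tenant"))
```

Running the audit before raising the level shows which shared certificates need to be replaced by hand.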

Granular Stream Browse Permissions For An Instance

Granular stream browse permissions give a Tenant Admin instance-level access control over topics configured in all environments mapped to the Instance.

When enabled, all environments in the instance will support granular authorization.

When disabled (which is the default), all environments in the instance have the same authorization for both stream configuration and browse, which means no granular browse permission is applied to a topic.

To enable granular stream browse permissions for an instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Governance Settings, click on the Enable granular stream browse permissions toggle

  6. Click Update Instance button

    Instance Governance Setting Section
Disabling granular stream browse permissions on an instance that had it enabled leads to deletion of all existing Permission Groups.
You can also enable granular stream browse permissions when creating an instance from the create instance page.

Topic Owner Browse Permission For An Instance

A Tenant Admin can enable the Topic Owner browse permission toggle to allow Topic Owners to browse their topics, even when the Instance has the Granular Browse Permission enabled.

To enable the Topic Owner browse permission for an instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Governance Settings

    1. Click the Granular stream browse permissions toggle

    2. Click the Topic Owner browse permission toggle

  6. Click Update Instance button

    Instance Governance Setting Section
    This setting can only be enabled when Granular Browse permission is enabled.

Self Approval

This setting allows a Tenant Admin to enable or disable self approval for topic access requests under an Instance.

When enabled (which is the default), users can approve their own topic access requests.

When disabled, self-approval of topic access requests is not allowed: the user approving an access request must be different from the user who requested access.

To change self-approval for an Instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Governance Settings, click on the Self Approval toggle

  6. Click Update Instance button

    Instance Governance Setting Section
You can also enable self-approval when creating an instance from the Create Instance page.

KSML support for an Instance

When KSML is enabled for an Instance, KSML applications can be created in the Instance.

If KSML is enabled, the KSML Provisioner URL must be provided. The KSML Provisioner URL is the URL of the REST application used to provision KSML applications.

To enable KSML for an instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under KSML Support, click on the Enable KSML toggle

  6. Provide KSML Provisioner URL

  7. Click Update Instance button

    Enable KSML Feature

Connect support for an Instance

When Connect is enabled for an Instance, Connect applications can be created in the Instance.

If Connect is enabled, the Connect URL must be provided. The Connect URL is the HTTP URL of the Axual Connect REST API for managing Kafka Connectors. The URL is used to interact with the Axual Connect cluster.

To enable Connect for an instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Connect Support, click on the Enable Connect toggle

  6. Provide Connect URL

  7. Click Update Instance button

    Enable Connect Support
Please read more about installing connect plugins here: Installing Connect Plugins

Connect logging support for an Instance

When Connect logging is enabled for an Instance, Connect logging can be viewed for that Instance.

If Connect logging is enabled, Connect Certificates must be provided.

To enable Connect logging for an instance

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click Edit Instance button

  5. Under Connect Support, click on the Enable Connect toggle

  6. Provide Connect URL

  7. Under Connect Logging, click on the Enable Connect logging toggle

  8. Upload Connect Certificates

  9. Click Update Instance button

    Enable Connector Logging Support
Please read more about connector logging here: Enabling Connector logging into Kafka

Apicurio’s Keycloak support for an Instance

Apicurio’s Keycloak support is an optional configuration that allows storing Keycloak authentication details for an Instance Cluster. This configuration can only be performed by a Tenant Admin.

To use this feature, ensure the following prerequisites are met:

  1. The Instance Cluster is already configured with an Apicurio Schema Registry.

  2. The authentication method for the Apicurio Schema Registry is not set to No Authentication (i.e., any other authentication option must be selected).

Configure Apicurio Schema Registry for an Instance/Cluster

To configure your Instance with an Apicurio Schema Registry

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click the Configure Cluster button to configure the Apicurio Schema Registry Details for this Instance/Cluster

    1. Put https://apicurio.axual.dta.local/apis/registry/v2 as the Schema Registry URL

    2. Select Apicurio as the Schema Registry Type

    3. Select Basic Authentication as the Authentication Method

      1. Put the username used by Platform Manager to authenticate against Apicurio

      2. Put the password used by Platform Manager to authenticate against Apicurio

    4. Verify the Schema Registry details and connectivity by pressing the Verify button

      Self-Service Add Apicurio Schema Registry Details page
  5. You can now press the Save button to update the Instance Cluster

You can follow the steps in Instance Creation to configure additional instance settings before continuing with the Keycloak configuration.

Configure Apicurio’s Keycloak Details for an Instance/Cluster

  1. Log in as a Tenant Admin

  2. Move to the Instance page

  3. Select the Instance

  4. Click the Configure Cluster button to configure the Apicurio’s Keycloak Details for this Instance/Cluster

  5. At the bottom of the Schema Registry section, there is the Apicurio Keycloak form

    Self-Service Apicurio Keycloak Form
  6. Enter Apicurio Keycloak details

    1. Keycloak URL: Enter the base URL of the Apicurio’s Keycloak server with the /auth prefix (e.g. https://apicurio-keycloak/auth)

    2. Keycloak Master Realm: Specify the name of the master realm. Default value is master

    3. Keycloak Admin Username: Provide the Keycloak administrator username

    4. Keycloak Admin Password: Provide the Keycloak administrator password

    5. Keycloak Admin Client ID: Enter the admin client ID. Default value is admin-cli

    6. Keycloak Apicurio Realm: Specify the name of the Apicurio realm. Default value is apicurio

      Self-Service Configure Apicurio Keycloak
      Currently, to save the Apicurio’s Keycloak details, you need to provide the Apicurio Details credentials (username and password) again.
  7. Click the Save button to apply the Keycloak settings to the selected Instance/Cluster

If you have a Multi-Cluster Instance, you can configure Keycloak details independently for each cluster and choose not to configure Keycloak details for specific clusters.