Schema Registry
About the Schema Registry
The Schema Registry provides client applications with the Avro schemas available in a specific tenant.
The Schema Registry is always connected to a single Kafka Broker in the same cluster to allow for clusters to have different tenant/instance isolation patterns.
Enabling required authentication with a client certificate
The Schema Registry supports authentication with mutual TLS (mTLS). With this approach, each connection to the SSL endpoint must present a client certificate signed by a certificate authority trusted in the instance. This is disabled by default, but can be activated per cluster.
See the Deployment page for more information about the different service types, like cluster and instance services.
Using Axual CLI
Add or modify the following configuration in the Schema Registry config file for the tenant instance.
# Disables mTLS for cluster1 and enables it for cluster2. These clusters are also defined in this config file.
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
TLS Protocols and Cipher Suites
Want to enable other TLS protocol versions and cipher suites?
From |
If broker is set to use old TLS protocols (like |
If you still want to enable old TLS protocol versions, you can add them with the configuration below:
Using Axual CLI
Add or modify the following configuration in the Schema Registry config file for the tenant instance.
# Schema Registry Master
# Leave blank to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_MASTER_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_MASTER_CLIENT_SSL_CIPHER_SUITES=
# Schema Registry Slave
# Leave blank to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_SLAVE_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_SLAVE_CLIENT_SSL_CIPHER_SUITES=
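One way to check a tenant-instance config file for the settings described above, as an added example that is not part of the Axual documentation or tooling: the function names and the sample text are constructed for illustration, and only keys shown on this page are read. It reports clusters where a client certificate is not required and protocol lists that enable TLSv1 or TLSv1.1.

```python
import re

# Added example, not Axual code. TLSv1 and TLSv1.1 are deprecated by RFC 8996.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
PROTO_KEY = re.compile(r"^SR_(MASTER|SLAVE)_(SERVER|CLIENT)_SSL_PROTOCOLS$")

# Constructed sample in the KEY=VALUE format shown on this page.
SAMPLE = """\
# Schema Registry config (constructed)
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
SR_MASTER_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
SR_MASTER_CLIENT_SSL_PROTOCOLS="TLSv1.2"
SR_SLAVE_SERVER_SSL_PROTOCOLS=
SR_SLAVE_SERVER_SSL_CIPHER_SUITES=
"""

def parse(text):
    """Parse KEY=VALUE lines, skipping comments and stripping quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return sorted (key, detail) findings for mTLS and protocol settings."""
    settings = parse(text)
    findings = []
    # Per-cluster mTLS switch: "cluster:true|false" pairs, comma-separated.
    for pair in settings.get("SR_SLAVE_SSL_CLIENT_AUTH", "").split(","):
        cluster, sep, flag = pair.strip().partition(":")
        if sep and flag.strip().lower() != "true":
            findings.append(("SR_SLAVE_SSL_CLIENT_AUTH",
                             f"{cluster}: client certificate not required"))
    # Protocol lists: an empty value means defaults apply, so nothing is flagged.
    for key, value in settings.items():
        if PROTO_KEY.match(key):
            legacy = [p.strip() for p in value.split(",") if p.strip() in LEGACY]
            if legacy:
                findings.append((key, "legacy protocols enabled: " + ",".join(legacy)))
    return sorted(findings)

if __name__ == "__main__":
    for key, detail in audit(SAMPLE):
        print(f"{key}: {detail}")
```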
Using Axual Helm Charts
Edit the values.yaml for your instance and add the following configuration
platform:
  instance:
    schemaregistry:
      security:
        slave:
          server:
            # Leave blank to use Jetty’s defaults.
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
            cipherSuites:
          client:
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
            # If not configured, all the available cipher suites are supported.
            cipherSuites:
        master:
          server:
            # Leave blank to use Jetty’s defaults.
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
            cipherSuites:
          client:
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
            # If not configured, all the available cipher suites are supported.
            cipherSuites: