Discovery API

About the Discovery API

The Discovery API provides client applications and distributors with the endpoint information of the cluster to connect to and regularly checks the availability of the target clusters.

It can be installed on multiple clusters, each with its own settings, but all installations will be aware of all clusters in the instance.

Enabling authentication

Discovery API supports two types of authentication

Basic authentication
Mutual TLS

Both Basic and Mutual TLS authentication can be enabled at the same time. Below are the scenarios how clients will be authenticated if both options are enabled.

If mTLS is enabled and set to NEED, client will be authenticated using mTLS only.
If mTLS is enabled and set to WANT and during connection to Discovery API client provides the certificates, then client will be authenticated using mTLS.
If mTLS is set to WANT and during connection to Discovery API client don’t provide certificates, then client will be authenticated using Basic authentication.

Enabling Basic authentication

If SASL is enabled in the platform deployment, you can enable basic authentication. In this approach each connection to the SSL endpoint must provide a valid username and password. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual CLI

Add or modify the following configuration in the Discovery API config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/discovery-api.sh

# Disables Basic auth for cluster cluster1 and enables it for the cluster cluster2. These clusters are defined in this config as well
SECURITY_BASIC_AUTH_ENABLED=cluster1:false,cluster2:true

# Instance-api url
SECURITY_BASIC_AUTH_AUTHENTICATION_URL="https://<hostname>:<port>/credentials/authorize"

You need to add Discovery API client certificate CN to Instance-API config INSTANCE_API_AUTHORIZED_CNS so that Discovery API can access Instance-API for authentication.

Example: Assuming Discovery API CN is Axual Local Discovery API Client

INSTANCE_API_AUTHORIZED_CNS="'Interservice Client, Axual Local Schema Registry Client, Axual Local Discovery API Client'"

Using Axual Helm Charts

Open the values.yaml for your instance and add the following configuration and update

platform:
  instance:
    discoveryapi:
      security:
        basicAuth:
          enabled: true
          # Override Instance API URL if it runs outside the K8S cluster
          #authenticationUrlOverride: ""

You need to add Discovery API client certificate CN to Instance-API config security.authorizedDns so that Discovery API can access Instance-API for authentication.

Example: Assuming Discovery API CN is Axual Local Discovery API Client

platform:
  instance:
    instanceapi:
      security:
        enabled: true
        authorizedDns: "Interservice Client, Axual Local Schema Registry Client, Axual Local Discovery API Client"

Enabling authentication with a client certificate (Mutual TLS)

The Discovery API has support for authentication with Mutual TLS. In this approach each connection to the SSL endpoint must provide a client certificate signed by a certificate authority trusted in the instance. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual CLI

Add or modify the following configuration in the Discovery API config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/discovery-api.sh

# Disables mTLS for cluster cluster1 and requires it for the cluster cluster2. These clusters are defined in this config as well
# Valid values are:
# -'need' , server demands that the client provides a certificate
# -'want' , server request that the client provides a certificate, but will not fail if none is supplied. Often used with Basic Auth enabled as an alternative authentication mechanism
# -'none' , server does not ask for any client certificate
DISCOVERYAPI_SERVER_SSL_CLIENT_AUTH=cluster1:none,cluster2:need

Using Axual Helm Charts

Open the values.yaml for your instance and add the following configuration and update

platform:
  instance:
    discoveryapi:
     tls:
       # Server uses TLS to secure the services
       serverEnabled: true
       # Enable client authentication (MTLS) want / need / none
       clientAuth: none

Enabling Multi Cluster Support

Discovery service can be configured to handle multi-cluster instances. Each cluster might have its own configuration to handle different operations such as topic resolution

This multi cluster configuration is only available through Axual Helm Charts

Using Axual Helm Charts

Following is an example for a 2 cluster setup. Open the values.yaml for your instance and add the following configuration and update. The values of the configuration might differ in different situations.

platform:
  instance:
    clusters: "local remote"
    graph:
      root: "1:local,remote"
    discoveryClusterDetails:
      remote.bootstrap: "platform.remote:9094"
      remote.bootstrap.intercluster: "platform.remote:9095"
      remote.schemas.url: "https://platform.remote:26000"
      remote.rest.url: "https://platform.remote:18222"
      remote.network.provider: "local"
      remote.topic.resolver: "io.axual.common.resolver.TopicPatternResolver"
      remote.topic.pattern: "{tenant}_{instance}_{environment}_{topic}"
      remote.group.id.resolver: "io.axual.common.resolver.GroupPatternResolver"
      remote.group.id.pattern: "{tenant}_{instance}_{environment}_{group}"
      remote.transactional.id.pattern: "{tenant}_{instance}_{environment}_{app.id}_{transactional.id}"
      remote.transactional.id.resolver: "io.axual.common.resolver.TransactionalIdPatternResolver"
      remote.url: "https://remote-cluster-api:9080"

that each remote cluster should have respective configurations under discoveryClusterDetails as shown above.

Following is an example that you can use in case you have more than 2 clusters

platform:
  instance:
    clusters: "c1 c2 c3 c4"
    graph:
      root: "8:cluster_group1,cluster_group2"
      cluster_group1: "1:c1,c2"
      cluster_group2: "1:c3,c4"
    discoveryClusterDetails:
      c1.bootstrap: "c1.remote:9094"
      ...
      c2.bootstrap: "c2.remote:9094"
      ...
      c3.bootstrap: "c3.remote:9094"
      ...
      c4.bootstrap: "c4.remote:9094"
      ...