OK Janez.  I want to once again stress that you should be using the -streams docker image instead of the -kafka one.  Sorry for the confusion on that.  It's marked as deprecated but I realize that might not be readily apparent!

Once you switch to the Streams image, you should be able to configure it using Environment Variables:

These are environment variables used by the operator (streams):

QUARKUS_PROFILE = prod
KAFKA_BOOTSTRAP_SERVERS = [Provided by Strimzi, URL with TLS support]
APPLICATION_SERVER_HOST = [Pod IP]
APPLICATION_SERVER_PORT = 9000
APPLICATION_ID = example-apicurioregistry
REGISTRY_PROPERTIES_PREFIX = REGISTRY_
REGISTRY_STREAMS_TOPOLOGY_SECURITY_PROTOCOL = SSL

REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_PASSWORD = [Provided by Strimzi, secret]

REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_PASSWORD = [Provided by Strimzi, secret]

REGISTRY_STREAMS_STORAGE-PRODUCER_SECURITY_PROTOCOL = SSL

REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_PASSWORD = [Provided by Strimzi, secret]

REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_PASSWORD = [Provided by Strimzi, secret]

Hope this helps, I think it can be transformed into Java parameters if needed, but I think for docker ENV vars are probably fine/better.


On Tue, Nov 24, 2020 at 8:33 AM Eric Wittmann <eric.wittmann@redhat.com> wrote:
Hi Janez.  I'm not sure what might be going wrong with the SSL support.  We'll need to try and reproduce that locally.  One thing I should mention though is that you're using a deprecated storage mechanism.  You should be using this docker image if you want to use Kafka as the storage:

apicurio/apicurio-registry-streams

That uses Kafka Streams for storage - the plain kafka variant was deprecated some time ago and will be removed in the next major release.

-Eric


On Sat, Nov 21, 2020 at 9:55 AM Janez Bindas <janez.bindas@gmail.com> wrote:
Hi all,

We have a problem with settings of Apicurio Schema Registry. We have basic configuration of Kafka cluster with SSL. But when we try to connect Apicurio with Kafka we get errors.

This is our docker script to run Apicurio. 

docker run -it --env KAFKA_BOOTSTRAP_SERVERS=b-3.dev.kdm41f.c4.kafka.eu-central-1.amazonaws.com:9094 --env 'JAVA_OPTIONS=-Dquarkus.profile=prod -D%prod.registry.streams.topology.security.protocol=SSL -D%prod.registry.kafka.snapshot-consumer.security.protocol=SSL -Dsecurity.protocol=SSL' apicurio/apicurio-registry-kafka:latest


Output:

…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
…..

I think that the first time Apicurio tries to connect it connects with PLAINTEXT (in red) and the second time it connects with SSL (in red).

Can you please help me configure Apicurio to use SSL?

Regards, Janez Bindas

_______________________________________________
Apicurio mailing list -- apicurio@lists.jboss.org
To unsubscribe send an email to apicurio-leave@lists.jboss.org


--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His


--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann@redhat.com
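Janez's log shows the failure mode the variable list above is meant to prevent: one of the registry's Kafka clients silently stays on PLAINTEXT while the other uses SSL. The script below is an added example, not code from the Apicurio project or from anyone in this thread. It lints a docker --env-file (or a file generated from a Kubernetes manifest) for the -streams image, checking that both client blocks named by Eric, TOPOLOGY and STORAGE-PRODUCER, declare SECURITY_PROTOCOL=SSL together with keystore and truststore TYPE, LOCATION and PASSWORD. It reads the file with sed rather than shell variables because the STORAGE-PRODUCER names contain a hyphen, which bash rejects in `export` but docker and Kubernetes accept as an environment name. The sample file, its paths and its passwords are constructed placeholders; the Strimzi-mounted values would replace them in a real deployment.

```shell
#!/usr/bin/env bash
# Added example, not code from the Apicurio project or the thread above.
# Lints a docker --env-file for the apicurio-registry-streams image: both
# Kafka clients named in the thread (TOPOLOGY and STORAGE-PRODUCER) must
# declare SECURITY_PROTOCOL=SSL plus keystore/truststore TYPE, LOCATION and
# PASSWORD. All sample values below are constructed placeholders.

# env_get FILE KEY: print the (last) value of KEY from a KEY=VALUE env-file.
# sed is used because names such as REGISTRY_STREAMS_STORAGE-PRODUCER_...
# contain a hyphen and cannot be read as shell variables.
env_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_client FILE CLIENT: return 0 when CLIENT's SSL settings are complete;
# otherwise report each missing or wrong key on stderr and return 1.
check_client() {
  local file="$1" prefix="REGISTRY_STREAMS_$2" rc=0 store field key val
  val="$(env_get "$file" "${prefix}_SECURITY_PROTOCOL")"
  if [ "$val" != "SSL" ]; then
    echo "$prefix: SECURITY_PROTOCOL is '${val:-unset}', expected SSL" >&2
    rc=1
  fi
  for store in KEYSTORE TRUSTSTORE; do
    for field in TYPE LOCATION PASSWORD; do
      key="${prefix}_SSL_${store}_${field}"
      val="$(env_get "$file" "$key")"
      [ -n "$val" ] || { echo "$prefix: $key is unset" >&2; rc=1; }
    done
  done
  return "$rc"
}

# check_env_file FILE: 0 only when every client block passes.
check_env_file() {
  local client rc=0
  for client in TOPOLOGY STORAGE-PRODUCER; do
    check_client "$1" "$client" || rc=1
  done
  return "$rc"
}

# write_sample_env FILE: a constructed, complete env-file using the variable
# names from the thread. Bootstrap address, paths and passwords are placeholders.
write_sample_env() {
  cat > "$1" <<'EOF'
QUARKUS_PROFILE=prod
KAFKA_BOOTSTRAP_SERVERS=my-cluster-kafka-bootstrap:9093
APPLICATION_SERVER_PORT=9000
APPLICATION_ID=example-apicurioregistry
REGISTRY_PROPERTIES_PREFIX=REGISTRY_
REGISTRY_STREAMS_TOPOLOGY_SECURITY_PROTOCOL=SSL
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_TYPE=PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_LOCATION=/etc/kafka-certs/user.p12
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_PASSWORD=placeholder-user-password
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_TYPE=PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_LOCATION=/etc/kafka-certs/ca.p12
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_PASSWORD=placeholder-ca-password
REGISTRY_STREAMS_STORAGE-PRODUCER_SECURITY_PROTOCOL=SSL
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_TYPE=PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_LOCATION=/etc/kafka-certs/user.p12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_PASSWORD=placeholder-user-password
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_TYPE=PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_LOCATION=/etc/kafka-certs/ca.p12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_PASSWORD=placeholder-ca-password
EOF
}

# Stand-alone use: check the env-file given as $1, or the sample when none.
demo() {
  local f="${1:-}"
  if [ -z "$f" ]; then f="$(mktemp)"; write_sample_env "$f"; fi
  if check_env_file "$f"; then
    echo "OK: every Kafka client in $f is configured for SSL"
  else
    echo "FAIL: $f would leave a client on PLAINTEXT; fix the keys listed above"
  fi
}

demo "$@"
```

Run it as `bash check-registry-env.sh my.env` before `docker run --env-file my.env apicurio/apicurio-registry-streams`; a file that configures only the TOPOLOGY block, which is what Janez's -D flags amounted to for the deprecated image, fails with one line per missing STORAGE-PRODUCER key.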