3:48 p.m.
Hi all,
We have a problem with settings of Apicurio Schema Registry. We have basic configuration
of Kafka cluster with SSL. But when we try to connect Apicurio with Kafka we get errors.
This is our docker script to run Apicurio.
docker run -it --env KAFKA_BOOTSTRAP_SERVERS=b-3.dev.kdm41f.c4.kafka.eu
<http://dev.kdm41f.c4.kafka.eu/>-central-1.amazonaws.com:9094 --env
'JAVA_OPTIONS=-Dquarkus.profile=prod
-D%prod.registry.streams.topology.security.protocol=SSL
-D%prod.registry.kafka.snapshot-consumer.security.protocol=SSL
-Dsecurity.protocol=SSL' apicurio/apicurio-registry-kafka:latest
Output:
…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
…..
I think that the first time Apicurio tries to connect it connects with PLAINTEXT (in red)
and second times it connects with SSL (in red).
Can you please help me to configurate Apicurio that use SSL?
Regards Janez Bindas
2:33 p.m.
Hi Janez. I'm not sure what might be going wrong with the SSL support.
We'll need to try and reproduce that locally. One thing I should mention
though is that you're using a deprecated storage mechanism. You should be
using this docker image if you want to use Kafka as the storage:
apicurio/apicurio-registry-streams
That uses Kafka Streams for storage - the plain kafka variant was
deprecated some time ago and will be removed in the next major release.
-Eric
On Sat, Nov 21, 2020 at 9:55 AM Janez Bindas <janez.bindas(a)gmail.com> wrote:
Hi all,
We have a problem with settings of Apicurio Schema Registry. We have basic
configuration of Kafka cluster with SSL. But when we try to connect
Apicurio with Kafka we get errors.
This is our docker script to run Apicurio.
docker run -it --env KAFKA_BOOTSTRAP_SERVERS=b-3.dev.kdm41f.c4.kafka.eu-
central-1.amazonaws.com:9094 --env 'JAVA_OPTIONS=-Dquarkus.profile=prod
-D%prod.registry.streams.topology.security.protocol=SSL
-D%prod.registry.kafka.snapshot-consumer.security.protocol=SSL
-Dsecurity.protocol=SSL' apicurio/apicurio-registry-kafka:latest
Output:
…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
…..
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
…..
I think that the first time Apicurio tries to connect it connects with
PLAINTEXT (in red) and second times it connects with SSL (in red).
Can you please help me to configurate Apicurio that use SSL?
Regards Janez Bindas
_______________________________________________
Apicurio mailing list -- apicurio(a)lists.jboss.org
To unsubscribe send an email to apicurio-leave(a)lists.jboss.org
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann(a)redhat.com
4:46 p.m.
OK Janez. I want to once again stress that you should be using the
-streams docker image instead of the -kafka one. Sorry for the confusion
on that. It's marked as deprecated but I realize that might not be readily
apparent!
Once you switch to the Streams image, you should be able to configure it
using Environment Variables:
These are environment variables used by the operator (streams):
QUARKUS_PROFILE = prod
KAFKA_BOOTSTRAP_SERVERS = [Provided by Strimzi, URL with TLS support]
APPLICATION_SERVER_HOST = [Pod IP]
APPLICATION_SERVER_PORT =9000
APPLICATION_ID = example-apicurioregistry
REGISTRY_PROPERTIES_PREFIX = REGISTRY_
REGISTRY_STREAMS_TOPOLOGY_SECURITY_PROTOCOL = SSL
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_LOCATION = [Provided by Strimzi,
mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_PASSWORD = [Provided by Strimzi,
secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_LOCATION =[Provided by Strimzi,
mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_PASSWORD [Provided by Strimzi,
secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SECURITY_PROTOCOL = SSL
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_LOCATION = [Provided by
Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_PASSWORD = [Provided by
Strimzi, secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_LOCATION = [Provided by
Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_PASSWORD = [Provided by
Strimzi, secret]
Hope this helps, I think it can be transformed into Java parameters if
needed, but I think for docker ENV vars are probably fine/better.
On Tue, Nov 24, 2020 at 8:33 AM Eric Wittmann <eric.wittmann(a)redhat.com>
wrote:
Hi Janez. I'm not sure what might be going wrong with the SSL
support.
We'll need to try and reproduce that locally. One thing I should mention
though is that you're using a deprecated storage mechanism. You should be
using this docker image if you want to use Kafka as the storage:
apicurio/apicurio-registry-streams
That uses Kafka Streams for storage - the plain kafka variant was
deprecated some time ago and will be removed in the next major release.
-Eric
On Sat, Nov 21, 2020 at 9:55 AM Janez Bindas <janez.bindas(a)gmail.com>
wrote:
> Hi all,
>
> We have a problem with settings of Apicurio Schema Registry. We have
> basic configuration of Kafka cluster with SSL. But when we try to connect
> Apicurio with Kafka we get errors.
>
> This is our docker script to run Apicurio.
>
> docker run -it --env KAFKA_BOOTSTRAP_SERVERS=b-3.dev.kdm41f.c4.kafka.eu-
> central-1.amazonaws.com:9094 --env 'JAVA_OPTIONS=-Dquarkus.profile=prod
> -D%prod.registry.streams.topology.security.protocol=SSL
> -D%prod.registry.kafka.snapshot-consumer.security.protocol=SSL
> -Dsecurity.protocol=SSL' apicurio/apicurio-registry-kafka:latest
>
>
> Output:
>
> …..
> sasl.login.refresh.window.jitter = 0.05
> sasl.mechanism = GSSAPI
> security.protocol = PLAINTEXT
> security.providers = null
> send.buffer.bytes = 131072
> …..
> sasl.login.refresh.window.jitter = 0.05
> sasl.mechanism = GSSAPI
> security.protocol = SSL
> security.providers = null
> send.buffer.bytes = 131072
> …..
>
> I think that the first time Apicurio tries to connect it connects with
> PLAINTEXT (in red) and second times it connects with SSL (in red).
>
> Can you please help me to configurate Apicurio that use SSL?
>
> Regards Janez Bindas
>
> _______________________________________________
> Apicurio mailing list -- apicurio(a)lists.jboss.org
> To unsubscribe send an email to apicurio-leave(a)lists.jboss.org
>
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann(a)redhat.com
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann(a)redhat.com
1248
days inactive
1251
days old
2 comments
2 participants
participants (2)
-
Eric Wittmann -
Janez Bindas