OK Janez. I want to once again stress that you should be using the
-streams docker image instead of the -kafka one. Sorry for the confusion
on that. It's marked as deprecated but I realize that might not be readily
apparent!
Once you switch to the Streams image, you should be able to configure it
using Environment Variables:
These are environment variables used by the operator (streams):
QUARKUS_PROFILE = prod
KAFKA_BOOTSTRAP_SERVERS = [Provided by Strimzi, URL with TLS support]
APPLICATION_SERVER_HOST = [Pod IP]
APPLICATION_SERVER_PORT = 9000
APPLICATION_ID = example-apicurioregistry
REGISTRY_PROPERTIES_PREFIX = REGISTRY_
REGISTRY_STREAMS_TOPOLOGY_SECURITY_PROTOCOL = SSL
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_KEYSTORE_PASSWORD = [Provided by Strimzi, secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_TOPOLOGY_SSL_TRUSTSTORE_PASSWORD = [Provided by Strimzi, secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SECURITY_PROTOCOL = SSL
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_KEYSTORE_PASSWORD = [Provided by Strimzi, secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_TYPE = PKCS12
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_LOCATION = [Provided by Strimzi, mounted secret]
REGISTRY_STREAMS_STORAGE-PRODUCER_SSL_TRUSTSTORE_PASSWORD = [Provided by Strimzi, secret]
Hope this helps, I think it can be transformed into Java parameters if
needed, but I think for docker ENV vars are probably fine/better.
On Tue, Nov 24, 2020 at 8:33 AM Eric Wittmann <eric.wittmann(a)redhat.com>
wrote:
Hi Janez. I'm not sure what might be going wrong with the SSL support.
We'll need to try and reproduce that locally. One thing I should mention
though is that you're using a deprecated storage mechanism. You should be
using this docker image if you want to use Kafka as the storage:
apicurio/apicurio-registry-streams
That uses Kafka Streams for storage - the plain kafka variant was
deprecated some time ago and will be removed in the next major release.
-Eric
On Sat, Nov 21, 2020 at 9:55 AM Janez Bindas <janez.bindas(a)gmail.com>
wrote:
> Hi all,
>
> We have a problem with settings of Apicurio Schema Registry. We have
> basic configuration of Kafka cluster with SSL. But when we try to connect
> Apicurio with Kafka we get errors.
>
> This is our docker script to run Apicurio.
>
> docker run -it --env KAFKA_BOOTSTRAP_SERVERS=b-3.dev.kdm41f.c4.kafka.eu-central-1.amazonaws.com:9094 --env 'JAVA_OPTIONS=-Dquarkus.profile=prod -D%prod.registry.streams.topology.security.protocol=SSL -D%prod.registry.kafka.snapshot-consumer.security.protocol=SSL -Dsecurity.protocol=SSL' apicurio/apicurio-registry-kafka:latest
>
>
> Output:
>
> …..
> sasl.login.refresh.window.jitter = 0.05
> sasl.mechanism = GSSAPI
> security.protocol = PLAINTEXT
> security.providers = null
> send.buffer.bytes = 131072
> …..
> sasl.login.refresh.window.jitter = 0.05
> sasl.mechanism = GSSAPI
> security.protocol = SSL
> security.providers = null
> send.buffer.bytes = 131072
> …..
>
> I think that the first time Apicurio tries to connect it connects with
> PLAINTEXT (in red) and the second time it connects with SSL (in red).
>
> Can you please help me configure Apicurio to use SSL?
>
> Regards Janez Bindas
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann(a)redhat.com
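
Added example, not part of the original thread and not Apicurio or Kafka code: a small audit of the client configuration dump that Kafka clients log at startup (the output quoted in the original question), reporting every client whose security.protocol is not TLS. The sample log, client ids and truststore path are constructed for illustration; the audit also flags a TLS client with no explicit truststore, which goes one step beyond what the thread discusses.

```python
import re

# Constructed sample in the shape of Kafka's startup config dump
# (one "<Kind>Config values:" header per client, then "key = value" lines).
SAMPLE_LOG = """\
INFO ConsumerConfig values:
\tclient.id = snapshot-consumer
\tsecurity.protocol = PLAINTEXT
\tsend.buffer.bytes = 131072
INFO StreamsConfig values:
\tapplication.id = example-apicurioregistry
\tsecurity.protocol = SSL
\tssl.truststore.location = /certs/ca.p12
INFO ProducerConfig values:
\tclient.id = storage-producer
\tsecurity.protocol = SSL
\tssl.truststore.location = null
"""

HEADER = re.compile(r"(\w+Config) values:\s*$")
SETTING = re.compile(r"^\s*([\w.\-]+) = (.*)$")
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}

def parse_config_blocks(log_text):
    """Split the log into one dict of settings per dumped client config."""
    blocks, current = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        setting = SETTING.match(line)
        if header:
            current = {"kind": header.group(1), "settings": {}}
            blocks.append(current)
        elif setting and current is not None:
            current["settings"][setting.group(1)] = setting.group(2).strip()
        elif line.strip():
            current = None  # any other log line ends the current dump
    return blocks

def audit(log_text):
    """Return (kind, client name, problem) for each client not properly on TLS."""
    findings = []
    for block in parse_config_blocks(log_text):
        s = block["settings"]
        name = s.get("client.id") or s.get("application.id") or "?"
        proto = s.get("security.protocol")
        if proto not in TLS_PROTOCOLS:
            findings.append((block["kind"], name, f"security.protocol={proto}"))
        elif s.get("ssl.truststore.location") == "null":
            findings.append((block["kind"], name,
                             "ssl.truststore.location unset (JVM default trust store)"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Run against a real startup log, each finding names the client whose settings did not pick up the intended prefix, which is the situation shown in the quoted output where one client logs PLAINTEXT and another SSL.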