Confluent Schema Registry
Configuration
Kpow connects to a Schema registry with environment variables.
Variable | Description |
---|---|
SCHEMA_REGISTRY_NAME | UI and logs friendly name for this Schema registry |
SCHEMA_REGISTRY_URL | The client connection URL for your registry |
SCHEMA_REGISTRY_AUTH | USER_INFO if basic authentication is configured |
SCHEMA_REGISTRY_USER | Username if basic authentication is configured |
SCHEMA_REGISTRY_PASSWORD | Password if basic authentication is configured |
SCHEMA_REGISTRY_RESOURCE_IDS | Optional, comma separated list of unique ids. Only specify when configuring multiple schema registries. |
SCHEMA_REGISTRY_OBSERVATION_VERSION | Optional, sets the observation version used to snapshot schema resources. Default=1. See Observation Version. |
SSL configuration
The following environment variables can be used to configure Confluent schema registry connections with mutual-TLS:
Variable | Description |
---|---|
SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION | Location of the keystore file |
SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD | Password to access the keystore file |
SCHEMA_REGISTRY_SSL_KEYSTORE_KEY | Specific key to use within the keystore |
SCHEMA_REGISTRY_SSL_KEY_PASSWORD | Password to access the key within the keystore |
SCHEMA_REGISTRY_SSL_KEYSTORE_TYPE | Keystore type |
SCHEMA_REGISTRY_SSL_KEYMANAGER_ALGORITHM | Keymanager algorithm |
SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION | Location of the truststore file |
SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD | Password to access the truststore file |
SCHEMA_REGISTRY_SSL_TRUSTSTORE_TYPE | Truststore type |
SCHEMA_REGISTRY_SSL_TRUSTMANAGER_ALGORITHM | Trustmanager algorithm |
SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM | SSL endpoint identification algorithm |
SCHEMA_REGISTRY_SSL_PROVIDER | SSL provider |
SCHEMA_REGISTRY_SSL_CIPHER_SUITES | SSL cipher suites |
SCHEMA_REGISTRY_SSL_PROTOCOL | SSL protocol |
SCHEMA_REGISTRY_SSL_ENABLED_PROTOCOLS | SSL enabled protocols |
SCHEMA_REGISTRY_SSL_SECURE_RANDOM_IMPLEMENTATION | SSL secure random implementation |
SCHEMA_REGISTRY_SSL_KEYSTORE_CERTIFICATE_CHAIN | SSL keystore certificate chain |
SCHEMA_REGISTRY_SSL_TRUSTSTORE_CERTIFICATES | SSL truststore certificates |
SCHEMA_REGISTRY_SSL_ENGINE_FACTORY_CLASS | SSL engine factory class |
OAuth configuration
The following environment variables can be used to configure a Confluent Schema Registry connection to Confluent Cloud via OAuth.
See the Confluent Cloud guide to Schema Registry OAuth for more information.
Variable | Description |
---|---|
SCHEMA_REGISTRY_BEARER_AUTH_CREDENTIALS_SOURCE | OAUTHBEARER or SASL_OAUTHBEARER_INHERIT |
SCHEMA_REGISTRY_BEARER_AUTH_TOKEN | Bearer Auth token |
SCHEMA_REGISTRY_BEARER_AUTH_ISSUER_ENDPOINT_URL | OpenID provider URL |
SCHEMA_REGISTRY_BEARER_AUTH_CLIENT_ID | Client ID |
SCHEMA_REGISTRY_BEARER_AUTH_CLIENT_SECRET | Client secret |
SCHEMA_REGISTRY_BEARER_AUTH_SCOPE | Scope |
SCHEMA_REGISTRY_BEARER_AUTH_SCOPE_CLAIM_NAME | Scope claim name |
SCHEMA_REGISTRY_BEARER_AUTH_SUB_CLAIM_NAME | Scope sub claim name |
SCHEMA_REGISTRY_BEARER_AUTH_LOGICAL_CLUSTER | LSRC resource ID |
SCHEMA_REGISTRY_BEARER_AUTH_IDENTITY_POOL_ID | Identity pool ID |
SCHEMA_REGISTRY_BEARER_AUTH_CACHE_EXPIRY_BUFFER_SECONDS | Cache expiry buffer seconds |
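
The variables in the three tables above interact, and a mismatch usually surfaces only as a failed connection or as credentials sent over plain HTTP. The following pre-flight check is an added example, not part of Kpow: `lint_registry_env` is a hypothetical helper, the sample values are constructed, and it assumes the `SCHEMA_REGISTRY_SSL_*` values carry the same meaning as the matching Kafka client `ssl.*` settings (an empty endpoint identification algorithm turns hostname verification off).

```python
from urllib.parse import urlparse

P = "SCHEMA_REGISTRY_"
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def lint_registry_env(env):
    """Return findings for a dict of SCHEMA_REGISTRY_* settings (empty list = clean)."""
    get = lambda k: env.get(P + k, "").strip()
    out = []
    url = urlparse(get("URL"))
    if url.scheme not in ("http", "https") or not url.netloc:
        out.append("URL: missing or not an http(s) URL")
    if url.username or url.password:
        out.append("URL: credentials embedded in URL; use USER and PASSWORD")
    # Basic auth needs both halves.
    if get("AUTH") == "USER_INFO":
        out += [f"{k}: required when AUTH=USER_INFO" for k in ("USER", "PASSWORD") if not get(k)]
    # Any configured secret would cross the wire in cleartext over http.
    secrets = ("PASSWORD", "BEARER_AUTH_TOKEN", "BEARER_AUTH_CLIENT_SECRET")
    if url.scheme == "http" and any(get(k) for k in secrets):
        out.append("URL: secrets configured but scheme is http")
    # TLS settings are inert unless the registry URL is https.
    if url.scheme == "http" and any(k.startswith(P + "SSL_") for k in env):
        out.append("SSL_*: set, but URL is not https")
    # Assumption: an empty value disables hostname verification, as in Kafka clients.
    ident = P + "SSL_ENDPOINT_IDENTIFICATION_ALGORITHM"
    if ident in env and not env[ident].strip():
        out.append("SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: empty, hostname check off")
    protos = {p.strip() for p in get("SSL_ENABLED_PROTOCOLS").split(",")} | {get("SSL_PROTOCOL")}
    for p in sorted(protos & LEGACY_TLS):
        out.append(f"SSL protocols: legacy version {p} enabled")
    # OAuth: the client secret is posted to the issuer endpoint, so it must be https.
    issuer = get("BEARER_AUTH_ISSUER_ENDPOINT_URL")
    if issuer and urlparse(issuer).scheme != "https":
        out.append("BEARER_AUTH_ISSUER_ENDPOINT_URL: not https")
    return out

# Constructed sample environments (hostnames and credentials are placeholders).
WEAK = {P + "URL": "http://registry.example.internal:8081", P + "AUTH": "USER_INFO",
        P + "PASSWORD": "example-password", P + "SSL_ENABLED_PROTOCOLS": "TLSv1.1,TLSv1.2",
        P + "SSL_ENDPOINT_IDENTIFICATION_ALGORITHM": ""}
FIXED = {P + "URL": "https://registry.example.internal:8081", P + "AUTH": "USER_INFO",
         P + "USER": "kpow", P + "PASSWORD": "example-password",
         P + "SSL_TRUSTSTORE_LOCATION": "/etc/kpow/truststore.jks",
         P + "SSL_ENABLED_PROTOCOLS": "TLSv1.2,TLSv1.3"}

if __name__ == "__main__":
    for name, env in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, lint_registry_env(env) or "ok")
```

Pass `dict(os.environ)` to run the same check against the environment Kpow will actually start with.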
Observation version
To control how Kpow snapshots schemas, use the SCHEMA_REGISTRY_OBSERVATION_VERSION environment variable to set the observation version.
By default, when SCHEMA_REGISTRY_OBSERVATION_VERSION is set to 1, Kpow follows a two-step process to capture schema metadata. First, it retrieves all schema names with a single query. Then, with the specified parallelism level, it makes two REST calls for each schema: one to fetch metadata and another to fetch compatibility.
This method provides the most context at an aggregate level, but can be resource-intensive for larger schema registries, as the number of REST calls increases proportionally to the number of schemas.
Alternatively, when SCHEMA_REGISTRY_OBSERVATION_VERSION is set to 2 (Confluent only), Kpow uses a single-step process to capture schema metadata. It makes a single REST call to fetch all schemas, including their metadata. This approach can be much more efficient than version 1, but compatibility information is only available at the individual schema level in Kpow's UI.
Access control
User permissions to Kafka cluster resources are defined by Schema actions. See: User Authorization.