Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0
Authentication with schema registry using Strimzi-Generated scram-sha-512 credentials #4724

Open snophey opened 4 months ago

snophey commented 4 months ago

Feature or Problem Description

A schema registry is a common companion to a Kafka deployment. Strimzi is a project that provides a set of operators for running Kafka on Kubernetes. One of the nice features offered by Strimzi is the ability to provision Kafka users using the KafkaUser custom resource. One way to authenticate with Kafka would be using SCRAM-SHA-512 credentials (username and password). Strimzi generates these credentials and places them in a secret. It would be nice if we could re-use these credentials to also authenticate with the schema registry. This would eliminate the need to manage another set of credentials and reduce the number of required additional components (such as Keycloak).

Proposed Solution

I have a pull request with a possible solution in my fork of this repository. The basic idea is to extend the registry with a StrimziIdentityProvider which, when enabled, will take the basic auth credentials from an incoming request and validate them against the relevant Strimzi-generated credentials inside the configured Kubernetes namespace.

Additional Context

From what I have seen so far, this solution integrates nicely with owner-only authorization.
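The validation flow proposed above, as an added sketch that is not part of the original post and not the code from the linked pull request. It assumes the Strimzi-generated Secret is named after the KafkaUser, carries the label `strimzi.io/kind: KafkaUser`, and stores the password base64-encoded under the `password` key; the in-memory `SECRETS` dict stands in for a Kubernetes API lookup, and all names and values are hypothetical.

```python
import base64
import binascii
import hmac
import re

# Kubernetes object names are DNS subdomains; reject anything else before lookup.
K8S_NAME = re.compile(r"[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?")

# Constructed sample data standing in for Secrets read from the Kubernetes API
# (assumed Strimzi layout; user names and passwords are made up).
SECRETS = {
    ("kafka", "orders-service"): {
        "labels": {"strimzi.io/kind": "KafkaUser"},
        "data": {"password": base64.b64encode(b"s3cr3t-from-strimzi").decode()},
    },
    ("kafka", "registry-tls"): {  # unrelated Secret: must never authenticate
        "labels": {},
        "data": {"password": base64.b64encode(b"whatever").decode()},
    },
}

def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None

def authenticate(header, namespace, secrets=SECRETS):
    """Return the authenticated user name, or None if the request is rejected."""
    creds = parse_basic_auth(header)
    if creds is None or not K8S_NAME.fullmatch(creds[0]):
        return None
    username, password = creds
    secret = secrets.get((namespace, username), {})
    # Only Secrets labelled as KafkaUser credentials may back a login.
    trusted = secret.get("labels", {}).get("strimzi.io/kind") == "KafkaUser"
    stored = base64.b64decode(secret.get("data", {}).get("password", "")) if trusted else b""
    # Constant-time comparison; an empty stored password never matches.
    matches = hmac.compare_digest(stored, password.encode("utf-8"))
    return username if trusted and stored and matches else None
```

The label check matters because the user name from the request selects which Secret is read: without it, any Secret in the namespace that happens to have a `password` key would work as a login.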

apicurio-bot[bot] commented 4 months ago

Thank you for reporting an issue!

Pinging @jsenko to respond or triage.