Closed teebee closed 4 years ago
Hello @teebee, to be honest, I don't even know what this kind of authentication is.
Can you point me to some doc and sample on how it works and how to connect this kind of registry for a producer or consumer, please?
Currently, the `io.confluent.kafka.serializers.*` classes seem to lack appropriate direct configuration options. So you have to work around it using the corresponding JVM settings. See "Producer with Schema Registry connection not using ssl settings" for more. I hope to have some time next week to verify it.
BTW great work @tchiotludo
As I understand, since it was a hack for now from JVM options, you can trick it with `JAVA_OPTS` on docker image or `java ${JAVA_OPTS} -jar /app/kafkahq.jar` on standalone version.
It will need merge from https://github.com/confluentinc/schema-registry/pull/957 to be added on KafkaHQ
https://github.com/confluentinc/schema-registry/pull/957 has been merged ...
OK, will look at this. PRs are welcome since I don't really know how to have this env.
Hi @teebee, just had a look at this: the PR is merged but has not been released for now.
As I see it, this file: https://github.com/confluentinc/schema-registry/blob/0ec98b07ec0767775aa038faffb6c6e96335e047/client/src/main/java/io/confluent/kafka/schemaregistry/client/security/SslFactory.java is not in package 5.3.2 for now.
As I understand, it's this configuration that you want to be available on KafkaHQ?
Yes, this looks good. It's part of the recent 5.4.0 release.
Just added a new version on the `dev` docker image, can you test please?
I don't have any env to test.
Thanks
Hi,
So I'm running 5.4.0 locally and I'm trying to use the feature that you talked about here. Is my assumption correct that to use it I would have to execute something like:

```
kafka-avro-console-consumer --consumer.config certs.properties
```

and the content of the properties file would be:

```
security.protocol=SSL
ssl.truststore.location=<path-truststore>
ssl.truststore.password=<password>
ssl.keystore.location=<path-keystore>
ssl.keystore.password=<password>
ssl.key.password=<password>
```
As I understand quickly, yes (but I don't have time to look further).
If it works, then you could use the same properties in KafkaHQ on `kafkahq.connections.NAME.schema-registry.properties`
mTLS for the schema registry connections is unfortunately still not working on my end. Any hints?

```yaml
schema-registry:
  url: "https://{{ groups['schema_registry'][0] }}:{{schema_registry_listener_port}}"
  type: "confluent"
  properties:
    schema.registry.ssl.truststore.location: "{{akhq.dest}}/truststore.jks"
    schema.registry.ssl.truststore.password: "{{akhq.ssl_truststore_password}}"
    schema.registry.ssl.keystore.type: "PKCS12"
    schema.registry.ssl.keystore.location: "{{akhq.dest}}/keystore.jks"
    schema.registry.ssl.keystore.password: "{{akhq.ssl_keystore_store_password}}"
    schema.registry.ssl.key.password: "{{akhq.ssl_keystore_key_password}}"
```

Certs work if I connect to the given schema registry from a Java client or Conduktor with the same config.
Also seen that only `schema.registry.ssl.truststore.*` configs are documented.
It seems that connecting to a schema registry with TLS mutual authentication is currently not supported. I would appreciate it if a corresponding configuration option could be added.
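A preflight check for the `schema.registry.ssl.*` properties discussed in this thread, as an added example that is not part of the thread or of the KafkaHQ/Confluent code: it reports which truststore/keystore settings mutual TLS needs are missing and whether a declared store type matches the file's container format. The function names and the stub files are constructed for illustration, and a leading `0x30` byte only shows the file is DER-encoded, which is what PKCS#12 uses.

```python
import os
import tempfile

PREFIX = "schema.registry.ssl."
JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a legacy JKS file
DER_SEQUENCE = b"\x30"                 # PKCS#12 is DER: starts with an ASN.1 SEQUENCE

def sniff_format(path):
    """Guess the container format from the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if head[:1] == DER_SEQUENCE else "UNKNOWN"

def preflight(props):
    """Return findings for the settings mutual TLS needs (passwords are never echoed)."""
    findings = []
    for store in ("truststore", "keystore"):
        loc = props.get(f"{PREFIX}{store}.location")
        if not loc:
            findings.append(f"{store}: location not set")
            continue
        if not props.get(f"{PREFIX}{store}.password"):
            findings.append(f"{store}: password not set")
        if not os.path.isfile(loc):
            findings.append(f"{store}: {loc} not found")
            continue
        declared = props.get(f"{PREFIX}{store}.type")
        actual = sniff_format(loc)
        # Only compare when a type is explicitly declared (no default is assumed here).
        if declared and declared.upper() != actual:
            findings.append(f"{store}: declared {declared}, file looks like {actual}")
    return findings

def demo():
    """Constructed input: stub files carrying only a JKS header, keystore declared PKCS12."""
    tmp = tempfile.mkdtemp()
    for name in ("truststore.jks", "keystore.jks"):
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(JKS_MAGIC + b"\x00" * 16)
    props = {
        PREFIX + "truststore.location": os.path.join(tmp, "truststore.jks"),
        PREFIX + "truststore.password": "constructed-password",
        PREFIX + "keystore.type": "PKCS12",
        PREFIX + "keystore.location": os.path.join(tmp, "keystore.jks"),
        PREFIX + "keystore.password": "constructed-password",
    }
    return preflight(props)
```

Calling `preflight()` with the rendered properties from a real deployment gives the same kind of findings list; an empty list means every checked setting is present and consistent.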