Configuring Apicurio Registry storage

This chapter explains how to configure the available Apicurio Registry storage options:

Apicurio Registry storage options
Configuring Apicurio Registry In-Memory storage using CLI
Configuring Apicurio Registry Infinispan storage
Configuring plain Kafka storage
Configuring plain Kafka Streams storage with no security
Configuring Kafka Streams storage with TLS security
Configuring Kafka Streams storage with SCRAM security
Configuring Java Persistence API (PostgreSQL) storage

This chapter mostly focuses on storage configuration procedures for OpenShift using OperatorHub UI. If you are deploying to Kubernetes, you can use command line tools to perform the equivalent steps. The Apicurio Registry Operator supports the same configuration options on OpenShift and Kubernetes.

Apicurio Registry storage options

The main decision to make when deploying Apicurio Registry is which storage backend to use.

The following storage options are available:

In-memory - data is stored in RAM on each Apicurio Registry node. This is the easiest deployment to use, but is not recommended for production environment.
Infinispan - data is stored in an embedded Infinispan cache.
Apache Kafka - data is stored using plain Apache Kafka.
Apache Kafka Steams - data is stored using Apache Kafka Streams. This option is recommended for most production deployments.
Java Persistence API (PostgreSQL) - data is stored in a relational database, in this case PostgreSQL 12+.

Storage requiring installation

The following options require that the storage is already installed as a prerequisite:

Apache Kafka
Apache Kafka Streams
Java Persistence API (PostgreSQL)

Additional resources

Installing Apicurio Registry Operator using the OperatorHub

Configuring Apicurio Registry In-Memory storage using CLI

The in-memory storage option uses RAM to store the data on nodes where Apicurio Registry is deployed, and it is the simplest persistence option to use. The Apicurio Registry Operator will deploy Apicurio Registry in this way if you do not provide any configuration in the ApicurioRegistry CR:

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
# spec:
# No config required for dev deployment
# NOTE: In-memory storage option is not suitable for production environment

Prerequisites

You must have an OpenShift cluster with cluster administrator access.
You must have already installed the Apicurio Registry Operator.

Procedure

Deploy the example CR using following commands:

export REF="0.0.4" &&
curl -sSL "https://raw.githubusercontent.com/Apicurio/apicurio-registry-operator/$REF/docs/modules/ROOT/examples/in-memory_cr.yaml" |
kubectl apply -f - -n $NAMESPACE

This persistence option does not support data distribution across Apicurio Registry nodes. Therefore, it is only recommended for development environments using a single replica (Pod). Use embedded Infinispan persistence option when deploying multiple replicas.

Configuring Apicurio Registry Infinispan storage

The Apicurio Registry Infinispan storage option uses RAM to store the data on nodes where Apicurio Registry is deployed. This is achieved using an embedded Infinispan in-memory data grid, which also provides data replication between nodes. This configuration is simple, with an optional field to provide a name for the Infinispan cluster.

Prerequisites

You must have an OpenShift cluster with cluster administrator access.
You must have already installed the Apicurio Registry Operator.

Procedure

In the OpenShift Container Platform web console, log in with cluster administrator privileges.
Change to the OpenShift project in which Apicurio Registry is installed. For example, from the Project drop-down, select my-project.
Click Installed Operators > Apicurio Registry > ApicurioRegistry > Create ApicurioRegistry.
Use the following example ApicurioRegistry CR:

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "infinispan"
    infinispan: # Currently, registry uses an embedded version of Infinispan
      clusterName: "example-apicurioregistry"
      # ^ Optional

Configuring plain Kafka storage

You can configure the Strimzi Operator and Apicurio Registry Operator to use plain Kafka (without Kafka Streams) and with no security.

Prerequisites

You must install the Apicurio Registry Operator using the OperatorHub or command line.
You must install the Strimzi Operator or have Kafka accessible from your OpenShift cluster.

Procedure

In the OpenShift web console, click Installed Operators, select the Strimzi Operator details, and then the Kafka tab.

Click Create Kafka to provision a new Kafka cluster for Apicurio Registry storage. You can use the default value, for example:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  namespace: registry-example-kafka
spec:
  kafka:
    version: 2.5.0
    replicas: 3
    listeners:
      plain: {}
      tls: {}
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: '2.5'
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}

Your OpenShift project namespace might be different.

When the cluster is ready, open the Kafka resource, examine the status block, and copy the bootstrapServers value for later use when deploying Apicurio Registry. For example:

status:
  conditions:
    ...
  listeners:
    - addresses:
        - host: my-cluster-kafka-bootstrap.registry-example-kafka.svc
          port: 9092
      bootstrapServers: 'my-cluster-kafka-bootstrap.registry-example-kafka.svc:9092'
      type: plain
  ...

Click the Kafka Topic tab, and then Create Kafka Topic to create the required global-id-topic:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: global-id-topic
  labels:
    strimzi.io/cluster: my-cluster
  namespace: registry-example-kafka
spec:
  partitions: 2
  replicas: 1
  config:
    retention.ms: 604800000
    segment.bytes: 1073741824

Change the topic name to global-id-topic, and optionally decrease the partition and replica count to minimum, which is sufficient for an example deployment.
Perform the same steps to create the required storage-topic topic.

Select the Apicurio Registry Operator, and in the ApicurioRegistry tab, click Create ApicurioRegistry, using the following example, but replace your value in the bootstrapServers field.

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "kafka"
    kafka:
      bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-kafka.svc:9092"

Wait a few minutes to see the Route being created, where you can access the application.

Configuring plain Kafka Streams storage with no security

You can configure the Strimzi Operator and Apicurio Registry Operator to use a default connection with no security.

Prerequisites

You must install the Apicurio Registry Operator using the OperatorHub or command line.
You must install the Strimzi Operator or have Kafka accessible from your OpenShift cluster.

Procedure

In the OpenShift web console, click Installed Operators, select the Strimzi Operator details, and then the Kafka tab.

Click Create Kafka to provision a new Kafka cluster for Apicurio Registry storage. You can use the default value, for example:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  namespace: registry-example-streams-plain
spec:
  kafka:
    version: 2.5.0
    replicas: 3
    listeners:
      plain: {}
      tls: {}
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: '2.5'
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}

Your OpenShift project namespace might be different.

When the cluster is ready, open the Kafka resource, examine the status block, and copy the bootstrapServers value for later use when deploying Apicurio Registry. For example:

status:
  conditions:
    ...
  listeners:
    - addresses:
        - host: my-cluster-kafka-bootstrap.registry-example-streams-plain.svc
          port: 9092
      bootstrapServers: 'my-cluster-kafka-bootstrap.registry-example-streams-plain.svc:9092'
      type: plain
  ...

Click the Kafka Topic tab, and then Create Kafka Topic to create the required global-id-topic:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: global-id-topic
  labels:
    strimzi.io/cluster: my-cluster
  namespace: registry-example-streams-plain
spec:
  partitions: 2
  replicas: 1
  config:
    retention.ms: 604800000
    segment.bytes: 1073741824

Change the topic name to global-id-topic, and optionally decrease the partition and replica count to minimum, which is sufficient for an example deployment.
Perform the same steps to create the required storage-topic topic.

Select the Apicurio Registry Operator, and in the ApicurioRegistry tab, click Create ApicurioRegistry, using the following example, but replace your value in the bootstrapServers field.

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "streams"
    streams:
      bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-plain.svc:9092"

Wait a few minutes to see the Route being created, where you can access the application.

Configuring Kafka Streams storage with TLS security

You can configure the Strimzi Operator and Apicurio Registry Operator to use an encrypted Transport Layer Security (TLS) connection.

Prerequisites

You must install the Apicurio Registry Operator using the OperatorHub or command line.
You must install the Strimzi Operator or have Kafka accessible from your OpenShift cluster.

This section assumes that the Strimzi Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Apicurio Registry Operator expects.

Procedure

In the OpenShift web console, click Installed Operators, select the Strimzi Operator details, and then the Kafka tab.
Click Create Kafka to provision a new Kafka cluster for Apicurio Registry storage.

Configure the authorization and tls fields to use TLS authentication for the Kafka cluster, for example:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  namespace: registry-example-streams-tls
spec:
  kafka:
    authorization:
      type: simple
    version: 2.5.0
    replicas: 3
    listeners:
      plain: {}
      tls:
        authentication:
          type: tls
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: '2.5'
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}

Click the Kafka Topic tab, and then Create Kafka Topic to create the required global-id-topic:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: global-id-topic
  labels:
    strimzi.io/cluster: my-cluster
  namespace: registry-example-streams-plain
spec:
  partitions: 2
  replicas: 1
  config:
    retention.ms: 604800000
    segment.bytes: 1073741824

Change the topic name to global-id-topic, and optionally decrease the partition and replica count to minimum, which is sufficient for an example deployment.
Perform the same steps to create the required storage-topic topic.

Create a Kafka User resource to configure authentication and authorization for the Apicurio Registry user. For example, in the spec block, you can specify a user name in the metadata section or use the default my-user.

spec:
  authentication:
    type: tls
  authorization:
    acls:
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: cluster
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: transactionalId
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: group
    type: simple

You must configure the authorization specifically for the topics and resources that the Apicurio Registry requires. This is a simple example.

Click Workloads and then Secrets to find two secrets that Strimzi creates for Apicurio Registry to connect to the Kafka cluster:
- my-cluster-cluster-ca-cert - contains the PKCS12 truststore for the Kafka cluster
- my-user - contains the user’s keystore
  
  The name of the secret can vary based on your cluster or user name.
If you create the secrets manually, they must contain the following key-value pairs:
- my-cluster-ca-cert
  - ca.p12 - truststore in PKCS12 format
  - ca.password - truststore password
- my-user
  - user.p12 - keystore in PKCS12 format
  - user.password - keystore password

Configure the following example configuration to deploy the Apicurio Registry.

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "streams"
    streams:
      bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-tls.svc:9093"
      security:
        tls:
          keystoreSecretName: my-user
          truststoreSecretName: my-cluster-cluster-ca-cert

You must use a different bootstrapServers address than in the plain insecure use case. The address must support TLS connections and is found in the specified Kafka resource under the type: tls field.

Configuring Kafka Streams storage with SCRAM security

You can configure the Strimzi Operator and Apicurio Registry Operator to use Salted Challenge Response Authentication Mechanism (SCRAM-SHA-512) for the Kafka cluster.

Prerequisites

You must install the Apicurio Registry Operator using the OperatorHub or command line.
You must install the Strimzi Operator or have Kafka accessible from your OpenShift cluster.

This section assumes that Strimzi Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Apicurio Registry Operator expects.

Procedure

In the OpenShift web console, click Installed Operators, select the Strimzi Operator details, and then the Kafka tab.
Click Create Kafka to provision a new Kafka cluster for Apicurio Registry storage.

Configure the authorization and tls fields to use SCRAM-SHA-512 authentication for the Kafka cluster, for example:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
  namespace: registry-example-streams-tls
spec:
  kafka:
    authorization:
      type: simple
    version: 2.5.0
    replicas: 3
    listeners:
      plain: {}
      tls:
        authentication:
          type: scram-sha-512
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: '2.5'
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}

Click the Kafka Topic tab, and then Create Kafka Topic to create the required global-id-topic:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: global-id-topic
  labels:
    strimzi.io/cluster: my-cluster
  namespace: registry-example-streams-plain
spec:
  partitions: 2
  replicas: 1
  config:
    retention.ms: 604800000
    segment.bytes: 1073741824

Change the topic name to global-id-topic, and optionally decrease the partition and replica count to minimum, which is sufficient for an example deployment.
Perform the same steps to create the required storage-topic topic.

Create a Kafka User resource to configure SCRAM authentication and authorization for the Apicurio Registry user. For example, in the spec block, see the authentication section.

spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: cluster
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: transactionalId
      - operation: All
        resource:
          name: '*'
          patternType: literal
          type: group
    type: simple

Click Workloads and then Secrets to find two secrets that Strimzi creates for Apicurio Registry to connect to the Kafka cluster:
- my-cluster-cluster-ca-cert - contains the PKCS12 truststore for the Kafka cluster
- my-user - contains the user’s keystore
  
  The name of the secret can vary based on your cluster or user name.
If you create the secrets manually, they must contain the following key-value pairs:
- my-cluster-ca-cert
  - ca.p12 - the truststore in PKCS12 format
  - ca.password - truststore password
- my-user
  - password - user password

Configure the following example settings to deploy the Apicurio Registry:

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "streams"
    streams:
      bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-scram.svc:9093"
      security:
        scram:
          truststoreSecretName: my-cluster-cluster-ca-cert
          user: my-user
          passwordSecretName: my-user

You must use a different bootstrapServers address than in the plain insecure use case. The address must support TLS connections, and is found in the specified Kafka resource under the type: tls field.

Configuring Java Persistence API (PostgreSQL) storage

Prerequisites

You must have an OpenShift cluster with cluster administrator access.
You must have already installed Apicurio Registry Operator
You have a PostgreSQL database reachable from your OpenShift cluster. See Installing Apicurio Registry Operator using the OperatorHub.

Procedure

In the OpenShift Container Platform web console, log in with cluster administrator privileges.
Change to the OpenShift project in which Apicurio Registry and your PostgreSQL Operator are installed. For example, from the Project drop-down, select my-project.
Click Installed Operators > Apicurio Registry > ApicurioRegistry > Create ApicurioRegistry.

Paste in the following ApicurioRegistry CR, and edit the values for the database url and credentials to match your environment:

apiVersion: apicur.io/v1alpha1
kind: ApicurioRegistry
metadata:
  name: example-apicurioregistry
spec:
  configuration:
    persistence: "jpa"
    dataSource:
      url: "jdbc:postgresql://SERVICE_NAME.NAMESPACE.svc:5432/"
      # e.g. url: "jdbc:postgresql://acid-minimal-cluster.my-project.svc:5432/"
      userName: "postgres"
      password: "PASSWORD"
      # ^ Optional

Click Create and wait for the Apicurio Registry route to be created on OpenShift.
Click Networking > Route to access the new route for the Apicurio Registry web console.

Additional resources

Crunchy PostgreSQL Operator QuickStart