Chapter 5. Deploying Service Registry storage in AMQ Streams


This chapter explains how to install and configure Service Registry storage in AMQ Streams.

Important

Service Registry storage in AMQ Streams is the recommended storage option for production environments.

5.1. Installing AMQ Streams from the OpenShift OperatorHub

If you do not already have AMQ Streams installed, you can install the AMQ Streams Operator on your OpenShift cluster from the OperatorHub. The OperatorHub is available from the OpenShift Container Platform web console and provides an interface for cluster administrators to discover and install Operators. For more details, see the OpenShift documentation.

Prerequisites

  • You must have cluster administrator access to an OpenShift cluster
  • See Using AMQ Streams on OpenShift for detailed information on installing AMQ Streams. This section shows a simple example of installing using the OpenShift OperatorHub.

Procedure

  1. In the OpenShift Container Platform web console, log in using an account with cluster administrator privileges.
  2. Change to the OpenShift project in which Service Registry is installed. For example, from the Project drop-down, select my-project.
  3. In the left navigation menu, click Operators > OperatorHub.
  4. In the Filter by keyword text box, enter AMQ Streams to find the Red Hat Integration - AMQ Streams Operator.
  5. Read the information about the Operator, and click Install to display the Operator subscription page.
  6. Select your subscription settings, for example:

    • Update Channel > amq-streams-1.5.x
    • Installation Mode > A specific namespace on the cluster > my-project
    • Approval Strategy > Manual
  7. Click Install, and wait a few moments until the Operator is ready for use.

5.2. Configuring Service Registry with AMQ Streams storage on OpenShift

This section explains how to configure Kafka-based storage for Service Registry using AMQ Streams on OpenShift. This storage option is suitable for production environments when persistent storage is configured for the Kafka cluster on OpenShift. You can install Service Registry in an existing Kafka cluster or create a new Kafka cluster, depending on your environment.

Prerequisites

Procedure

  1. In the OpenShift Container Platform web console, log in using an account with cluster administrator privileges.
  2. If you do not already have a Kafka cluster configured, create a new Kafka cluster using AMQ Streams. For example, in the OpenShift OperatorHub:

    1. Click Installed Operators > Red Hat Integration - AMQ Streams.
    2. Under Provided APIs > Kafka, click Create Instance to create a new Kafka cluster.
    3. Edit the custom resource definition as appropriate, and click Create.

      Warning

      The default example creates a cluster with 3 Zookeeper nodes and 3 Kafka nodes with ephemeral storage. This temporary storage is suitable for development and testing only, and not for production. For more details, see Using AMQ Streams on OpenShift.

  3. After the cluster is ready, click Provided APIs > Kafka > my-cluster > YAML.
  4. In the status block, make a copy of the bootstrapServers value, which you will use later to deploy Service Registry. For example:

    status:
      conditions:
      ...
      listeners:
        - addresses:
            - host: my-cluster-kafka-bootstrap.my-project.svc
              port: 9092
          bootstrapServers: 'my-cluster-kafka-bootstrap.my-project.svc:9092'
          type: plain
      ...
  5. Create a Kafka topic to store the Service Registry artifacts:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required storage-topic.
  6. Create a Kafka topic to store the Service Registry global IDs:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required global-id-topic.
  7. Click Installed Operators > Red Hat Integration - Service Registry > ApicurioRegistry > Create ApicurioRegistry.
  8. Paste in the following custom resource definition, but use your bootstrapServers value that you copied earlier:

    apiVersion: apicur.io/v1alpha1
    kind: ApicurioRegistry
    metadata:
      name: example-apicurioregistry
    spec:
      configuration:
        persistence: "streams"
        streams:
          bootstrapServers: "my-cluster-kafka-bootstrap.my-project.svc:9092"
  9. Click Create and wait for the Service Registry route to be created on OpenShift.
  10. Click Networking > Route to access the new route for the Service Registry web console. For example:

    http://example-apicurioregistry.my-project.my-domain-name.com/

Additional resources

5.3. Configuring TLS security with Service Registry storage in AMQ Streams

You can configure the AMQ Streams Operator and Service Registry Operator to use an encrypted Transport Layer Security (TLS) connection.

Prerequisites

  • You must install the Service Registry Operator using the OperatorHub or command line.
  • You must install the AMQ Streams Operator or have Kafka accessible from your OpenShift cluster.
Note

This section assumes that the AMQ Streams Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Service Registry Operator expects.

Procedure

  1. In the OpenShift web console, click Installed Operators, select the AMQ Streams Operator details, and then the Kafka tab.
  2. Click Create Kafka to provision a new Kafka cluster for Service Registry storage.
  3. Configure the authorization and tls fields to use TLS authentication for the Kafka cluster, for example:

    apiVersion: kafka.strimzi.io/v1beta1
    kind: Kafka
    metadata:
      name: my-cluster
      namespace: registry-example-streams-tls
    spec:
      kafka:
        authorization:
          type: simple
        version: 2.5.0
        replicas: 3
        listeners:
          plain: {}
          tls:
            authentication:
              type: tls
        config:
          offsets.topic.replication.factor: 3
          transaction.state.log.replication.factor: 3
          transaction.state.log.min.isr: 2
          log.message.format.version: '2.5'
        storage:
          type: ephemeral
      zookeeper:
        replicas: 3
        storage:
          type: ephemeral
      entityOperator:
        topicOperator: {}
        userOperator: {}
  4. Create a Kafka topic to store the Service Registry artifacts:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required storage-topic.
  5. Create a Kafka topic to store the Service Registry global IDs:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required global-id-topic.
  6. Create a Kafka User resource to configure authentication and authorization for the Service Registry user. For example, in the spec block, you can specify a user name in the metadata section or use the default my-user.

    spec:
      authentication:
        type: tls
      authorization:
        acls:
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: topic
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: cluster
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: transactionalId
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: group
        type: simple
    Note

    You must configure the authorization specifically for the topics and resources that the Service Registry requires. This is a simple example.

  7. Click Workloads and then Secrets to find two secrets that AMQ Streams creates for Service Registry to connect to the Kafka cluster:

    • my-cluster-cluster-ca-cert - contains the PKCS12 truststore for the Kafka cluster
    • my-user - contains the user’s keystore

      Note

      The name of the secret can vary based on your cluster or user name.

  8. If you create the secrets manually, they must contain the following key-value pairs:

    • my-cluster-ca-cert

      • ca.p12 - truststore in PKCS12 format
      • ca.password - truststore password
    • my-user

      • user.p12 - keystore in PKCS12 format
      • user.password - keystore password
  9. Configure the following example configuration to deploy the Service Registry.

    apiVersion: apicur.io/v1alpha1
    kind: ApicurioRegistry
    metadata:
      name: example-apicurioregistry
    spec:
      configuration:
        persistence: "streams"
        streams:
          bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-tls.svc:9093"
          security:
            tls:
              keystoreSecretName: my-user
              truststoreSecretName: my-cluster-cluster-ca-cert
    Important

    You must use a different bootstrapServers address than in the plain insecure use case. The address must support TLS connections and is found in the specified Kafka resource under the type: tls field.

5.4. Configuring SCRAM security with Service Registry storage in AMQ Streams

You can configure the AMQ Streams Operator and Service Registry Operator to use Salted Challenge Response Authentication Mechanism (SCRAM-SHA-512) for the Kafka cluster.

Prerequisites

  • You must install the Service Registry Operator using the OperatorHub or command line.
  • You must install the AMQ Streams Operator or have Kafka accessible from your OpenShift cluster.
Note

This section assumes that AMQ Streams Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Service Registry Operator expects.

Procedure

  1. In the OpenShift web console, click Installed Operators, select the AMQ Streams Operator details, and then the Kafka tab.
  2. Click Create Kafka to provision a new Kafka cluster for Service Registry storage.
  3. Configure the authorization and tls fields to use SCRAM-SHA-512 authentication for the Kafka cluster, for example:

    apiVersion: kafka.strimzi.io/v1beta1
    kind: Kafka
    metadata:
      name: my-cluster
      namespace: registry-example-streams-tls
    spec:
      kafka:
        authorization:
          type: simple
        version: 2.5.0
        replicas: 3
        listeners:
          plain: {}
          tls:
            authentication:
              type: scram-sha-512
        config:
          offsets.topic.replication.factor: 3
          transaction.state.log.replication.factor: 3
          transaction.state.log.min.isr: 2
          log.message.format.version: '2.5'
        storage:
          type: ephemeral
      zookeeper:
        replicas: 3
        storage:
          type: ephemeral
      entityOperator:
        topicOperator: {}
        userOperator: {}
  4. Create a Kafka topic to store the Service Registry artifacts:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required storage-topic.
  5. Create a Kafka topic to store the Service Registry global IDs:

    1. Under Provided APIs > Kafka Topic, click Create topic.
    2. Change the default topic name from my-topic to the required global-id-topic.
  6. Create a Kafka User resource to configure SCRAM authentication and authorization for the Service Registry user. For example, in the spec block, see the authentication section.

    spec:
      authentication:
        type: scram-sha-512
      authorization:
        acls:
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: topic
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: cluster
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: transactionalId
          - operation: All
            resource:
              name: '*'
              patternType: literal
              type: group
        type: simple
  7. Click Workloads and then Secrets to find two secrets that AMQ Streams creates for Service Registry to connect to the Kafka cluster:

    • my-cluster-cluster-ca-cert - contains the PKCS12 truststore for the Kafka cluster
    • my-user - contains the user’s keystore

      Note

      The name of the secret can vary based on your cluster or user name.

  8. If you create the secrets manually, they must contain the following key-value pairs:

    • my-cluster-ca-cert

      • ca.p12 - the truststore in PKCS12 format
      • ca.password - truststore password
    • my-user

      • password - user password
  9. Configure the following example settings to deploy the Service Registry:

    apiVersion: apicur.io/v1alpha1
    kind: ApicurioRegistry
    metadata:
      name: example-apicurioregistry
    spec:
      configuration:
        persistence: "streams"
        streams:
          bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-scram.svc:9093"
          security:
            scram:
              truststoreSecretName: my-cluster-cluster-ca-cert
              user: my-user
              passwordSecretName: my-user
    Important

    You must use a different bootstrapServers address than in the plain insecure use case. The address must support TLS connections, and is found in the specified Kafka resource under the type: tls field.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.