Chapter 5. Deploying Service Registry storage in AMQ Streams
This chapter explains how to install and configure Service Registry storage in AMQ Streams.
- Section 5.1, “Installing AMQ Streams from the OpenShift OperatorHub”
- Section 5.2, “Configuring Service Registry with AMQ Streams storage on OpenShift”
- Section 5.3, “Configuring TLS security with Service Registry storage in AMQ Streams”
- Section 5.4, “Configuring SCRAM security with Service Registry storage in AMQ Streams”
Service Registry storage in AMQ Streams is the recommended storage option for production environments.
Prerequisites
5.1. Installing AMQ Streams from the OpenShift OperatorHub
If you do not already have AMQ Streams installed, you can install the AMQ Streams Operator on your OpenShift cluster from the OperatorHub. The OperatorHub is available from the OpenShift Container Platform web console and provides an interface for cluster administrators to discover and install Operators. For more details, see the OpenShift documentation.
Prerequisites
- You must have cluster administrator access to an OpenShift cluster
- See Using AMQ Streams on OpenShift for detailed information on installing AMQ Streams. This section shows a simple example of installing using the OpenShift OperatorHub.
Procedure
- In the OpenShift Container Platform web console, log in using an account with cluster administrator privileges.
-
Change to the OpenShift project in which Service Registry is installed. For example, from the Project drop-down, select
my-project
. - In the left navigation menu, click Operators > OperatorHub.
-
In the Filter by keyword text box, enter
AMQ Streams
to find the Red Hat Integration - AMQ Streams Operator. - Read the information about the Operator, and click Install to display the Operator subscription page.
Select your subscription settings, for example:
- Update Channel > amq-streams-1.5.x
- Installation Mode > A specific namespace on the cluster > my-project
- Approval Strategy > Manual
- Click Install, and wait a few moments until the Operator is ready for use.
Additional resources
5.2. Configuring Service Registry with AMQ Streams storage on OpenShift
This section explains how to configure Kafka-based storage for Service Registry using AMQ Streams on OpenShift. This storage option is suitable for production environments when persistent
storage is configured for the Kafka cluster on OpenShift. You can install Service Registry in an existing Kafka cluster or create a new Kafka cluster, depending on your environment.
Prerequisites
- You must have an OpenShift cluster with cluster administrator access.
- You must have already installed Service Registry. See Chapter 4, Installing Service Registry on OpenShift.
- You must have already installed AMQ Streams. See Section 5.1, “Installing AMQ Streams from the OpenShift OperatorHub”.
Procedure
- In the OpenShift Container Platform web console, log in using an account with cluster administrator privileges.
If you do not already have a Kafka cluster configured, create a new Kafka cluster using AMQ Streams. For example, in the OpenShift OperatorHub:
- Click Installed Operators > Red Hat Integration - AMQ Streams.
- Under Provided APIs > Kafka, click Create Instance to create a new Kafka cluster.
Edit the custom resource definition as appropriate, and click Create.
WarningThe default example creates a cluster with 3 Zookeeper nodes and 3 Kafka nodes with
ephemeral
storage. This temporary storage is suitable for development and testing only, and not for production. For more details, see Using AMQ Streams on OpenShift.
- After the cluster is ready, click Provided APIs > Kafka > my-cluster > YAML.
In the
status
block, make a copy of thebootstrapServers
value, which you will use later to deploy Service Registry. For example:status: conditions: ... listeners: - addresses: - host: my-cluster-kafka-bootstrap.my-project.svc port: 9092 bootstrapServers: 'my-cluster-kafka-bootstrap.my-project.svc:9092' type: plain ...
Create a Kafka topic to store the Service Registry artifacts:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredstorage-topic
.
Create a Kafka topic to store the Service Registry global IDs:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredglobal-id-topic
.
- Click Installed Operators > Red Hat Integration - Service Registry > ApicurioRegistry > Create ApicurioRegistry.
Paste in the following custom resource definition, but use your
bootstrapServers
value that you copied earlier:apiVersion: apicur.io/v1alpha1 kind: ApicurioRegistry metadata: name: example-apicurioregistry spec: configuration: persistence: "streams" streams: bootstrapServers: "my-cluster-kafka-bootstrap.my-project.svc:9092"
- Click Create and wait for the Service Registry route to be created on OpenShift.
Click Networking > Route to access the new route for the Service Registry web console. For example:
http://example-apicurioregistry.my-project.my-domain-name.com/
Additional resources
- For more details on creating Kafka clusters and topics using AMQ Streams, see Using AMQ Streams on OpenShift.
5.3. Configuring TLS security with Service Registry storage in AMQ Streams
You can configure the AMQ Streams Operator and Service Registry Operator to use an encrypted Transport Layer Security (TLS) connection.
Prerequisites
- You must install the Service Registry Operator using the OperatorHub or command line.
- You must install the AMQ Streams Operator or have Kafka accessible from your OpenShift cluster.
This section assumes that the AMQ Streams Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Service Registry Operator expects.
Procedure
- In the OpenShift web console, click Installed Operators, select the AMQ Streams Operator details, and then the Kafka tab.
- Click Create Kafka to provision a new Kafka cluster for Service Registry storage.
Configure the
authorization
andtls
fields to use TLS authentication for the Kafka cluster, for example:apiVersion: kafka.strimzi.io/v1beta1 kind: Kafka metadata: name: my-cluster namespace: registry-example-streams-tls spec: kafka: authorization: type: simple version: 2.5.0 replicas: 3 listeners: plain: {} tls: authentication: type: tls config: offsets.topic.replication.factor: 3 transaction.state.log.replication.factor: 3 transaction.state.log.min.isr: 2 log.message.format.version: '2.5' storage: type: ephemeral zookeeper: replicas: 3 storage: type: ephemeral entityOperator: topicOperator: {} userOperator: {}
Create a Kafka topic to store the Service Registry artifacts:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredstorage-topic
.
Create a Kafka topic to store the Service Registry global IDs:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredglobal-id-topic
.
Create a Kafka User resource to configure authentication and authorization for the Service Registry user. For example, in the
spec
block, you can specify a user name in themetadata
section or use the defaultmy-user
.spec: authentication: type: tls authorization: acls: - operation: All resource: name: '*' patternType: literal type: topic - operation: All resource: name: '*' patternType: literal type: cluster - operation: All resource: name: '*' patternType: literal type: transactionalId - operation: All resource: name: '*' patternType: literal type: group type: simple
NoteYou must configure the authorization specifically for the topics and resources that the Service Registry requires. This is a simple example.
Click Workloads and then Secrets to find two secrets that AMQ Streams creates for Service Registry to connect to the Kafka cluster:
-
my-cluster-cluster-ca-cert
- contains the PKCS12 truststore for the Kafka cluster my-user
- contains the user’s keystoreNoteThe name of the secret can vary based on your cluster or user name.
-
If you create the secrets manually, they must contain the following key-value pairs:
my-cluster-ca-cert
-
ca.p12
- truststore in PKCS12 format -
ca.password
- truststore password
-
my-user
-
user.p12
- keystore in PKCS12 format -
user.password
- keystore password
-
Configure the following example configuration to deploy the Service Registry.
apiVersion: apicur.io/v1alpha1 kind: ApicurioRegistry metadata: name: example-apicurioregistry spec: configuration: persistence: "streams" streams: bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-tls.svc:9093" security: tls: keystoreSecretName: my-user truststoreSecretName: my-cluster-cluster-ca-cert
ImportantYou must use a different
bootstrapServers
address than in the plain insecure use case. The address must support TLS connections and is found in the specified Kafka resource under thetype: tls
field.
5.4. Configuring SCRAM security with Service Registry storage in AMQ Streams
You can configure the AMQ Streams Operator and Service Registry Operator to use Salted Challenge Response Authentication Mechanism (SCRAM-SHA-512) for the Kafka cluster.
Prerequisites
- You must install the Service Registry Operator using the OperatorHub or command line.
- You must install the AMQ Streams Operator or have Kafka accessible from your OpenShift cluster.
This section assumes that AMQ Streams Operator is available, however you can use any Kafka deployment. In that case, you must manually create the Openshift secrets that the Service Registry Operator expects.
Procedure
- In the OpenShift web console, click Installed Operators, select the AMQ Streams Operator details, and then the Kafka tab.
- Click Create Kafka to provision a new Kafka cluster for Service Registry storage.
Configure the
authorization
andtls
fields to use SCRAM-SHA-512 authentication for the Kafka cluster, for example:apiVersion: kafka.strimzi.io/v1beta1 kind: Kafka metadata: name: my-cluster namespace: registry-example-streams-tls spec: kafka: authorization: type: simple version: 2.5.0 replicas: 3 listeners: plain: {} tls: authentication: type: scram-sha-512 config: offsets.topic.replication.factor: 3 transaction.state.log.replication.factor: 3 transaction.state.log.min.isr: 2 log.message.format.version: '2.5' storage: type: ephemeral zookeeper: replicas: 3 storage: type: ephemeral entityOperator: topicOperator: {} userOperator: {}
Create a Kafka topic to store the Service Registry artifacts:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredstorage-topic
.
Create a Kafka topic to store the Service Registry global IDs:
- Under Provided APIs > Kafka Topic, click Create topic.
-
Change the default topic name from
my-topic
to the requiredglobal-id-topic
.
Create a Kafka User resource to configure SCRAM authentication and authorization for the Service Registry user. For example, in the
spec
block, see theauthentication
section.spec: authentication: type: scram-sha-512 authorization: acls: - operation: All resource: name: '*' patternType: literal type: topic - operation: All resource: name: '*' patternType: literal type: cluster - operation: All resource: name: '*' patternType: literal type: transactionalId - operation: All resource: name: '*' patternType: literal type: group type: simple
Click Workloads and then Secrets to find two secrets that AMQ Streams creates for Service Registry to connect to the Kafka cluster:
-
my-cluster-cluster-ca-cert
- contains the PKCS12 truststore for the Kafka cluster my-user
- contains the user’s keystoreNoteThe name of the secret can vary based on your cluster or user name.
-
If you create the secrets manually, they must contain the following key-value pairs:
my-cluster-ca-cert
-
ca.p12
- the truststore in PKCS12 format -
ca.password
- truststore password
-
my-user
-
password
- user password
-
Configure the following example settings to deploy the Service Registry:
apiVersion: apicur.io/v1alpha1 kind: ApicurioRegistry metadata: name: example-apicurioregistry spec: configuration: persistence: "streams" streams: bootstrapServers: "my-cluster-kafka-bootstrap.registry-example-streams-scram.svc:9093" security: scram: truststoreSecretName: my-cluster-cluster-ca-cert user: my-user passwordSecretName: my-user
ImportantYou must use a different
bootstrapServers
address than in the plain insecure use case. The address must support TLS connections, and is found in the specified Kafka resource under thetype: tls
field.