Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 6. Service Registry release notes

Service Registry 2.4 is provided as a General Availability release. Service Registry is a data store for standard event schemas and API designs, and is based on the Apicurio Registry open source community project.

Note

Red Hat build of Apicurio Registry is now available as part of Red Hat Application Foundations. Red Hat build of Apicurio Registry 2.x and Red Hat Integration Service Registry 2.x are functionally identical. For more information, see https://access.redhat.com/products/red-hat-application-foundations/.

You can use Service Registry to manage and share the structure of your data using a web console, REST API, Maven plug-in, or Java client. For example, client applications can dynamically push or pull the latest schema updates to or from Service Registry without needing to redeploy. You can also create optional rules to govern how Service Registry content evolves over time. These rules include validation of content, integrity of artifact references, and backwards or forwards compatibility of schema or API versions.

6.1. Service Registry installation options
Copy link

You can install Service Registry on OpenShift with either of the following data storage options:

  • PostgreSQL database
  • Red Hat AMQ Streams

For more details, see Installing and deploying Service Registry on OpenShift.

6.2. Service Registry supported platforms
Copy link

Service Registry 2.4 supports the following platforms:

  • Red Hat OpenShift Container Platform 4.13, 4.12, 4.11, 4.10
  • Red Hat OpenShift Service on AWS
  • Microsoft Azure Red Hat OpenShift
  • PostgreSQL 15, 14, 13, 12
  • Red Hat AMQ Streams 2.4, 2.3, 2.2, 2.1
  • OpenJDK 17, 11

For more details, see the following article:

Service Registry 2.4 also supports integration with the following products:

  • Red Hat Single Sign-On (RH-SSO) 7.6
  • Red Hat build of Debezium 2.1

6.3. Service Registry new features
Copy link

Service Registry 2.4 includes the following new features:

Service Registry core new features

Artifact references improvements
  • Artifact reference integrity rule: You can now apply a new artifact-specific rule and global rule to enforce the integrity of artifact references when creating or updating artifacts. For all artifact types, the rule detects duplicate artifact references and prevents references to nonexistent artifacts. For a subset of artifact types (Apache Avro, Google Protobuf, OpenAPI, and AsyncAPI), the rule ensures that all artifact references are mapped.
  • Automatic artifact reference detection in Maven plug-in: For a subset of artifact types (Apache Avro, Google Protobuf, and JSON Schema), the Maven plug-in can now automatically identify and configure all of the artifact references for a given artifact when creating or updating artifacts.
  • Visualization of artifact references in the web console: You can now view both inbound and outbound references for an artifact version, in a new References tab. The REST API now supports the retrieval of both inbound and outbound references. Previously, the REST API retrieved outbound references only, and the web console did not display references.
  • Artifact references are now treated as content: This release now considers artifact references when calculating the content hash and ID, and when checking compatibility of an artifact version. If you upload the same schema content with different references, you create a new artifact version.
Client SDK generation (OpenAPI)
This release adds a new web console feature to enable users to generate a client SDK from an OpenAPI artifact. This feature uses Kiota from Microsoft to generate the SDK. The feature runs in your browser only, and cannot be automated by using an API. For more information, see https://github.com/microsoft/kiota.
Artifact version deletion
This release adds a new REST API operation, and a new Delete artifact version setting in the web console, to enable you to delete artifact versions by using the REST API. Previously, artifact versions were immutable; you could deprecate or disable them, but not delete them. However, it is sometimes necessary to delete an artifact version, despite the semantic implications. For example, you might need to delete an artifact version for regulatory or policy reasons.
Core Registry REST API improvements
  • Version comments API: You can now use the REST API to add comments to artifact versions. Managing comments is not yet available in the web console.
  • Export API supports application/json in the Accept header: You can now send application/json as the value of the Accept header in a call to the /admin/export API endpoint. Previously, the only way to return an application/json formatted response was by using the forBrowser query parameter. Now you can use either the query parameter or the Accept header.
  • Group management: You can now optionally manage artifact groups directly by using the REST API, rather than implicitly as part of artifact creation.
Confluent Compatibility REST API improvements
  • Updated support for Confluent Compatibility API: Added support for version 7 of the Confluent Schema Registry API. Service Registry now supports both v6 and v7, at different endpoints.
  • Customizable maximum number of Subjects: You can now use the registry.ccompat.max-subjects dynamic configuration property to customize the maximum number of Subjects returned by the ccompat API.
Other changes
  • Serializer/deserializer artifact resolution with content hash: SerDe classes can now resolve artifact coordinates by using the content hash of the schema.
  • Maven plug-in option to minify Avro: When registering an Avro schema by using the Maven plug-in, you can now minify the content prior to registration.
Community-only: Custom artifact types

Users can potentially extend Service Registry with their own custom artifact types, and remove support for existing types. This feature is available only in the community version of Service Registry, and is not supported.

Note

To provide this feature, the ArtifactType in the REST API was changed from an enum to a simple string. If you use the REST API client for custom integrations, you might have to edit your code after you upgrade to the newer client.

Service Registry Operator new features

Operator support for HTTPS
Added support for configuring HTTPS connections inside the OpenShift cluster. You can create a Secret containing the certificate and the private key, named tls.crt and tls.key respectively, and reference the Secret by setting the spec.configuration.security.https.secretName field in the ApicurioRegistry custom resource definition (CRD) file. The Service Registry Operator can then configure an HTTPS port on the Service Registry Service resource. If HTTPS is enabled, you can disable the HTTP connection by setting spec.security.https.disableHttp to true.
Support for manually managed OpenShift resources

You can now disable certain resource types to ensure that the Service Registry Operator does not create or manage those resources, so that you can configure them manually. Manual configuration provides you with greater flexibility in using features that the Service Registry Operator does not currently support. If you disable a resource type, its existing instance is deleted. If you enable a resource type, the Service Registry Operator attempts to find a resource using the app label (for example, app=example-apicurioregistry) and start managing it. Otherwise, the Service Registry Operator creates a new instance. You can disable the following resource types in this way:

  • Ingress
  • NetworkPolicy
  • PodDisruptionBudget
Improved log level configuration
You can now set the log level for Service Registry and the Service Registry Operator more easily, by using the spec.configuration.registryLogLevel field in the ApicurioRegistry CRD file. This new field sets the log level for Apicurio application components (excludes non-Apicurio components and libraries), in contrast with the spec.configuration.logLevel field, which works for non-Apicurio components and libraries. You can now also set the log level for the Service Registry Operator, by setting the LOG_LEVEL environment variable in the Operator Deployment resource. Valid LOG_LEVEL values are debug, info, warn, and error.
CORS allowed origins

Servers can use the Cross-Origin Resource Sharing (CORS) mechanism to control whether a response can be shared with the origin of the request. The Service Registry Operator now sets the CORS_ALLOWED_ORIGINS environment variable, based on the value of the spec.deployment.host field in the ApicurioRegistry CRD file. This environment variable controls the Access-Control-Allow-Origin header sent by Service Registry.

If you use a custom Ingress (for example, to configure HTTPS), you can disable the Operator-managed Ingress by setting the spec.deployment.managedResources.disableIngress field to true, and still set the spec.deployment.host field to the appropriate value. If you want to configure a fully customized CORS policy, you can set the spec.deployment.host field to be empty, apply the changes, and then use the spec.deployment.env field to set the CORS_ALLOWED_ORIGINS environment variable manually.

Configuring Service Registry deployment by using a pod template

The ApicurioRegistry CRD file now contains the spec.deployment.podTemplateSpecPreview field as a Technology Preview feature. The spec.deployment.podTemplateSpecPreview field has the same structure as the spec.template field in an OpenShift Deployment resource (the PodTemplateSpec struct). With some restrictions, the Service Registry Operator forwards the data from this field to the corresponding field in the Service Registry Deployment resource. This feature provides greater configuration flexibility, without requiring the Service Registry Operator to natively support each use case.

Important

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Service Registry user documentation and examples

The documentation library has been updated with the new features available in version 2.4:

The open source demonstration applications have also been updated:

6.4. Service Registry deprecated features
Copy link

Service Registry core deprecated features

  • Confluent Schema Registry API version 6 (compatibility API): Service Registry currently supports two versions of the Confluent Schema Registry API on separate endpoints: version 6 and version 7. Use of version 6 is deprecated; the v6 API endpoint will be removed in a future release. Ensure that you replace all references to the v6 endpoint with references to the v7 API endpoint.
  • Service Registry Core API version 1: Service Registry support for the original version of the Service Registry Core API (version 1) is now deprecated; the legacy API will be removed in the next major release.
  • Dynamic log level configuration: The /admin/loggers and /admin/loggers/{logger} API endpoints are now deprecated in the Service Registry Core API (v2). These endpoints will be removed in a future release.
  • Registry V1 export utility: Service Registry support for the command-line export utility is now deprecated. The export tool, which is used to export data from Service Registry 1.x into a format that can be imported into 2.x, will no longer be released or maintained. All customers should have already upgraded from 1.x to 2.x.

Service Registry Operator deprecated features

  • Setting environment variables by editing the Deployment resource: In previous versions, you could set environment variables for Service Registry by directly editing its Deployment resource, which was supported by the Service Registry Operator. Now that you can manage environment variables by using the spec.configuration.env field in the ApicurioRegistry CRD file, the previous procedure is deprecated and the Operator support for it will be removed. Ensure that you use the spec.configuration.env field to set all environment variables that are not set by the Operator.
  • Retention of environment variables for features that are not enabled: The Service Registry Operator sets environment variables to enable and configure various features, such as Salted Challenge Response Authentication Mechanism (SCRAM) security when using KafkaSQL storage. When such features are disabled, the Operator currently retains the associated environment variables, which can cause problems. Retention of such environment variables is deprecated, and the Operator support for it will be removed. Ensure that your deployment does not rely on the retention of such environment variables.
  • Environment variable precedence: The Service Registry Operator might attempt to set an environment variable that is already explicitly specified in the spec.configuration.env field. If an environment variable has a conflicting value, the value set by the Service Registry Operator takes precedence by default. This behavior will change in the future, to enable users to overwrite most environment variables set by the Operator. Ensure that your deployment does not rely on the original precedence behavior.

You can upgrade the Service Registry server automatically from Service Registry 2.x to Service Registry 2.4 on OpenShift. There is no automatic upgrade from Service Registry 1.x to Service Registry 2.x, and a migration process is required.

6.5.1. Updating 2.x client dependencies
Copy link

It is not mandatory to update client dependencies for this release; existing 2.x clients still work with Service Registry 2.4.

However, before the next release of Service Registry, you must update all of your client application dependencies to use the latest Service Registry client version. Client application dependencies include dependencies for Kafka serializers/deserializers (SerDes), Maven plug-in, and Java REST client. For example, to update the Maven dependencies for a Java REST client, specify the version in your pom.xml file as follows: 

<dependency>
    <groupId>io.apicurio</groupId>
    <artifactId>apicurio-registry-client</artifactId>
    <version>2.4.3.Final-redhat-00006</version>
</dependency>
Copy to Clipboard Toggle word wrap

For more details, see Legacy REST API date formats enabled by default.

You can upgrade from Service Registry 2.x on OpenShift 4.9 to Service Registry 2.4 on OpenShift 4.10 or later. You must upgrade both your Service Registry and your OpenShift versions, and upgrade OpenShift one minor version at a time.

Prerequisites

  • You already have Service Registry 2.x installed on OpenShift 4.9.

Procedure

  1. In the OpenShift Container Platform web console, click Administration and then Cluster Settings.
  2. Click the pencil icon next to the Channel field, and select the next minor candidate version (for example, change from stable-4.9 to candidate-4.10).
  3. Click Save and then Update, and wait until the upgrade is complete.
  4. If the OpenShift version is less than 4.11, repeat steps 2 and 3, and select candidate-4.11 or later.
  5. Click Operators > Installed Operators > Red Hat Integration - Service Registry.
  6. Ensure that the Update channel is set to 2.x.
  7. If the Update approval is set to Automatic, the upgrade should be approved and installed immediately after the 2.x channel is set.
  8. If the Update approval is set to Manual, click Install.
  9. Wait until the Operator is deployed and the Service Registry pod is deployed.
  10. Verify that your Service Registry system is up and running.

Additional resources

For details on migrating from Service Registry 1.1 to Service Registry 2.x, see Migrating Service Registry deployments.

6.6. Service Registry resolved issues
Copy link

Expand
Table 6.1. Service Registry resolved issues in version 2.4.3
IssueDescription

Registry-3307

Enabling Anonymous read access and Artifact owner-only authorization in web console fails with error.

Registry-3260

Key password not optional when configuring KafkaSQL storage to use SSL.

Registry-3184

JSON schema compatibility check fails for multipleOf comparison.

Registry-3143

DownloadReaper error when deploying Service Registry.

Registry-3096

SearchedGroup.createdBy property should have type String not Object.

Registry-3088

Serialization error in enum artifact reference and record ID strategy.

Registry-3086

Cannot upload JSON schemas that reference other schemas with $ref.

Registry-3080

Compatibility check does not throw exception when empty schema is provided.

Registry-3014

Upload fails with 422 error when schema has default value of {}.

Registry-2991

Kafka consumer thread starts before internal database is ready.

Registry-2955

Redirect filter configured incorrectly.

Registry-2952

Compatibility rules do not order by version number.

Registry-2938

SSL configuration does not work unless SASL is enabled.

Registry-2902

'registry.ccompat.use-canonical-hash' setting changes schema to canonized form on save.

Registry-2880

Exception not thrown when wrong credentials passed to auth server.

Registry-2877

Uploading new version of Protobuf schema fails with NullPointerException.

Registry-2826

Name and description populated incorrectly when creating artifact with REST API.

Registry-2790

Cannot get latest enabled version of schema if latest version is disabled.

Registry-2552

JSON schema validation fails for complex array objects.

Service Registry Operator resolved issues

Expand
IssueDescription

IPT-916

Port name not provided in service created by Operator.

IPT-883

Missing environment variables after deployment destroyed.

IPT-852

Incorrect method documented for managing environment variables.

Operator-119

Log level not set correctly.

6.7. Service Registry resolved CVEs
Copy link

Expand
Table 6.2. Service Registry resolved Common Vulnerabilities and Exposures (CVEs) in version 2.4.3
IssueDescription

IPT-943

CVE-2023-2976 guava: Insecure temporary directory creation [rhint-serv-2].

IPT-890

CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode [rhint-serv-2].

IPT-880

CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS [rhint-serv-2].

IPT-879

CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS [rhint- serv-2].

IPT-876

CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption [rhint-serv-2].

IPT-866

CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability [rhint-serv-2].

IPT-856

CVE-2022-3782 keycloak: path traversal via double URL encoding [rhint-serv-2].

IPT-850

CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider [rhint-serv-2].

IPT-845

CVE-2022-4742 json-pointer: prototype pollution in json-pointer [rhint-serv-2].

IPT-825

CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service (DoS) attacks [rhint-serv-2].

6.8. Service Registry known issues
Copy link

The following known issues apply in Service Registry 2.4.x:

Service Registry core known issues

Registry-3413 - Legacy REST API date formats enabled by default

For maximum compatibility and for easier upgrades from older versions of Service Registry, the date format used in the REST API is not compliant with OpenAPI standards (because of a bug in older versions).

Before the next release of Service Registry, you must upgrade all of your client applications to use the latest client version. The next release will fix the date format bug, which will result in older clients no longer being compatible with the REST API.

To update your REST API to be OpenAPI compliant, you can fix the date format bug in this version of Service Registry as follows:

  1. Update all of your client applications to version 2.4.3.Final-redhat-00006, as described in Updating 2.x client dependencies.

  2. Set the following environment variable to the value shown: 

    REGISTRY_APIS_V2_DATE_FORMAT=yyyy-MM-dd'T'HH:mm:ss'Z'
    Copy to Clipboard Toggle word wrap

IPT-814 - Service Registry logout feature incompatible with RH-SSO 7.6

In RH-SSO 7.6, the redirect_uri parameter used with the logout endpoint is deprecated. For more details, see the RH-SSO 7.6 Upgrading Guide. Because of this deprecation, when Service Registry is secured by using the RH-SSO Operator, clicking the Logout button displays the Invalid parameter: redirect_uri error.

For a workaround, see https://access.redhat.com/solutions/6980926.

IPT-701 - CVE-2022-23221 H2 allows loading custom classes from remote servers through JNDI

When Service Registry data is stored in AMQ Streams, the H2 database console allows remote attackers to execute arbitrary code by using the JDBC URL. Service Registry is not vulnerable by default and a malicious configuration change is required.

Service Registry Operator known issues

Operator-42 - Autogeneration of OpenShift route might use wrong base host value

If multiple routerCanonicalHostname values are specified, autogeneration of the Service Registry OpenShift route might use a wrong base host value.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat