Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 1. Apicurio Registry 2.6 release notes
Red Hat build of Apicurio Registry is a data store for standard event schemas and API designs, and is based on the Apicurio Registry open source community project.
You can use Apicurio Registry to manage and share the structure of your data using a web console, REST API, Maven plug-in, or Java client. For example, client applications can dynamically push or pull the latest schema updates to or from Apicurio Registry without needing to redeploy. You can also create optional rules to govern how Apicurio Registry content evolves over time. These rules include validation of content, integrity of artifact references, and backwards or forwards compatibility of schema or API versions.
1.1. Apicurio Registry installation options
You can install Apicurio Registry on OpenShift with either of the following data storage options:
- PostgreSQL database
- Red Hat AMQ Streams
For more details, see Installing and deploying Red Hat build of Apicurio Registry on OpenShift.
1.2. Apicurio Registry supported platforms
Apicurio Registry 2.6 supports the following core platforms:
- Red Hat OpenShift Container Platform: 4.17, 4.16, 4.15, 4.14, 4.13, 4.12
- Red Hat OpenShift Service on AWS: 4.14
- Microsoft Azure Red Hat OpenShift: 4.15
- PostgreSQL: 15, 14, 13, 12
- Red Hat AMQ Streams: 2.7, 2.5, 2.2
- OpenJDK: 17, 11
For more details, see the following article:
1.2.1. Supported integration with other products
Apicurio Registry 2.6 also supports integration with the following products:
- Red Hat build of Keycloak 24
- Red Hat Single Sign-On (RH-SSO) 7.6
- Red Hat build of Debezium 2.3
1.3. Apicurio Registry new features
Apicurio Registry 2.6 includes the following new features:
- Operator metadata versions
With this release, Operator metadata versions match Apicurio Registry release versions. For previous releases, see the following article:
- Support for Red Hat build of Keycloak 24
- Red Hat Single Sign-On (RH-SSO) 7.6 is still supported, however references have changed to the new name: Red Hat build of Keycloak.
- Apicurio Registry Maven plug-in improvements
Automatic detection of references in the Maven plug-in by using the
autoRefoption in thepom.xmlfile. For more details, see Registry-3439. This is a Technology Preview feature.ImportantTechnology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Apicurio Registry user documentation and examples
The documentation library has been updated with the new features available in version 2.6:
The open source demonstration applications are available from:
1.4. Apicurio Registry deprecated features
Apicurio Registry core deprecated features
- Confluent Schema Registry API version 6 (compatibility API): Apicurio Registry currently supports two versions of the Confluent Schema Registry API on separate endpoints: version 6 and version 7. The v6 API endpoint is deprecated, and will be removed in a future release. Ensure that you replace all references to the v6 API endpoint with references to the v7 API endpoint.
- Apicurio Registry Core API version 1: Apicurio Registry support for the original version 1 of the Apicurio Registry Core API is now deprecated. This v1 legacy API will be removed in the next major release.
-
Dynamic log level configuration: The
/admin/loggersand/admin/loggers/{logger}API endpoints are now deprecated in the v2 Apicurio Registry Core API. These endpoints will be removed in a future release. - Registry V1 export utility: Apicurio Registry support for the command-line export utility is now deprecated. The export tool, which is used to export data from Apicurio Registry 1.x into a format that can be imported into 2.x, will no longer be released or maintained. All customers should have already upgraded from 1.x to 2.x.
Apicurio Registry Operator deprecated features
-
JAVA_OPTIONS environment variable: The
JAVA_OPTIONSenvironment variable is no longer the preferred way to configure Java options for Apicurio Registry. You can use theJAVA_OPTS_APPENDenvironment variable instead. TheJAVA_OPTSenvironment variable is also available, which replaces the default content of Java options. However, it is best to avoid usingJAVA_OPTSbecause it might interfere with some Apicurio Registry Operator functionality. - Retention of environment variables for features that are not enabled: The Apicurio Registry Operator sets environment variables to enable and configure various features, such as Salted Challenge Response Authentication Mechanism (SCRAM) security when using Kafka storage. When such features are disabled, the Operator currently retains the associated environment variables, which can cause problems. Retention of such environment variables is deprecated, and the Operator support for it will be removed. Ensure that your deployment does not rely on the retention of such environment variables.
-
Environment variable precedence: The Apicurio Registry Operator might attempt to set an environment variable that is already explicitly specified in the
spec.configuration.envfield. If an environment variable has a conflicting value, the value set by the Apicurio Registry Operator takes precedence by default. This behavior will change in the future, to enable users to overwrite most environment variables set by the Operator. Ensure that your deployment does not rely on the original precedence behavior.
Apicurio Registry Operator removed features
- Setting environment variables by editing the Deployment resource: This ability was deprecated in previous versions, and has been removed from this release.
1.5. Upgrading and migrating Apicurio Registry deployments
You can upgrade the Apicurio Registry server automatically from Apicurio Registry 2.x to Apicurio Registry 2.6 on OpenShift. There is no automatic upgrade from Apicurio Registry 1.x to Apicurio Registry 2.x, and a migration process is required.
1.5.1. Updating 2.x client dependencies
It is not mandatory to update client dependencies for this release. Existing Apicurio Registry 2.x client applications continue to work with Apicurio Registry 2.6.
However, before the next release of Apicurio Registry, you must update all of your client dependencies to use the latest version of Apicurio Registry. Client dependencies include dependencies for the Apicurio Registry Kafka serializers/deserializers (SerDes), Maven plug-in, and Java client applications.
For example, to update the Maven dependencies for a Java client application, specify the version in your pom.xml file as follows:
<dependency>
<groupId>io.apicurio</groupId>
<artifactId>apicurio-registry-client</artifactId>
<version>2.6.11.Final-redhat-00001</version>
</dependency>
<dependency>
<groupId>io.apicurio</groupId>
<artifactId>apicurio-registry-client</artifactId>
<version>2.6.11.Final-redhat-00001</version>
</dependency>For more details, see Legacy REST API date formats enabled by default.
1.5.2. Upgrading from Apicurio Registry 2.x on OpenShift
You can upgrade from Apicurio Registry 2.x on OpenShift 4.11 to Apicurio Registry 2.6 on OpenShift 4.12 or later. You must upgrade both your Apicurio Registry and your OpenShift versions, and upgrade OpenShift one minor version at a time.
Prerequisites
- You already have Apicurio Registry 2.x installed on OpenShift 4.11 or later.
You have backed up your existing Apicurio Registry storage data in your Kafka topic or PostgreSQL database. For more details, see Installing and deploying Red Hat build of Apicurio Registry on OpenShift.
ImportantIn production environments on OpenShift, to help ensure that storage is backed up before upgrading, it is best to set the Operator update approval strategy for Apicurio Registry to manual instead of automatic.
Procedure
- In the OpenShift Container Platform web console, click Administration and then Cluster Settings.
-
Click the pencil icon next to the Channel field, and select the next minor
candidateversion (for example, change fromstable-4.11tocandidate-4.12). - Click Save and then Update, and wait until the upgrade is complete.
-
If the OpenShift version is less than 4.13, repeat steps 2 and 3, and select
candidate-4.13or later. - Click Operators > Installed Operators > Red Hat Integration - Service Registry.
-
Ensure that the Update channel is set to
2.x. -
If the Update approval is set to Automatic, the upgrade should be approved and installed immediately after the
2.xchannel is set. - If the Update approval is set to Manual, click Install.
- Wait until the Operator is deployed and the Apicurio Registry pod is deployed.
- Verify that your Apicurio Registry system is up and running.
Additional resources
- For more details on how to set the Operator update channel in the OpenShift Container Platform web console, see Changing the update channel for an Operator.
1.5.3. Migrating from Apicurio Registry 1.1 on OpenShift
For details on migrating from Apicurio Registry 1.1 to Apicurio Registry 2.x, see Migrating Red Hat build of Apicurio Registry deployments.
1.6. Apicurio Registry resolved issues
| Issue | Description |
|---|---|
| It should be harder to delete a schema that is the target of a reference | |
| Owner-Only Policy not enforced when added after schemas are created | |
| Operator should have a way to provide an IngressClass reference to the Ingresses |
| Issue | Description |
|---|---|
| GraphQL Artifact auto detection not working |
| Issue | Description |
|---|---|
| Apicurio dereferenced schema fail when multiple references in JSON schema | |
| Various issues in Registry 2.6 | |
| Updates and examples for apicurio registry |
| Issue | Description |
|---|---|
| Software build reproducibility | |
| Service Registry Operator: https doesn’t work for the service registry application after upgrade to 2.6.1 |
| Issue | Description |
|---|---|
| The podTemplateSpecPreview (initContainers) defined in the CR are not propagated to the deployment resource. |
1.7. Apicurio Registry resolved CVEs
The following Common Vulnerabilities and Exposures (CVEs) are resolved in Apicurio Registry 2.6:
| CVE | Description |
|---|---|
| A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely. | |
| A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. | |
| A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. | |
| A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed. An attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. | |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE), causing a vulnerability that can be exploited by using APIs. | |
| Vulnerability in Oracle Java SE (component: Compiler), causing a vulnerability that can be exploited by using APIs. | |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some data. |
| CVE | Description |
|---|---|
| A data integrity error was found in the Linux Kernel’s bzip2 functionality when decompressing. A local user could get unexpected results (or corrupted data) as result of decompressing these files. |
| CVE | Description |
|---|---|
|
A vulnerability has been found in the Python | |
|
A flaw was found in Python. The |
| CVE | Description |
|---|---|
| A vulnerability was found in Apache Avro that allows an attacker to trigger remote code execution by using the special "java-class" attribute. |
| CVE | Description |
|---|---|
| curl: HTTP/2 push headers memory-leak. |
| CVE | Description |
|---|---|
| A vulnerability in the Quarkus causes a leak of local configuration properties into Quarkus applications. | |
| A flaw in the Express.js framework causes malformed URLs to be evaluated. | |
| A flaw in the webpack-dev-middleware package may lead to file leak. | |
| A vulnerability in the jose4j library allows a denial of service via specially crafted JWE. | |
| A vulnerability in the jetty web server can cause the server to stop accepting new connections from valid clients. |
1.8. Apicurio Registry known issues
The following known issues apply in Apicurio Registry 2.6:
Apicurio Registry core known issues
IPT-1143 - Misleading "warning" log message regarding ResultSet resource leak
You might see a message similar to the following in the logs:
2024-07-24 08:33:53 WARN <> [io.quarkus.agroal.runtime.AgroalEventLoggingListener] (executor-thread-3) Datasource '<default>': JDBC resources leaked: 1 ResultSet(s) and 0 Statement(s)
2024-07-24 08:33:53 WARN <> [io.quarkus.agroal.runtime.AgroalEventLoggingListener] (executor-thread-3) Datasource '<default>': JDBC resources leaked: 1 ResultSet(s) and 0 Statement(s)This message is incorrect, as no JDBC resources are leaked.
You can safely ignore these messages.
Registry-3413 - Legacy REST API date formats enabled by default
For maximum compatibility and for easier upgrades from older versions of Apicurio Registry, the date format used in the Apicurio Registry REST API is not compliant with OpenAPI standards. This is because of a bug in older versions.
Before the next release of Apicurio Registry, you must upgrade all of your client applications to use the latest Apicurio Registry client version. The next release will fix the date format bug, which will result in older clients no longer being compatible with the REST API.
To update your REST API to be OpenAPI compliant, you can fix the date format bug in this version of Apicurio Registry as follows:
-
Update all of your client applications to version
2.6.11.Final-redhat-00001, as described in Updating 2.x client dependencies. Set the following environment variable to the value shown:
REGISTRY_APIS_V2_DATE_FORMAT=yyyy-MM-dd'T'HH:mm:ss'Z'
REGISTRY_APIS_V2_DATE_FORMAT=yyyy-MM-dd'T'HH:mm:ss'Z'Copy to Clipboard Copied!
IPT-814 - Apicurio Registry logout feature incompatible with RH-SSO 7.6
In RH-SSO 7.6, the redirect_uri parameter used with the logout endpoint is deprecated. For more details, see the RH-SSO 7.6 Upgrading Guide. Because of this deprecation, when Apicurio Registry is secured by using the RH-SSO Operator, clicking the Logout button displays the Invalid parameter: redirect_uri error.
For a workaround, see https://access.redhat.com/solutions/6980926.
IPT-701 - CVE-2022-23221 H2 allows loading custom classes from remote servers through JNDI
When Apicurio Registry data is stored in AMQ Streams, the H2 database console allows remote attackers to execute arbitrary code by using the JDBC URL. Apicurio Registry is not vulnerable by default and a malicious configuration change is required.
Apicurio Registry Operator known issues
Operator-42 - Autogeneration of OpenShift route might use wrong base host value
If multiple routerCanonicalHostname values are specified, autogeneration of the Apicurio Registry OpenShift route might use a wrong base host value.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}