Skip to main content
The Schema Registry Proxy (SRP) sits between your Kafka clients and Confluent Schema Registry, adding authentication, authorization and observability. It integrates with Console for Self-service permission management, and automatically synchronizes and enforces access rights for schemas.
Schema Registry Proxy is in early access. Only Confluent-compatible schema registries are supported.
From our blog: Introducing Schema Registry Proxy How SRP adds authentication, authorization, and observability on top of Confluent Schema Registry.

Want Schema Registry Proxy?

SRP is early access — talk to our team to get artifact access, deployment help and a working setup on your stack.

Prerequisites

RequirementDetails
Apache KafkaVersion 3.8+. Used for permission distribution and heartbeat discovery.
Confluent Schema RegistryVersion 7.0+. The backend SRP proxies requests to.
Authentication providerOIDC-compliant provider with a JWKS endpoint (for example, Keycloak, Auth0, Okta).
Conduktor ConsoleFor Self-service permission management.

Enable SRP discovery in Console

Set the following environment variable on your Console deployment: 
environment:
  CDK_SCHEMAREGISTRYPROXY_ENABLED: "true"
Once SRP is running, the proxy instance appears in Console:
  1. Go to the Kafka cluster configured as the SRP backing cluster.
  2. Open the Schema Registry tab for a Schema Registry with ConfluentLike flavor.
  3. Select the discovered SRP instance from the dropdown.

Deploy with Docker Compose

services:
  schema-registry-proxy:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    hostname: schema-registry-proxy
    depends_on:
      kafka:
        condition: service_healthy
      schema-registry:
        condition: service_healthy
    environment:
      PORT: "7070"
      KAFKA_BOOTSTRAP_SERVERS: <YOUR_KAFKA_BOOTSTRAP>
      CONFLUENT_SCHEMA_REGISTRY_URL: <YOUR_SCHEMA_REGISTRY_URL>
      AUTH_PROVIDER: jwt
      JWT_JWKS_URL: <YOUR_JWKS_ENDPOINT>
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster-1
    ports:
      - "7070:7070"
      - "9464:9464"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7070/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

Verify deployment

Check that SRP is healthy: 
curl http://host:PORT/health
Confirm Prometheus metrics are available: 
curl http://host:PORT/metrics
In Console, verify the SRP instance appears in the Schema Registry tab dropdown for the relevant cluster.

Next steps