The Schema Registry Proxy (SRP) sits between your Kafka clients and Confluent Schema Registry, adding authentication, authorization and observability. It integrates with Console for Self-service permission management, and automatically synchronizes and enforces access rights for schemas.
Schema Registry Proxy is in early access. Only Confluent-compatible schema registries are supported.
Prerequisites
| Requirement | Details |
|---|
| Apache Kafka | Version 3.8+. Used for permission distribution and heartbeat discovery. |
| Confluent Schema Registry | Version 7.0+. The backend SRP proxies requests to. |
| Authentication provider | OIDC-compliant provider with a JWKS endpoint (for example, Keycloak, Auth0, Okta). |
| Conduktor Console | For Self-service permission management. |
Enable SRP discovery in Console
Set the following environment variable on your Console deployment:
environment:
CDK_SCHEMAREGISTRYPROXY_ENABLED: "true"
- Go to the Kafka cluster configured as the SRP backing cluster.
- Open the Schema Registry tab for a Schema Registry with ConfluentLike flavor.
- Select the discovered SRP instance from the dropdown.
Deploy with Docker Compose
services:
schema-registry-proxy:
image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
hostname: schema-registry-proxy
depends_on:
kafka:
condition: service_healthy
schema-registry:
condition: service_healthy
environment:
PORT: "7070"
KAFKA_BOOTSTRAP_SERVERS: <YOUR_KAFKA_BOOTSTRAP>
CONFLUENT_SCHEMA_REGISTRY_URL: <YOUR_SCHEMA_REGISTRY_URL>
AUTH_PROVIDER: jwt
JWT_JWKS_URL: <YOUR_JWKS_ENDPOINT>
SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster-1
ports:
- "7070:7070"
- "9464:9464"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:7070/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
Verify deployment
Check that SRP is healthy:
curl http://host:PORT/health
curl http://host:PORT/metrics
Next steps
