Ready-to-adapt deployment examples and operational guidance for Schema Registry Proxy (SRP). For the full list of configuration options, see the Schema Registry Proxy environment variables reference.

Deployment Examples

Production Deployment with Full Security

version: "3.8"
services:
  schema-registry-proxy:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    hostname: srp-prod-1
    environment:
      # Core Configuration
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-prod-cluster
      PORT: "8080"

      # SSL/TLS Server Configuration
      SSL_KEYSTORE_PATH: /opt/srp/certs/server.jks
      SSL_KEYSTORE_PASSWORD: ${SSL_KEYSTORE_PASSWORD}
      SSL_TRUSTSTORE_PATH: /opt/srp/certs/truststore.jks
      SSL_TRUSTSTORE_PASSWORD: ${SSL_TRUSTSTORE_PASSWORD}
      SSL_SECURE_PORT: "8443"
      SSL_INSECURE_ENABLED: "false"

      # Kafka Configuration with SASL/SSL
      KAFKA_BOOTSTRAP_SERVERS: kafka1:9093,kafka2:9093,kafka3:9093
      KAFKA_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_SASL_MECHANISM: SCRAM-SHA-512
      KAFKA_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USER}" password="${KAFKA_PASSWORD}";'
      KAFKA_SSL_TRUSTSTORE_LOCATION: /opt/srp/certs/kafka-truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: ${KAFKA_TRUSTSTORE_PASSWORD}

      # Schema Registry Backend with mTLS
      CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8082
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /opt/srp/certs/sr-truststore.jks
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: ${SR_TRUSTSTORE_PASSWORD}
      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /opt/srp/certs/sr-client.jks
      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: ${SR_KEYSTORE_PASSWORD}

      # JWT Authentication
      AUTH_PROVIDER: jwt
      JWT_JWKS_URL: https://auth.company.com/realms/production/protocol/openid-connect/certs
      JWT_VALIDATE_EXPIRATION: "true"
      JWT_SUBJECT_CLAIM_NAME: preferred_username

      # Observability
      OTEL_EXPORTER_OTLP_ENDPOINT: http://otel-collector:4317
      OTEL_TRACES_ENABLED: "true"
      OTEL_METRICS_ENABLED: "true"
      LOG_LEVEL: INFO
    volumes:
      - ./certs:/opt/srp/certs:ro
    ports:
      - "8443:8443"
      - "9464:9464"
    deploy:
      replicas: 3
      resources:
        limits:
          memory: 2G
          cpus: "2"
        reservations:
          memory: 1G
          cpus: "1"

Multi-Node Deployment Configuration

For high availability deployments with multiple SRP instances:
version: "3.8"
services:
  schema-registry-proxy-1:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "0"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...

  schema-registry-proxy-2:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "1"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...

  schema-registry-proxy-3:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "2"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...
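
A consistency check for the three services above, as an added example (not part of SRP). It assumes, from the example only, that node indexes run from 0 to `CLUSTER_MAX_NODE_INDEX` with each used exactly once and that all nodes share one `SCHEMA_REGISTRY_PROXY_APP_ID`; `check_cluster` and the sample data are hypothetical.

```python
from collections import Counter


def check_cluster(nodes):
    """nodes maps compose service name -> environment map. The rule checked
    is inferred from the three-node example (assumption, not SRP's spec)."""
    out = []
    app_ids = {env.get("SCHEMA_REGISTRY_PROXY_APP_ID") for env in nodes.values()}
    if len(app_ids) != 1:
        out.append(f"nodes disagree on SCHEMA_REGISTRY_PROXY_APP_ID: {sorted(map(str, app_ids))}")
    maxes = {str(env.get("CLUSTER_MAX_NODE_INDEX")) for env in nodes.values()}
    if len(maxes) != 1 or not next(iter(maxes)).isdecimal():
        out.append(f"CLUSTER_MAX_NODE_INDEX must be one integer on every node: {sorted(maxes)}")
        return out  # index checks below need a single agreed maximum
    max_index = int(next(iter(maxes)))
    seen = Counter()
    for name, env in nodes.items():
        raw = str(env.get("CLUSTER_NODE_INDEX", ""))
        if not raw.isdecimal() or int(raw) > max_index:
            out.append(f"{name}: CLUSTER_NODE_INDEX {raw!r} outside 0..{max_index}")
        else:
            seen[int(raw)] += 1
    for index in range(max_index + 1):
        if seen[index] == 0:
            out.append(f"no node has CLUSTER_NODE_INDEX {index}")
        elif seen[index] > 1:
            out.append(f"CLUSTER_NODE_INDEX {index} used by {seen[index]} nodes")
    return out


def _node(index, max_index="2", app_id="srp-cluster"):
    return {"SCHEMA_REGISTRY_PROXY_APP_ID": app_id,
            "CLUSTER_NODE_INDEX": index, "CLUSTER_MAX_NODE_INDEX": max_index}


# Constructed sample: third service copied from the second, index not bumped.
COPY_PASTE = {
    "schema-registry-proxy-1": _node("0"),
    "schema-registry-proxy-2": _node("1"),
    "schema-registry-proxy-3": _node("1"),
}

print("\n".join(check_cluster(COPY_PASTE)))
```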

Security Configurations

Example: Confluent Cloud Integration

environment:
  # Kafka connection to Confluent Cloud
  KAFKA_BOOTSTRAP_SERVERS: pkc-xxxxx.region.provider.confluent.cloud:9092
  KAFKA_SECURITY_PROTOCOL: SASL_SSL
  KAFKA_SASL_MECHANISM: PLAIN
  KAFKA_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="${CONFLUENT_API_KEY}" password="${CONFLUENT_API_SECRET}";'

  # Schema Registry connection
  CONFLUENT_SCHEMA_REGISTRY_URL: https://psrc-xxxxx.region.provider.confluent.cloud
  SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
  SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: "${SR_API_KEY}:${SR_API_SECRET}"

Example: Keycloak Integration

environment:
  AUTH_PROVIDER: jwt
  JWT_JWKS_URL: https://keycloak.company.com/realms/production/protocol/openid-connect/certs
  JWT_VALIDATE_EXPIRATION: "true"
  JWT_SUBJECT_CLAIM_NAME: preferred_username

Monitoring and Operations

Health Checks

The service exposes health endpoints for monitoring:
  • Health Check: GET https://host:PORT/health
  • Prometheus Metrics: GET https://host:PORT/metrics

Metrics

Key metrics exposed via Prometheus:
  • http_server_requests_total: Total HTTP requests
  • http_server_request_duration_seconds: Request latency histogram
  • kafka_consumer_lag: Consumer lag for configuration topics
  • schema_registry_backend_requests_total: Backend request counts
  • schema_registry_backend_request_duration_seconds: Backend request latency
  • srp_heartbeat_published_total: Count of published heartbeats
  • srp_permissions_updated_total: Count of permission updates received

Logging

Structured JSON logging with configurable levels:
environment:
  LOG_LEVEL: INFO # DEBUG for troubleshooting
  JAVALIN_DEV_LOGGING_ENABLED: "false" # Never enable in production
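
A pre-deployment lint for the settings that the production example and the logging note above pin down, as an added example (not Conduktor's code). It reads one service's `environment` map as written in the compose file, before `${VAR}` substitution; the function name, the messages, and the rule that an unset `SSL_INSECURE_ENABLED` or `KAFKA_SECURITY_PROTOCOL` is reported are assumptions of this example.

```python
import re

ENV_REF = r"\$\{[A-Za-z_][A-Za-z0-9_]*\}"  # a ${VAR} placeholder
JAAS_PASSWORD = re.compile(r'password="([^"]*)"')
HTTPS_ONLY = ("CONFLUENT_SCHEMA_REGISTRY_URL", "JWT_JWKS_URL")


def lint_srp_env(env):
    """Findings for one environment map. Defaults are not stated on the
    page, so an unset security switch is reported too (assumption)."""
    def flag(key, default):
        return str(env.get(key, default)).lower()
    out = []
    if flag("SSL_INSECURE_ENABLED", "<unset>") != "false":
        out.append("SSL_INSECURE_ENABLED: must be set to false")
    if env.get("AUTH_PROVIDER") == "jwt" and flag("JWT_VALIDATE_EXPIRATION", "<unset>") != "true":
        out.append("JWT_VALIDATE_EXPIRATION: must be set to true")
    if env.get("KAFKA_SECURITY_PROTOCOL") not in ("SASL_SSL", "SSL"):
        out.append("KAFKA_SECURITY_PROTOCOL: broker link is not TLS")
    if flag("JAVALIN_DEV_LOGGING_ENABLED", "false") == "true":
        out.append("JAVALIN_DEV_LOGGING_ENABLED: never enable in production")
    if flag("LOG_LEVEL", "") == "debug":
        out.append("LOG_LEVEL: DEBUG is for troubleshooting only")
    for key, value in env.items():
        value = str(value)
        if key in HTTPS_ONLY and not value.startswith("https://"):
            out.append(f"{key}: not an https:// URL")
        elif key.endswith("_PASSWORD") and not re.fullmatch(ENV_REF, value):
            out.append(f"{key}: literal secret in compose file")
        elif key.endswith("_JAAS_CONFIG"):
            m = JAAS_PASSWORD.search(value)
            if m and not re.fullmatch(ENV_REF, m.group(1)):
                out.append(f"{key}: literal password in JAAS string")
        elif key.endswith("_USER_INFO") and not re.fullmatch(f"{ENV_REF}:{ENV_REF}", value):
            out.append(f"{key}: literal credentials in compose file")
    return out


# Constructed sample: a drifted copy of the production environment.
DRIFTED = {
    "SSL_INSECURE_ENABLED": "true",
    "SSL_KEYSTORE_PASSWORD": "changeit",
    "KAFKA_SECURITY_PROTOCOL": "SASL_PLAINTEXT",
    "KAFKA_SASL_JAAS_CONFIG": 'org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USER}" password="s3cret";',
    "AUTH_PROVIDER": "jwt",
    "JWT_JWKS_URL": "http://auth.company.com/realms/production/protocol/openid-connect/certs",
    "LOG_LEVEL": "DEBUG",
}

print("\n".join(lint_srp_env(DRIFTED)))
```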

Distributed Tracing

When configured with OpenTelemetry, the service automatically creates spans for:
  • HTTP requests (parent spans)
  • Backend Schema Registry calls (child spans)
  • Kafka operations (consuming permissions, publishing heartbeats)
  • Authentication/authorization operations