# Conduktor Schema Registry Proxy configuration examples

> Deployment examples for Conduktor Schema Registry Proxy: production and multi-node docker-compose, Confluent Cloud and Keycloak integration, monitoring.

Ready-to-adapt deployment examples and operational guidance for Schema Registry Proxy (SRP). For the full list of configuration options, see the [Schema Registry Proxy environment variables reference](/guide/reference/schema-registry-proxy-environment-variables).

## Deployment Examples

### Production Deployment with Full Security

```yaml
version: "3.8"
services:
  schema-registry-proxy:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    hostname: srp-prod-1
    environment:
      # Core Configuration
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-prod-cluster
      PORT: "8080"

      # SSL/TLS Server Configuration
      SSL_KEYSTORE_PATH: /opt/srp/certs/server.jks
      SSL_KEYSTORE_PASSWORD: ${SSL_KEYSTORE_PASSWORD}
      SSL_TRUSTSTORE_PATH: /opt/srp/certs/truststore.jks
      SSL_TRUSTSTORE_PASSWORD: ${SSL_TRUSTSTORE_PASSWORD}
      SSL_SECURE_PORT: "8443"
      SSL_INSECURE_ENABLED: "false"

      # Kafka Configuration with SASL/SSL
      KAFKA_BOOTSTRAP_SERVERS: kafka1:9093,kafka2:9093,kafka3:9093
      KAFKA_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_SASL_MECHANISM: SCRAM-SHA-512
      KAFKA_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USER}" password="${KAFKA_PASSWORD}";'
      KAFKA_SSL_TRUSTSTORE_LOCATION: /opt/srp/certs/kafka-truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: ${KAFKA_TRUSTSTORE_PASSWORD}

      # Schema Registry Backend with mTLS
      CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8082
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /opt/srp/certs/sr-truststore.jks
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: ${SR_TRUSTSTORE_PASSWORD}
      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /opt/srp/certs/sr-client.jks
      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: ${SR_KEYSTORE_PASSWORD}

      # JWT Authentication
      AUTH_PROVIDER: jwt
      JWT_JWKS_URL: https://auth.company.com/realms/production/protocol/openid-connect/certs
      JWT_VALIDATE_EXPIRATION: "true"
      JWT_SUBJECT_CLAIM_NAME: preferred_username

      # Observability
      OTEL_EXPORTER_OTLP_ENDPOINT: http://otel-collector:4317
      OTEL_TRACES_ENABLED: "true"
      OTEL_METRICS_ENABLED: "true"
      LOG_LEVEL: INFO
    volumes:
      - ./certs:/opt/srp/certs:ro
    ports:
      - "8443:8443"
      - "9464:9464"
    deploy:
      replicas: 3
      resources:
        limits:
          memory: 2G
          cpus: "2"
        reservations:
          memory: 1G
          cpus: "1"
```
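The following Python check is an added example, not Conduktor's own code. It compares one service's `environment` mapping against the hardened values in the compose file above and flags secrets written as literals instead of `${VAR}` substitutions. It assumes the compose file has already been parsed into a dict and that every baseline key is set explicitly; `lint_srp_env` and `WEAK_ENV` are names constructed for illustration, and `JAVALIN_DEV_LOGGING_ENABLED` is the key from the Logging section of this page.

```python
import re

# Whole value is a compose substitution such as ${SSL_KEYSTORE_PASSWORD}.
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
JAAS_PASSWORD = re.compile(r'password="([^"]*)"')

# Baseline taken from the production example on this page.
REQUIRED = {
    "SSL_INSECURE_ENABLED": "false",
    "JWT_VALIDATE_EXPIRATION": "true",
    "KAFKA_SECURITY_PROTOCOL": "SASL_SSL",
}
HTTPS_ONLY = ("CONFLUENT_SCHEMA_REGISTRY_URL", "JWT_JWKS_URL")


def lint_srp_env(env):
    """Return sorted findings for one service's environment mapping."""
    findings = []
    for key, want in REQUIRED.items():
        got = str(env.get(key, "<unset>"))
        if got.lower() != want.lower():
            findings.append(f"{key}: expected {want}, found {got}")
    for key in HTTPS_ONLY:
        if key in env and not str(env[key]).startswith("https://"):
            findings.append(f"{key}: not an https:// URL")
    if str(env.get("JAVALIN_DEV_LOGGING_ENABLED", "")).lower() == "true":
        findings.append("JAVALIN_DEV_LOGGING_ENABLED: enabled")
    for key, value in env.items():
        if key.endswith("_PASSWORD") and not ENV_REF.fullmatch(str(value)):
            findings.append(f"{key}: literal secret in compose file")
    jaas = JAAS_PASSWORD.search(str(env.get("KAFKA_SASL_JAAS_CONFIG", "")))
    if jaas and not ENV_REF.fullmatch(jaas.group(1)):
        findings.append("KAFKA_SASL_JAAS_CONFIG: literal password")
    return sorted(findings)


# Constructed sample: a weakened variant of the production environment.
WEAK_ENV = {
    "SSL_INSECURE_ENABLED": "true",
    "SSL_KEYSTORE_PASSWORD": "changeit",
    "KAFKA_SECURITY_PROTOCOL": "SASL_SSL",
    "KAFKA_SASL_JAAS_CONFIG": 'org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USER}" password="s3cret";',
    "CONFLUENT_SCHEMA_REGISTRY_URL": "http://schema-registry:8082",
    "JWT_JWKS_URL": "https://auth.company.com/realms/production/protocol/openid-connect/certs",
    "JAVALIN_DEV_LOGGING_ENABLED": "true",
}

if __name__ == "__main__":
    for finding in lint_srp_env(WEAK_ENV):
        print(finding)
```
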

### Multi-Node Deployment Configuration

For high availability deployments with multiple SRP instances:

```yaml
version: "3.8"
services:
  schema-registry-proxy-1:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "0"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...

  schema-registry-proxy-2:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "1"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...

  schema-registry-proxy-3:
    image: conduktor/conduktor-schema-registry-proxy:0.1.0-rc1
    environment:
      SCHEMA_REGISTRY_PROXY_APP_ID: srp-cluster
      CLUSTER_NODE_INDEX: "2"
      CLUSTER_MAX_NODE_INDEX: "2"
      # ... other configuration ...
```
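Copy-pasting node definitions makes it easy to duplicate an index. The check below is an added example, not part of the product. It assumes, as the compose file above suggests, that all nodes share one `SCHEMA_REGISTRY_PROXY_APP_ID` and one `CLUSTER_MAX_NODE_INDEX`, and that each `CLUSTER_NODE_INDEX` from 0 to the maximum is claimed exactly once; `check_cluster` and the sample data are constructed.

```python
def _as_int(value):
    """Parse a compose value such as "2"; return None if absent or non-numeric."""
    try:
        return int(str(value))
    except ValueError:
        return None


def check_cluster(services):
    """services maps compose service name -> environment mapping."""
    problems = []
    app_ids = {str(env.get("SCHEMA_REGISTRY_PROXY_APP_ID")) for env in services.values()}
    if len(app_ids) > 1:
        problems.append("SCHEMA_REGISTRY_PROXY_APP_ID differs: " + ", ".join(sorted(app_ids)))
    maxima = {_as_int(env.get("CLUSTER_MAX_NODE_INDEX")) for env in services.values()}
    if len(maxima) != 1 or None in maxima:
        problems.append("CLUSTER_MAX_NODE_INDEX missing, non-numeric or inconsistent")
        return problems
    top = maxima.pop()
    owners = {}  # index -> first service that claimed it
    for name, env in sorted(services.items()):
        index = _as_int(env.get("CLUSTER_NODE_INDEX"))
        if index is None or not 0 <= index <= top:
            problems.append(f"{name}: CLUSTER_NODE_INDEX outside 0..{top}")
        elif index in owners:
            problems.append(f"{name}: index {index} already used by {owners[index]}")
        else:
            owners[index] = name
    missing = sorted(set(range(top + 1)) - set(owners))
    if missing:
        problems.append(f"no node claims index {missing}")
    return problems


# Constructed sample: the third node was copied from the second without
# updating its index.
BROKEN = {
    "schema-registry-proxy-1": {"SCHEMA_REGISTRY_PROXY_APP_ID": "srp-cluster",
                                "CLUSTER_NODE_INDEX": "0", "CLUSTER_MAX_NODE_INDEX": "2"},
    "schema-registry-proxy-2": {"SCHEMA_REGISTRY_PROXY_APP_ID": "srp-cluster",
                                "CLUSTER_NODE_INDEX": "1", "CLUSTER_MAX_NODE_INDEX": "2"},
    "schema-registry-proxy-3": {"SCHEMA_REGISTRY_PROXY_APP_ID": "srp-cluster",
                                "CLUSTER_NODE_INDEX": "1", "CLUSTER_MAX_NODE_INDEX": "2"},
}

if __name__ == "__main__":
    for problem in check_cluster(BROKEN):
        print(problem)
```
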

## Security Configurations

### Example: Confluent Cloud Integration

```yaml
environment:
  # Kafka connection to Confluent Cloud
  KAFKA_BOOTSTRAP_SERVERS: pkc-xxxxx.region.provider.confluent.cloud:9092
  KAFKA_SECURITY_PROTOCOL: SASL_SSL
  KAFKA_SASL_MECHANISM: PLAIN
  KAFKA_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="${CONFLUENT_API_KEY}" password="${CONFLUENT_API_SECRET}";'

  # Schema Registry connection
  CONFLUENT_SCHEMA_REGISTRY_URL: https://psrc-xxxxx.region.provider.confluent.cloud
  SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
  SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: "${SR_API_KEY}:${SR_API_SECRET}"
```

### Example: Keycloak Integration

```yaml
environment:
  AUTH_PROVIDER: jwt
  JWT_JWKS_URL: https://keycloak.company.com/realms/production/protocol/openid-connect/certs
  JWT_VALIDATE_EXPIRATION: "true"
  JWT_SUBJECT_CLAIM_NAME: preferred_username
```

## Monitoring and Operations

### Health Checks

The service exposes health endpoints for monitoring:

* **Health Check**: `GET https://host:PORT/health`
* **Prometheus Metrics**: `GET https://host:PORT/metrics`

### Metrics

Key metrics exposed via Prometheus:

* `http_server_requests_total`: Total HTTP requests
* `http_server_request_duration_seconds`: Request latency histogram
* `kafka_consumer_lag`: Consumer lag for configuration topics
* `schema_registry_backend_requests_total`: Backend request counts
* `schema_registry_backend_request_duration_seconds`: Backend request latency
* `srp_heartbeat_published_total`: Count of published heartbeats
* `srp_permissions_updated_total`: Count of permission updates received

### Logging

Structured JSON logging with configurable levels:

```yaml
environment:
  LOG_LEVEL: INFO # DEBUG for troubleshooting
  JAVALIN_DEV_LOGGING_ENABLED: "false" # Never enable in production
```

### Distributed Tracing

When configured with OpenTelemetry, the service automatically creates spans for:

* HTTP requests (parent spans)
* Backend Schema Registry calls (child spans)
* Kafka operations (consuming permissions, publishing heartbeats)
* Authentication/authorization operations
