Description
Name and Version
bitnami/schema-registry 21.0.0
What is the problem this feature will solve?
I am hoping to mount the aws-msk-iam-auth-2.2.0-all.jar file and use the AWS IAM auth method, following:
- Connect Schema Registry to AWS MSK with IAM enabled. confluentinc/schema-registry#1898 (comment)
- https://stackoverflow.com/questions/70500586/using-confluent-schema-registry-with-msk/70522089#70522089
Here is my current Helm values.yaml:

```yaml
kafka:
  enabled: false
externalKafka:
  brokers:
    - b-1.xx.ida45p.c11.kafka.us-west-2.amazonaws.com:9098
    - b-2.xx.ida45p.c11.kafka.us-west-2.amazonaws.com:9098
    - b-3.xx.ida45p.c11.kafka.us-west-2.amazonaws.com:9098
  listener:
    protocol: SASL_SSL
  # sasl:
  #   user: ""
  #   password: ""
extraEnvVars:
  - name: SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL
    value: SASL_SSL
  - name: SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM
    value: AWS_MSK_IAM
  - name: SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG
    value: software.amazon.msk.auth.iam.IAMLoginModule required;
  - name: SCHEMA_REGISTRY_KAFKASTORE_SASL_CLIENT_CALLBACK_HANDLER_CLASS
    value: software.amazon.msk.auth.iam.IAMClientCallbackHandler
extraVolumes:
  - name: schema-registry-storage
    persistentVolumeClaim:
      claimName: confluent-schema-registry-persistent-volume-claim
extraVolumeMounts:
  - name: schema-registry-storage
    mountPath: /usr/share/java/cp-base-new/aws-msk-iam-auth-2.2.0-all.jar
    subPath: confluent-schema-registry/aws-msk-iam-auth-2.2.0-all.jar
  - name: schema-registry-storage
    mountPath: /usr/share/java/rest-utils/aws-msk-iam-auth-2.2.0-all.jar
    subPath: confluent-schema-registry/aws-msk-iam-auth-2.2.0-all.jar
```

If I use

```yaml
externalKafka:
  listener:
    protocol: SASL_SSL
```

it throws this error:

```
It's mandatory to set the SASL credentials when enabling SASL authentication with Kafka brokers.
 You can specify these credentials setting the parameters below:
 - externalKafka.sasl.user
 - externalKafka.sasl.password
 - externalKafka.sasl.existingSecret (takes precedence over password)

kafka: auth.kafka.jksSecret
 A secret containing the Schema Registry JKS files is required when TLS encryption in enabled

Use --debug flag to render out invalid YAML
```
However, in this case I do not need externalKafka.sasl. I tried

```yaml
externalKafka:
  sasl: {}
```

and

```yaml
externalKafka:
  sasl:
    user: ""
    password: ""
    existingSecret: ""
```

but none of them helps me bypass the InvalidArgument check.
What is the feature you are proposing to solve the problem?
It would be great to support the AWS_MSK_IAM auth method.
What alternatives have you considered?
Use the old SASL_SSL way with static credentials.
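As an added example (not part of this issue, of the chart, or of any Bitnami or Confluent code): a small pre-deploy lint that encodes the rule this issue asks the chart to adopt. With AWS_MSK_IAM the aws-msk-iam-auth library takes credentials from the default AWS credential chain (for example an IRSA role bound to the pod), so no Kafka password needs to live in a Kubernetes Secret; the useful check is therefore the opposite of the chart's current one: refuse dummy static credentials and instead require SASL_SSL, the IAM login module, the callback handler and the jar mounts. The function names (`lint_values`, `extra_env`), the `REQUIRED_JAR_DIRS` constant (assuming both classpath directories from the values.yaml above are needed) and the sample dict, which mirrors that values.yaml, are mine and are constructed for this example.

```python
"""
Pre-deploy lint for a bitnami/schema-registry values.yaml that targets AWS MSK
with IAM authentication. Added example for this issue, not chart code. Rule:
when the kafkastore SASL mechanism is AWS_MSK_IAM, static externalKafka.sasl
credentials are not needed (and are flagged), but SASL_SSL, the IAM login
module, the IAM callback handler and the aws-msk-iam-auth jar mounts must be set.
"""
from typing import Dict, List

IAM_MECHANISM = "AWS_MSK_IAM"
IAM_LOGIN_MODULE = "software.amazon.msk.auth.iam.IAMLoginModule"
IAM_CALLBACK_HANDLER = "software.amazon.msk.auth.iam.IAMClientCallbackHandler"
# Assumption: the jar must be visible in both classpath directories the issue mounts it into.
REQUIRED_JAR_DIRS = ("/usr/share/java/cp-base-new/", "/usr/share/java/rest-utils/")

ENV_PROTOCOL = "SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL"
ENV_MECHANISM = "SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM"
ENV_JAAS = "SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG"
ENV_HANDLER = "SCHEMA_REGISTRY_KAFKASTORE_SASL_CLIENT_CALLBACK_HANDLER_CLASS"


def extra_env(values: dict) -> Dict[str, str]:
    """Flatten the chart's extraEnvVars list into a name -> value map."""
    return {e["name"]: str(e.get("value", "")) for e in values.get("extraEnvVars", [])}


def has_static_sasl_credentials(values: dict) -> bool:
    """True if any of externalKafka.sasl.user/password/existingSecret is non-empty."""
    sasl = values.get("externalKafka", {}).get("sasl") or {}
    return any(sasl.get(key) for key in ("user", "password", "existingSecret"))


def lint_values(values: dict) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: List[str] = []
    external = values.get("externalKafka", {})
    protocol = external.get("listener", {}).get("protocol", "PLAINTEXT")
    if not protocol.startswith("SASL_"):
        return problems  # no SASL in play, nothing to check here

    env = extra_env(values)
    if env.get(ENV_MECHANISM) != IAM_MECHANISM:
        # Plain SASL (e.g. SCRAM): the chart's existing requirement is the right one.
        if not has_static_sasl_credentials(values):
            problems.append("SASL enabled without AWS_MSK_IAM: set externalKafka.sasl.user/password or existingSecret")
        return problems

    # IAM path: credentials come from the pod's AWS credential chain, so a static
    # user/password would be dead weight and one more secret to rotate for nothing.
    if has_static_sasl_credentials(values):
        problems.append("AWS_MSK_IAM selected: static externalKafka.sasl credentials are unused, remove them")
    if protocol != "SASL_SSL" or env.get(ENV_PROTOCOL) != "SASL_SSL":
        problems.append("AWS_MSK_IAM requires SASL_SSL on both listener.protocol and " + ENV_PROTOCOL)
    jaas = env.get(ENV_JAAS, "").strip()
    if not (jaas.startswith(IAM_LOGIN_MODULE) and jaas.endswith(";")):
        problems.append(f"{ENV_JAAS} must be '{IAM_LOGIN_MODULE} required;'")
    if env.get(ENV_HANDLER) != IAM_CALLBACK_HANDLER:
        problems.append(f"{ENV_HANDLER} must be {IAM_CALLBACK_HANDLER}")
    mount_paths = [m.get("mountPath", "") for m in values.get("extraVolumeMounts", [])]
    for directory in REQUIRED_JAR_DIRS:
        if not any(p.startswith(directory) and p.endswith(".jar") for p in mount_paths):
            problems.append(f"aws-msk-iam-auth jar is not mounted under {directory}")
    return problems


# Constructed sample mirroring the values.yaml in the issue, written as a dict
# so the lint runs without a YAML library.
VALUES_IAM = {
    "kafka": {"enabled": False},
    "externalKafka": {
        "brokers": ["b-1.xx.ida45p.c11.kafka.us-west-2.amazonaws.com:9098"],
        "listener": {"protocol": "SASL_SSL"},
    },
    "extraEnvVars": [
        {"name": ENV_PROTOCOL, "value": "SASL_SSL"},
        {"name": ENV_MECHANISM, "value": IAM_MECHANISM},
        {"name": ENV_JAAS, "value": IAM_LOGIN_MODULE + " required;"},
        {"name": ENV_HANDLER, "value": IAM_CALLBACK_HANDLER},
    ],
    "extraVolumeMounts": [
        {"name": "schema-registry-storage",
         "mountPath": "/usr/share/java/cp-base-new/aws-msk-iam-auth-2.2.0-all.jar",
         "subPath": "confluent-schema-registry/aws-msk-iam-auth-2.2.0-all.jar"},
        {"name": "schema-registry-storage",
         "mountPath": "/usr/share/java/rest-utils/aws-msk-iam-auth-2.2.0-all.jar",
         "subPath": "confluent-schema-registry/aws-msk-iam-auth-2.2.0-all.jar"},
    ],
}

if __name__ == "__main__":
    for line in lint_values(VALUES_IAM) or ["ok: AWS_MSK_IAM configuration is consistent"]:
        print(line)
```

Run it against a real values file by loading it with a YAML parser into `lint_values`; a non-empty result is the list of things to fix before `helm install`.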