Connect

schema_registry

Type:

Available in: Cloud, Self-Managed

Publishes schemas to a schema registry. This output uses the Franz Kafka Schema Registry client.

Introduced in version 4.32.2.

  • Common

  • Advanced

outputs:
  label: ""
  schema_registry:
    url: "" # No default (required)
    subject: "" # No default (required)
    max_in_flight: 64
outputs:
  label: ""
  schema_registry:
    url: "" # No default (required)
    subject: "" # No default (required)
    subject_compatibility_level: "" # No default (optional)
    backfill_dependencies: true
    translate_ids: false
    normalize: true
    remove_metadata: true
    remove_rule_set: true
    input_resource: schema_registry_input
    tls:
      enabled: false
      skip_cert_verify: false
      enable_renegotiation: false
      root_cas: ""
      root_cas_file: ""
      client_certs: []
    max_in_flight: 64
    oauth:
      enabled: false
      consumer_key: ""
      consumer_secret: ""
      access_token: ""
      access_token_secret: ""
    basic_auth:
      enabled: false
      username: ""
      password: ""
    jwt:
      enabled: false
      private_key_file: ""
      signing_method: ""
      claims: {}
      headers: {}

Performance

The schema_registry output sends multiple messages in parallel for improved performance. You can use the max_in_flight field to tune the maximum number of in-flight messages, or message batches.

Example

This example writes schemas to a schema registry instance and logs errors for existing schemas.

output:
  fallback:
    - schema_registry:
        url: http://localhost:8082
        subject: ${! @schema_registry_subject }
    - switch:
        cases:
          - check: '@fallback_error == "request returned status: 422"'
            output:
              drop: {}
              processors:
                - log:
                    message: |
                      Subject '${! @schema_registry_subject }' version ${! @schema_registry_version } already has schema: ${! content() }
          - output:
              reject: ${! @fallback_error }

Fields

backfill_dependencies

Backfill missing schema references and previous schema versions. If set to true, you must also configure a schema_registry input to read source schemas.

Type: bool

Default: true

basic_auth

Configure basic authentication for requests from this component to your schema registry.

Type: object

basic_auth.enabled

Whether to use basic authentication in requests.

Type: bool

Default: false

basic_auth.password

The password to use for authentication. Used together with username for basic authentication or with encrypted private keys for secure access.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

basic_auth.username

The username of the account credentials to authenticate as. Used together with password for basic authentication.

Type: string

Default: ""

input_resource

The label of the schema_registry input from which to read source schemas.

Type: string

Default: schema_registry_input

jwt

Beta

Configure JSON Web Token (JWT) authentication for secure data transmission from this component to your schema registry. This feature is in beta and may change in future releases.

Type: object

jwt.claims

Values used to pass the identity of the authenticated entity to the service provider. In this case, between this component and the schema registry.

Type: object

Default: {}

jwt.enabled

Whether to use JWT authentication in requests.

Type: bool

Default: false

jwt.headers

The key/value pairs that identify the type of token and signing algorithm.

Type: object

Default: {}

jwt.private_key_file

A PEM-encoded file containing a private key that is formatted using either PKCS1 or PKCS8 standards.

Type: string

Default: ""

jwt.signing_method

The method used to sign the token, such as RS256, RS384, RS512 or EdDSA.

Type: string

Default: ""

max_in_flight

The maximum number of messages to have in flight at a given time. Increase this number to improve throughput.

Type: int

Default: 64

normalize

Normalize schemas.

Requires version 4.61.0 or later.

Type: bool

Default: true

oauth

Configure OAuth version 1.0 to give this component authorized access to your schema registry.

Type: object

oauth.access_token

The value this component can use to gain access to the schema registry.

Type: string

Default: ""

oauth.access_token_secret

The secret that establishes ownership of the oauth.access_token in OAuth 1.0 authentication.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

oauth.consumer_key

The value used to identify this component or client to your schema registry.

Type: string

Default: ""

oauth.consumer_secret

The secret that establishes ownership of the consumer key in OAuth 1.0 authentication.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

oauth.enabled

Whether to use OAuth version 1 in requests.

Type: bool

Default: false

remove_metadata

Removes metadata fields from schema output. Use this to produce leaner schema definitions for downstream consumers or when metadata is not required.

Requires version 4.61.0 or later.

Type: bool

Default: true

remove_rule_set

Removes rule set definitions from schema output. Useful for simplifying schemas when rule sets are not required by consumers or applications.

Requires version 4.61.0 or later.

Type: bool

Default: true

subject

The subject name.

This field supports interpolation functions.

Type: string

subject_compatibility_level

The compatibility level for the subject. Can be one of BACKWARD, BACKWARD_TRANSITIVE, FORWARD, FORWARD_TRANSITIVE, FULL, FULL_TRANSITIVE, NONE.

This field supports interpolation functions.

Type: string

tls

Configure Transport Layer Security (TLS) settings to secure network connections. This includes options for standard TLS as well as mutual TLS (mTLS) authentication where both client and server authenticate each other using certificates. Key configuration options include enabled to enable TLS, client_certs for mTLS authentication, root_cas/root_cas_file for custom certificate authorities, and skip_cert_verify for development environments.

Type: object

tls.client_certs[]

A list of client certificates for mutual TLS (mTLS) authentication. Configure this field to enable mTLS, authenticating the client to the server with these certificates.

You must set tls.enabled: true for the client certificates to take effect.

Certificate pairing rules: For each certificate item, provide either:

  • Inline PEM data using both cert and key or

  • File paths using both cert_file and key_file.

Mixing inline and file-based values within the same item is not supported.

Type: object

Default: []

# Examples:
client_certs:
  - cert: foo
    key: bar


# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

tls.client_certs[].key

A plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}

tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Requires version 3.45.0 or later.

Type: bool

Default: false

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.root_cas

Specify a root certificate authority to use (optional). This is a string that represents a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for inline certificate data or root_cas_file for file-based certificate loading.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

tls.root_cas_file

Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for file-based certificate loading or root_cas for inline certificate data.

Type: string

Default: ""

# Examples:
root_cas_file: ./root_cas.pem

tls.skip_cert_verify

Whether to skip server side certificate verification.

Type: bool

Default: false

translate_ids

When set to true, this field automatically translates the schema ID in each message to match the corresponding schema in the destination schema registry. The updated message is then written to the destination schema registry.

Type: bool

Default: false

url

The base URL of the schema registry service.

Type: string