Schema Registry Helm chart configuration reference

A reference listing all configurable properties of the Schema Registry Helm chart.

Configure these properties during installation in your helm install command, or update them after installation using helm upgrade. Use the --values (-f) and --set options to specify properties. For example:
```
helm install schema-registry \
  --namespace [***NAMESPACE***] \
  --values [***VALUES FILE***] \
  --set 'image.imagePullSecrets=[***REGISTRY CREDENTIALS SECRET***]' \
  oci://container.repository.cloudera.com/cloudera-helm/csm-operator/schema-registry \
  --version 1.6.0-b99
```
Table 1. Schema Registry Helm chart configuration properties reference
| Property | Description | Default Value |
| --- | --- | --- |
| replicaCount | The ReplicaSet count. | 1 |
| image.registry | The container image registry where the image is hosted. | container.repository.cloudera.com |
| image.repository | The repository name of the container image. | cloudera |
| image.name | The name of the container image. | schema-registry |
| image.tag | The tag of the container image to use. | latest |
| image.pullPolicy | The policy to use when pulling the container image. | IfNotPresent |
| image.imagePullSecrets | An array of Secrets containing credentials that provide access to the registry where Schema Registry images are hosted. | [] |
| env | A list of environment variables to set in the Schema Registry Container. Can be specified as direct values or references to Secrets or Configmaps. | [] |
| database.type | The type of database to use. Valid values are postgresql and in-memory. When using postgresql, you must configure database.jdbcUrl, database.user, and database.password properties. The in-memory option starts Schema Registry with an ephemeral in-memory database that requires no additional configuration. However, in-memory mode is only suitable for testing and evaluation as all schemas will be lost when Pods restart. | postgresql |
| database.jdbcUrl | The JDBC URL that points to your PostgreSQL database. | jdbc:postgresql://localhost:5432/schema_registry |
| database.user | The PostgreSQL username for Schema Registry database connections. | none |
| database.password.secretKeyRef.name | The name of the Secret containing the PostgreSQL database password. | none |
| database.password.secretKeyRef.key | The key in the Secret specified by database.password.secretKeyRef.name that contains the PostgreSQL database password. | none |
| database.tls.secretRef | The name of a Secret containing TLS configuration for PostgreSQL connections (certificates, truststores, and so on). All keys from the Secret are mounted to /etc/schema-registry/postgres/tls. Reference mounted files in your JDBC URL (database.jdbcUrl) to configure SSL connections if SSL is required for PostgreSQL. | none |
| service.type | The type of Kubernetes Service used for exposing the Schema Registry application. | ClusterIP |
| service.port | The port exposed by the Service for accessing the Schema Registry application. | 9090 |
| tls.enabled | Enables or disables TLS for the Schema Registry application. | true |
| tls.keystore.secretKeyRef.name | The name of the Secret containing the TLS keystore. | none |
| tls.keystore.secretKeyRef.key | The key in the Secret specified by tls.keystore.secretKeyRef.name that contains the TLS keystore. | none |
| tls.keystore.password.secretKeyRef.name | The name of the Secret containing the TLS keystore password. | none |
| tls.keystore.password.secretKeyRef.key | The key in the Secret specified by tls.keystore.password.secretKeyRef.name that contains the TLS keystore password. | none |
| tls.keystore.type | The type of the TLS keystore. Can be PKCS12 or JKS. | PKCS12 |
| additionalApplicationConnectorConfig | Additional Dropwizard configuration for the applicationConnector. For available properties, see https://www.dropwizard.io/en/stable/manual/configuration.html#http. | none |
| ingress.enabled | Enables or disables external access through Ingress. | false |
| ingress.className | The Ingress controller class. | none |
| ingress.extraAnnotations.* | Extra annotations to apply to the Ingress. | {nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"} |
| ingress.rules.host | The host of the Ingress rule. | "none" |
| ingress.rules.path | The Ingress path. | "/" |
| ingress.tls.enabled | Enables or disables TLS for Ingress. | true |
| ingress.tls.secretRef | The name of the Secret containing Ingress TLS certificates. | none |
| podSecurityContext | Security context settings at the Pod level. | {} |
| containerSecurityContext | Security context settings at the Container level. | {} |
| resources | Resource requests and limits for the Schema Registry Container. | {} |
| scheduling.nodeSelector | Node selector constraints for Pod scheduling. | {} |
| scheduling.affinity | Affinity rules for more complex Pod scheduling. Includes nodeAffinity, podAffinity, and podAntiAffinity. | {} |
| scheduling.tolerations | Tolerations to allow Pod scheduling on nodes with matching taints. | [] |
| scheduling.topologySpreadConstraints | Constraints for distributing Pods across the cluster topology. | [] |
| authentication.oauth.enabled | Enables OAuth authentication for the Schema Registry server. | true |
| authentication.oauth.jwt.principalClaimName | The name of the claim in the JWT token that contains the principal (username) used for authorization. | sub |
| authentication.oauth.jwt.expectedAudience | The expected audience value. If the JWT token contains an aud claim, it must match this value, otherwise the token is considered invalid. | none |
| authentication.oauth.jwt.expectedIssuer | The expected issuer value. If the JWT token contains an iss claim, it must match this value, otherwise the token is considered invalid. When configured, Schema Registry only accepts tokens issued by this specific issuer. | none |
| authentication.oauth.jwks.url | The URL to the JWKS endpoint. | none |
| authentication.oauth.jwks.configMapKeyRef.name | The name of a ConfigMap containing the JWKS output of your OAuth server. When configured, Schema Registry loads the JWKS from the mounted file instead of calling the JWKS endpoint. This is useful in air-gapped environments where JWKS endpoints are not accessible. | none |
| authentication.oauth.jwks.configMapKeyRef.key | The key in the ConfigMap specified by authentication.oauth.jwks.configMapKeyRef.name that contains the JWKS output. | none |
| authentication.oauth.jwks.tls.truststore.secretKeyRef.name | The name of the Secret that contains the truststore for accessing the JWKS endpoint. Configure this property if the backend of your JWKS has self-signed certificates. | none |
| authentication.oauth.jwks.tls.truststore.secretKeyRef.key | The key in the Secret specified by authentication.oauth.jwks.tls.truststore.secretKeyRef.name that contains the truststore for accessing the JWKS endpoint. | none |
| authentication.oauth.jwks.tls.truststore.type | The type of the TLS truststore for the JWKS endpoint. Can be PKCS12 or JKS. | PKCS12 |
| authentication.oauth.jwks.tls.truststore.password.secretKeyRef.name | The name of the Secret that contains the truststore password for accessing the JWKS endpoint. | none |
| authentication.oauth.jwks.tls.truststore.password.secretKeyRef.key | The key in the Secret specified by authentication.oauth.jwks.tls.truststore.password.secretKeyRef.name that contains the truststore password for accessing the JWKS endpoint. | none |
| authentication.oauth.additionalConfig | Additional OAuth configuration values. Configuration specified here is added directly to the YAML configuration of Schema Registry. | {} |
| logging.level | The level of the root logger in the Schema Registry application. | INFO |
| logging.config | Advanced logging configuration for packages, appenders, and other logging components. | {} |
| schema.avro.compatibility | The default Avro schema compatibility mode applied when no compatibility setting is provided during schema creation. Valid values: BACKWARD, FORWARD, BOTH, NONE. | BACKWARD |
| schema.avro.validationLevel | The default Avro schema validation level applied when no validation level is provided during schema creation. Valid values: ALL, LATEST. | ALL |
| authorization.simple.enabled | Enables or disables authorization. | true |
| authorization.simple.adminUsers | A list of admin usernames. Admin users can perform any operation in Schema Registry. | [] |
| authorization.simple.readOnlyUsers | A list of read-only usernames. Read-only users can only perform read operations in Schema Registry. | [] |
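
The following is an added example, not part of the chart or its documentation: a review script that walks the security-relevant properties from the table and lists the ones whose effective value deserves a second look. It assumes the input is the release's values as JSON (for instance the output of `helm get values schema-registry --all --output json`); which properties count as findings and how an unset value is represented are choices made for this example.

```python
import json

# Defaults from the table above, applied when a key is missing from the input.
DEFAULTS = {"tls.enabled": True, "authentication.oauth.enabled": True,
            "authorization.simple.enabled": True, "ingress.enabled": False,
            "ingress.tls.enabled": True, "database.type": "postgresql", "image.tag": "latest"}

def lookup(values, path):
    """Walk a dotted property path; fall back to the documented default."""
    cur = values
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return DEFAULTS.get(path)
        cur = cur[part]
    return cur

def unset(v):
    # Assumption: an unset property shows up as null, "", "none", [] or {}.
    return v is None or v in ("", "none", [], {})

def audit(values):
    """Return the property paths whose effective value deserves review."""
    get = lambda p: lookup(values, p)
    findings = [p for p in ("tls.enabled", "authentication.oauth.enabled",
                            "authorization.simple.enabled") if get(p) is not True]
    if get("authentication.oauth.enabled") is True:
        # No expected issuer or audience configured for JWT validation.
        findings += [p for p in ("authentication.oauth.jwt.expectedIssuer",
                                 "authentication.oauth.jwt.expectedAudience")
                     if unset(get(p))]
    if get("database.type") == "in-memory":
        findings.append("database.type")  # schemas are lost when Pods restart
    elif unset(get("database.password.secretKeyRef.name")):
        findings.append("database.password.secretKeyRef.name")
    if get("image.tag") == "latest":
        findings.append("image.tag")  # mutable tag, the image is not pinned
    if get("ingress.enabled") is True and get("ingress.tls.enabled") is not True:
        findings.append("ingress.tls.enabled")  # external access without TLS
    findings += [p for p in ("podSecurityContext", "containerSecurityContext") if unset(get(p))]
    return findings

# Constructed sample input, not taken from a real release.
SAMPLE = json.loads("""{
  "image": {"tag": "latest"}, "tls": {"enabled": false}, "database": {"type": "in-memory"},
  "authentication": {"oauth": {"enabled": true, "jwt": {
      "expectedIssuer": "https://idp.example.test", "expectedAudience": null}}},
  "ingress": {"enabled": true, "tls": {"enabled": false}},
  "podSecurityContext": {"runAsNonRoot": true}, "containerSecurityContext": {}}""")

print(audit(SAMPLE))
```

Running `audit({})` shows what the chart defaults alone leave open: no expected issuer or audience, no database password Secret, the `latest` image tag, and empty security contexts.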