Configuring external access in Schema Registry

Learn how you can configure Schema Registry to make it accessible from outside of your Kubernetes cluster.

When installing Schema Registry with default values, a ClusterIP type Kubernetes Service is deployed. This provides access to Schema Registry from within the Kubernetes cluster.

To enable secure (TLS) external access, you can configure a Kubernetes Ingress on top of the ClusterIP. Alternatively, you can deploy a LoadBalancer type Service instead of the ClusterIP. Both methods allow you to provide secure external access to Schema Registry. The choice between Ingress and LoadBalancer depends on your infrastructure, security requirements, and need for advanced routing or certificate management.

Configuring external access with Ingress

Learn how to configure external access to Schema Registry with Kubernetes Ingress.

An Ingress controller is required. Ensure that you have one deployed in your Kubernetes cluster. For example, you can use the Ingress-Nginx controller.
Optional: cert-manager is installed in your Kubernetes cluster.

Although not required, cert-manager enables you to manage certificates automatically. Without cert-manager you must manage your certificate manually through Secrets. The following steps assume that cert-manager is available.

Deploy an Issuer resource for cert-manager.
Take note of the name of the Issuer you deploy. You provide the name of the Issuer to the Ingress in a following step. Deploying a Certificate resource is not needed, it is automatically requested and created by the Ingress once it is deployed.
Configure ingress properties in a values file (values.yaml).
```
#...
ingress:
  enabled: true
  className: "nginx"
  rules:
    host: my-app.example.cloudera.com
  tls:
    enabled: true
    secretRef: "[***INGRESS TLS CERT SECRET***]"
  extraAnnotations: 
    cert-manager.io/issuer: "[***ISSUER NAME***]"
```
- ingress.enabled – Enables or disables external access through Ingress.
- ingress.rules.host – Specifies the DNS hostname that the Ingress controller should match for incoming HTTP/HTTPS requests.
- ingress.tls.enabled – Enables or disables TLS for Ingress.
- ingress.tls.secretRef – The name of the Secret containing Ingress TLS certificates.
  
  When using cert-manager and the cert-manager.io/issuer annotation is set in the ingress.extraAnnotations property, a certificate is requested automatically and saved to the Secret specified here.
- ingress.extraAnnotations.* – Extra annotations to apply to the Ingress.
  
  The cert-manager.io/issuer annotation specified here contains the name of the cert-manager Issuer. When set, a certificate is automatically requested by the Ingress.

Apply configuration changes.

helm upgrade schema-registry [***CHART***] \
  --namespace [***NAMESPACE***] \
  --values [***VALUES.YAML***] \
  --reuse-values

Access Schema Registry from the Hostname/IP of the Ingress.

kubectl get ingress --namespace [***NAMESPACE***]

NAME               CLASS   HOSTS                ADDRESS     PORTS  
#...
schema-registry-ingress   nginx   my-app.example.cloudera.com  10.14.91.1  80, 443

In this example, Schema Registry is accessed at my-app.example.cloudera.com.com:443.

Configuring external access with LoadBalancer

Learn how to configure external access to Schema Registry with a LoadBalancer type Service.

When deploying a LoadBalancer type Service, the actual load balancer is provisioned and managed by your cloud or infrastructure provider. As a result, TLS settings and certificate management may vary depending on the platform. Refer to vendor-specific documentation for detailed guidance on configuring TLS.

Set service.type to LoadBalancer in a custom values file (values.yaml).
```
#...
service:
  type: LoadBalancer
  port: 9090
```
note
Ensure that Ingress is disabled (ingress.enabled: false). Ingress is disabled by default.

Apply configuration changes.

helm upgrade schema-registry [***CHART***] \
  --namespace [***NAMESPACE***] \
  --values [***VALUES.YAML***] \
  --reuse-values

Access Schema Registry from the Hostname/IP of the load balancer.
```
kubectl get service schema-registry-service --namespace [***NAMESPACE***]
```
Look at the IP listed in the EXTERNAL-IP column as well as the port in the PORT(S) column. You can access Schema Registry using this IP and port.
```
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP        PORT(S)
schema-registry-service  LoadBalancer   10.103.58.116   104.198.205.71     9090:30219/TCP
```
In this example, Schema Registry is accessed at 104.198.205.71:30219.