SR with CfK; Enable ACL => ConfigException: Listener unsupported scheme 'EXTERNAL'

Hello,

I have this setup:

• Self-managed platform v8.1.1 configured via CfK v3.1.1
• SchemaRegistry is configured to use HTTPS on external listener and plain HTTP on internal one, using the Kubernetes Schema Rregistry CR
• I have enabled mTLS authentication on external listener

On the server, the CfK configuration ends up like this:

listener.name.external.ssl.client.authentication=REQUIRED
listener.name.external.ssl.key.password=${file:/mnt/sslcerts/cdc-server-certs/jksPassword.txt:jksPassword}
listener.name.external.ssl.keystore.location=/mnt/sslcerts/cdc-server-certs/keystore.p12
listener.name.external.ssl.keystore.password=${file:/mnt/sslcerts/cdc-server-certs/jksPassword.txt:jksPassword}
listener.name.external.ssl.principal.mapping.rules=RULE:^.CN\s=\s*(test-client).$/$1/
listener.name.external.ssl.truststore.location=/mnt/sslcerts/cdc-server-certs/truststore.p12
listener.name.external.ssl.truststore.password=${file:/mnt/sslcerts/cdc-server-certs/jksPassword.txt:jksPassword}
listener.protocol.map=EXTERNAL:https,INTERNAL:http
listeners=EXTERNAL://0.0.0.0:8081,INTERNAL://0.0.0.0:9081

Everything works fine up to this point. However, when trying to enable ACL on SchemaRegistry, using this configuration

configOverrides:
server:
- resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
- confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
- confluent.topic.acl.super.users=User:kafka

SchemaRegistry no longer starts because of

org.apache.kafka.common.config.ConfigException: Listener ‘EXTERNAL://0.0.0.0:8081’ has an unsupported scheme ‘EXTERNAL’
at io.confluent.rest.RestConfig.constructNamedURI(RestConfig.java:1557) ~[rest-utils-8.1.1.jar:?]
at io.confluent.rest.RestConfig.lambda$parseListeners$1(RestConfig.java:1524) ~[rest-utils-8.1.1.jar:?]
at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
at io.confluent.rest.RestConfig.parseListeners(RestConfig.java:1525) ~[rest-utils-8.1.1.jar:?]
at io.confluent.rest.Application.parseListeners(Application.java:589) ~[rest-utils-8.1.1.jar:?]
at io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer.getPortForIdentity(SchemaRegistryAclAuthorizer.java:254) ~[confluent-schema-registry-security-plugin-8.1.1.jar:?]

It seems it expects a listener like “https://0.0.0.0:8081"and not like “EXTERNAL://0.0.0.0:8081”. Looks like a CfK limitation for me. Any idea on how can I address it?

The “EXTERNAL” listener is automatically created by the SR CR, from this setup:
listeners:
internal:
tls:
enabled: false
external:
tls:
enabled: true
secretRef: {{ $network.tlsSecretRef }}

Yes, this is a limitation. The ACL authorizer doesn’t currently support named listeners.

I’m not positive that this will work but what happens if you attempt to workaround by overriding listeners like this:

  configOverrides:
    server:
      - "listeners=http://0.0.0.0:9081,https://0.0.0.0:8081"