Connect to External Schema Registry

This page describes how to connect the agent to an external schema registry, including registries with authentication enabled.

When schema validation is enabled, the agent must be connected to a schema registry so that it can fetch the schemas used to validate data.

To allow the agent to connect to a schema registry, set the -schemaRegistryURL flag to the URL of the schema registry. Alternatively, set the WARPSTREAM_SCHEMA_REGISTRY_URL environment variable.

Authentication

Most schema registry implementations support some form of authentication. WarpStream supports connecting to external schema registries with mTLS, TLS, or basic authentication.

Basic Authentication

For basic authentication, supply the username and password as follows:

  • Set the -externalSchemaRegistryBasicAuthUsername flag to the username of the schema registry. Alternatively, set the WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_BASIC_AUTH_USERNAME environment variable.

  • Set the -externalSchemaRegistryBasicAuthPassword flag to the password of the schema registry. Alternatively, set the WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_BASIC_AUTH_PASSWORD environment variable.

TLS/mTLS

For mTLS, the agent needs both a certificate and a private key to enable the schema registry server to authenticate the agent.

You can use the -externalSchemaRegistryTlsClientCertFile and -externalSchemaRegistryTlsClientPrivateKeyFile flags to pass in the file paths to the agent certificate and private key, respectively. Alternatively, you can use the WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_CLIENT_CERT_FILE and WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_CLIENT_PRIVATE_KEY_FILE environment variables.

For TLS and mTLS, you can optionally add a file path to the root certificate authority certificate file which the Agent will use to verify the schema registry server's certificate. Use the -externalSchemaRegistryTlsServerCACertFile flag, or the WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_SERVER_CA_CERT_FILE environment variable.
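
A preflight check for the basic authentication and TLS/mTLS settings described above, to run before the agent starts. This is an added example, not WarpStream's own code: check_registry_env is a hypothetical helper, and it assumes the registry URL uses the https:// scheme whenever credentials or a client certificate are configured.

```shell
# Added example: validates the environment variables named on this page.
# check_registry_env is a hypothetical helper, not part of WarpStream.
check_registry_env() {
    rc=0
    url=${WARPSTREAM_SCHEMA_REGISTRY_URL:-}
    user=${WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_BASIC_AUTH_USERNAME:-}
    pass=${WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_BASIC_AUTH_PASSWORD:-}
    cert=${WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_CLIENT_CERT_FILE:-}
    key=${WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_CLIENT_PRIVATE_KEY_FILE:-}
    ca=${WARPSTREAM_EXTERNAL_SCHEMA_REGISTRY_TLS_SERVER_CA_CERT_FILE:-}
    fail() { echo "schema registry config: $1" >&2; rc=1; }

    [ -n "$url" ] || fail "WARPSTREAM_SCHEMA_REGISTRY_URL is not set"

    # Basic auth needs both halves; the credentials are only protected in transit by TLS.
    if [ -n "$user" ] || [ -n "$pass" ]; then
        { [ -n "$user" ] && [ -n "$pass" ]; } || fail "basic auth needs both username and password"
        case $url in https://*) ;; *) fail "basic auth configured with a non-https URL" ;; esac
    fi

    # mTLS needs the client certificate and its private key together.
    if [ -n "$cert" ] || [ -n "$key" ]; then
        { [ -n "$cert" ] && [ -n "$key" ]; } || fail "mTLS needs both client certificate and private key"
        case $url in https://*) ;; *) fail "client certificate configured with a non-https URL" ;; esac
    fi

    # Every configured file must be readable by the user the agent runs as.
    for f in "$cert" "$key" "$ca"; do
        [ -z "$f" ] || [ -r "$f" ] || fail "cannot read $f"
    done

    # The private key should carry no group or other permission bits.
    if [ -n "$key" ] && [ -e "$key" ]; then
        perms=$(ls -ld "$key" | cut -c5-10)
        [ "$perms" = "------" ] || fail "private key $key is accessible to group or other"
    fi
    return $rc
}
```

The function returns non-zero and prints each problem to stderr, so it can gate the agent's start in an entrypoint script.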
