Allow schema registry to include mTLS certs, proxy and also header for Authorization OAuth Token #268

Open
MohammedQureshi opened this issue Dec 11, 2024 · 5 comments
MohammedQureshi commented Dec 11, 2024

Currently it is not possible to build a request for schema registry and pass in the certs for mTLS, the proxy, and the OAuth token, which is required in some instances. This is possible to do with axios and tunnel, so it would be awesome to add this functionality, or at least open the doors so we can design our own API request but you guys can handle all the other stuff.

Similar to this
https://github.com/kafkajs/confluent-schema-registry/pull/269/files

@kriskw1999 kriskw1999 added the enhancement New feature or request label Dec 20, 2024
@kriskw1999 kriskw1999 self-assigned this Dec 20, 2024
@kriskw1999
Contributor

Hi, I am looking into it. I am figuring out how to implement a couple of tests around such a feature and I will reach out to you when I am done.

I have developed an mTLS registry in a docker-compose and in fact it may be useful.

@kriskw1999
Contributor

For the mTLS part, I was able to connect with mTLS by passing a custom agent to the registry's client with something like this:

```javascript
import { readFileSync } from 'fs'
import path from 'path'
import SchemaRegistry from '../../src/SchemaRegistry'
import { Agent } from 'https'

const cert = readFileSync(path.join(__dirname, './certs/localhost.crt'))
const key = readFileSync(path.join(__dirname, './certs/localhost.key'))
const ca = readFileSync(path.join(__dirname, './certs/ca.crt'))

const registry = new SchemaRegistry({
  host: 'https://localhost:8081',
  agent: new Agent({
    cert,
    ca,
    key,
  }),
})
```

With the custom agent this seems to work well and the registry accepts the certificate without issues from what I can see.
Do you see any particular use case needing to pass it into a middleware? Let me know WDYT 🙏

In theory also the proxy can be handled with the agent. You can find a previous thread on this topic HERE

@kriskw1999 kriskw1999 added the question Further information is requested label Dec 21, 2024
@MohammedQureshi
Author

Hi, thanks for the response. What I found is that it allowed only one thing at a time, but the request I have requires mTLS, proxying the request, and adding an OAuth Bearer token, and I have found it is not possible to add all of these, which limits usage. I am able to add just one, but of course without all 3 it doesn't allow the connection to be made.

@kriskw1999
Contributor

Hi again, have you also tried the https-proxy-agent npm package? It extends Node's Agent, which means it should be compatible with the registry client. It allows a proxy and custom headers, and you can also pass the certificates for mTLS as options.

```javascript
import { HttpsProxyAgent } from 'https-proxy-agent'

const agent = new HttpsProxyAgent('something', {
  ca: '',
  key: '',
  cert: '',
  headers: {
    bearer: 'auth',
  },
})
```

Let me know if this one can cover your case

@MohammedQureshi
Author

Hi, Yes I tried to use this agent first but it did not work with both the certs and proxy
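
An added sketch, not code from this thread or from either project, of how the three requirements discussed above sit on separate layers, using only Node built-ins: proxy credentials go in the cleartext CONNECT request, the client certificate goes in the TLS handshake made over the tunnel, and the bearer token goes in request headers inside that TLS session. `TunnelingMtlsAgent`, `connectHeaders` and `registryHeaders` are hypothetical names; it assumes a plain-HTTP proxy with an explicit port, and how the registry client attaches the `Authorization` header is not shown on this page.

```javascript
// Added example: hypothetical names; assumes an http:// proxy URL with an explicit port.
const http = require('http')
const https = require('https')
const tls = require('tls')

// Layer 1: the CONNECT request is cleartext to the proxy, so only proxy credentials go here.
function connectHeaders(host, port, proxyAuth) {
  const headers = { Host: `${host}:${port}` }
  if (proxyAuth) headers['Proxy-Authorization'] = proxyAuth
  return headers
}

// Layer 3: sent inside the TLS session. Reject whitespace/control characters
// so a malformed token cannot inject extra header lines.
function registryHeaders(token) {
  if (typeof token !== 'string' || !/^[\x21-\x7e]+$/.test(token)) throw new Error('invalid bearer token')
  return { Authorization: `Bearer ${token}` }
}

class TunnelingMtlsAgent extends https.Agent {
  constructor({ proxy, proxyAuth, ...tlsOptions }) {
    super(tlsOptions)
    this.tunnelProxy = new URL(proxy)
    this.tunnelProxyAuth = proxyAuth
    this.registryTls = tlsOptions // cert, key, ca for the registry; verification stays on
  }

  createConnection(options, callback) {
    const { host, port } = options
    const req = http.request({
      host: this.tunnelProxy.hostname,
      port: this.tunnelProxy.port,
      method: 'CONNECT',
      path: `${host}:${port}`,
      headers: connectHeaders(host, port, this.tunnelProxyAuth),
    })
    req.once('error', callback)
    req.once('connect', (res, socket) => {
      if (res.statusCode !== 200) {
        socket.destroy()
        return callback(new Error(`proxy refused CONNECT: ${res.statusCode}`))
      }
      // Layer 2: TLS to the registry over the tunnel, presenting the client certificate.
      callback(null, tls.connect({ ...this.registryTls, socket, servername: options.servername }))
    })
    req.end()
  }
}
```

Keeping the bearer token out of `connectHeaders` means the proxy never sees it, and leaving `rejectUnauthorized` at its default keeps the registry's certificate checked against `ca`.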
