|
| 1 | +# General Technical Review - Apicurio Registry / Sandbox |
| 2 | + |
| 3 | +- **Project:** Apicurio Registry |
| 4 | +- **Project Version:** 3.1.7 (latest stable), 3.2.0-SNAPSHOT (development) |
| 5 | +- **Website:** https://www.apicur.io/registry |
| 6 | +- **Date Updated:** 2026-02-26 |
| 7 | +- **Template Version:** v1.0 |
| 8 | +- **Description:** Open-source API and Schema registry for governing schemas, API definitions, and AI agent artifacts in cloud-native environments. |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +## Day 0 - Planning Phase |
| 13 | + |
| 14 | +### Scope |
| 15 | + |
| 16 | +**Describe the roadmap process, how scope is determined for mid to long term features, as well as how the roadmap maps back to current contributions and maintainer ladder?** |
| 17 | + |
| 18 | +The roadmap is maintained as a [GitHub Project board](https://github.com/orgs/Apicurio/projects/22/views/1). Feature scope is determined through a combination of: |
| 19 | +- Community feedback via GitHub issues and discussions |
| 20 | +- Production requirements from downstream distributions (Red Hat build of Apicurio Registry, IBM Event Streams) |
| 21 | +- Alignment with CNCF ecosystem standards (xRegistry specification, CloudEvents) |
| 22 | +- Maintainer consensus during regular planning sessions |
| 23 | + |
| 24 | +Contributors can progress through the maintainer ladder by consistently contributing quality code, reviews, and community engagement. The current maintainers are listed in the [project pom.xml](https://github.com/Apicurio/apicurio-registry/blob/main/pom.xml#L27-L69). |
| 25 | + |
| 26 | +**Describe the target persona or user(s) for the project?** |
| 27 | + |
| 28 | +- **Platform engineers** who operate schema and API registries as shared infrastructure for development teams |
| 29 | +- **Application developers** who produce and consume schemas/APIs in microservices and event-driven architectures |
| 30 | +- **Data engineers** who manage schema evolution in streaming data pipelines (Kafka, Pulsar, NATS) |
| 31 | +- **API architects** who govern API design standards and compatibility across an organization |
| 32 | +- **AI/ML engineers** who manage agent cards, prompt templates, and model schemas in AI-native applications |
| 33 | + |
| 34 | +**Explain the primary use case for the project. What additional use cases are supported by the project?** |
| 35 | + |
| 36 | +**Primary use case — Schema Registry:** Central management of serialization schemas (Avro, Protobuf, JSON Schema) for event-driven architectures. Producers and consumers resolve schemas at runtime via the registry, decoupling schema lifecycle from application deployment. The registry enforces compatibility rules to prevent breaking changes. |
| 37 | + |
| 38 | +**Additional use cases:** |
| 39 | +- **API Registry:** Store and govern API definitions (OpenAPI, AsyncAPI, GraphQL) with versioning, validation, and auto-generated documentation. |
| 40 | +- **AI Agent Registry:** Store and discover A2A Agent Cards, MCP prompt templates, and LLM model schemas with the same governance guarantees as traditional schemas. |
| 41 | +- **Contract testing:** Enforce compatibility rules between service versions to enable independent deployment. |
| 42 | +- **Schema evolution governance:** Multi-level rules (global, group, artifact) for validity, compatibility, and integrity enforcement. |
| 43 | +- **Migration from proprietary registries:** Confluent Schema Registry API compatibility (v7/v8) enables drop-in replacement. |
| 44 | + |
| 45 | +**Explain which use cases have been identified as unsupported by the project.** |
| 46 | + |
| 47 | +- General-purpose artifact storage (use OCI registries or Artifact Hub instead) |
| 48 | +- Container image registry (use Harbor or similar) |
| 49 | +- Service mesh configuration management |
| 50 | +- API gateway functionality (routing, rate limiting, etc.) |
| 51 | +- Runtime schema enforcement at the network level (the registry provides schemas; enforcement is the responsibility of serializer/deserializer libraries or application code) |
| 52 | + |
| 53 | +**Describe the intended types of organizations who would benefit from adopting this project.** |
| 54 | + |
| 55 | +- Organizations operating event-driven microservices architectures with Apache Kafka, Pulsar, or NATS |
| 56 | +- Financial services, telecommunications, and e-commerce companies with strict schema evolution requirements |
| 57 | +- Platform engineering teams providing shared developer infrastructure |
| 58 | +- Organizations migrating from proprietary schema registries (Confluent, AWS Glue, Azure Schema Registry) to open-source alternatives |
| 59 | +- AI-native organizations managing agent ecosystems with governance requirements |
| 60 | + |
| 61 | +**Please describe any completed end user research and link to any reports.** |
| 62 | + |
| 63 | +Community feedback is gathered through GitHub issues, discussions, and direct engagement at conferences (KubeCon, DevNation). The project roadmap reflects production requirements from downstream distributions that serve enterprise customers across financial services, telecommunications, and technology sectors. |
| 64 | + |
| 65 | +### Usability |
| 66 | + |
| 67 | +**How should the target personas interact with your project?** |
| 68 | + |
| 69 | +- **Web UI:** Browse, search, create, and manage artifacts, versions, groups, and rules through a React-based web application built with PatternFly. |
| 70 | +- **REST API:** Full CRUD operations via the Registry v3 REST API. OpenAPI specification available at `/apis/registry/v3`. |
| 71 | +- **Client SDKs:** Java, Go, and TypeScript SDKs generated from the OpenAPI spec via Kiota. |
| 72 | +- **CLI:** Command-line interface for scripting and automation. |
| 73 | +- **Serializer/Deserializer libraries:** Transparent schema resolution integrated into Kafka, Pulsar, and NATS client libraries. |
| 74 | +- **Maven plugin:** Schema registration and download as part of the build process. |
| 75 | +- **Kubernetes operator:** Declarative deployment and lifecycle management via CRDs. |
| 76 | +- **MCP Server:** AI/LLM tools can interact with the registry via the Model Context Protocol. |
| 77 | + |
| 78 | +**Describe the user experience (UX) and user interface (UI) of the project.** |
| 79 | + |
| 80 | +The web UI provides: |
| 81 | +- Dashboard with global artifact and rule overview |
| 82 | +- Artifact browser with search, filtering by group/type/labels, and pagination |
| 83 | +- Artifact detail view with version history, metadata, content viewer/editor, and rule configuration |
| 84 | +- Group management for organizing artifacts |
| 85 | +- API design editing (integrated from the former Apicurio Studio project) |
| 86 | +- Role-based access control reflected in the UI when authentication is enabled |
| 87 | + |
| 88 | +The UI is built with React 19, PatternFly v6, and deployed as a separate container or served from the main application. |
| 89 | + |
| 90 | +**Describe how this project integrates with other projects in production environments.** |
| 91 | + |
| 92 | +- **Apache Kafka / Strimzi:** Schema registry for Kafka topics; KafkaSQL storage backend using Kafka itself as the data store |
| 93 | +- **Pulsar / NATS:** Schema resolution via dedicated serdes libraries |
| 94 | +- **Kubernetes:** Operator for lifecycle management; KubernetesOps storage variant for managing artifacts as ConfigMaps ([#7400](https://github.com/Apicurio/apicurio-registry/pull/7400)) |
| 95 | +- **CI/CD pipelines:** Maven plugin for schema registration during builds |
| 96 | +- **OpenTelemetry:** Distributed tracing and metrics export |
| 97 | +- **OIDC providers:** Keycloak, Azure Entra ID, Okta for authentication |
| 98 | +- **CloudEvents:** The registry can be extended to support CloudEvents as an artifact type |
| 99 | + |
| 100 | +### Design |
| 101 | + |
| 102 | +**Explain the design principles and best practices the project follows.** |
| 103 | + |
| 104 | +- **Single responsibility:** The registry manages artifact metadata, versioning, and governance. It does not enforce schemas at runtime — that responsibility belongs to serdes libraries and application code. |
| 105 | +- **Pluggable storage:** Storage is abstracted behind the `RegistryStorage` interface. Implementations exist for SQL (PostgreSQL, H2, MSSQL, MySQL), KafkaSQL, and GitOps. |
| 106 | +- **Decorator pattern:** Storage implementations use a decorator chain for cross-cutting concerns (logging, metrics, authorization) without coupling them to storage logic. |
| 107 | +- **API-first:** The REST API is defined via OpenAPI and client SDKs are generated from it. |
| 108 | +- **Configuration via environment variables:** Following 12-factor app principles, all configuration is externalized. |
| 109 | +- **Upstream-first development:** All features are developed in the open-source project before being incorporated into downstream products. |
| 110 | + |
| 111 | +**Outline or link to the project's architecture requirements.** |
| 112 | + |
| 113 | +Architecture documentation: https://www.apicur.io/registry/docs/apicurio-registry/3.0.x/index.html |
| 114 | + |
| 115 | +The application is a single Quarkus-based Java application: |
| 116 | +- **Minimum requirements:** 512MB RAM, 1 CPU core (development/PoC) |
| 117 | +- **Production requirements:** 1-2GB RAM, 2+ CPU cores, external PostgreSQL or Kafka cluster |
| 118 | +- **Storage:** No local persistent storage required — all state is in the configured storage backend |
| 119 | + |
| 120 | +**Define any specific service dependencies the project relies on in the cluster.** |
| 121 | + |
| 122 | +- **PostgreSQL** (for SQL storage mode) — any PostgreSQL 12+ instance |
| 123 | +- **Apache Kafka** (for KafkaSQL storage mode) — any Kafka 3.x cluster |
| 124 | +- **Git repository** (for GitOps storage mode) |
| 125 | +- **OIDC provider** (optional, for authentication) — Keycloak, Azure Entra ID, Okta, or any OIDC-compliant provider |
| 126 | + |
| 127 | +For development/testing, an in-memory H2 database is used with no external dependencies. |
| 128 | + |
| 129 | +**Describe how the project implements Identity and Access Management.** |
| 130 | + |
| 131 | +Apicurio Registry supports OIDC-based authentication via Quarkus OIDC, compatible with any OpenID Connect provider (Keycloak, Azure Entra ID, Okta, etc.). Authorization is role-based with three built-in roles: |
| 132 | +- **sr-admin:** Full administrative access |
| 133 | +- **sr-developer:** Create, read, update artifacts |
| 134 | +- **sr-readonly:** Read-only access |
| 135 | + |
| 136 | +Roles are mapped from OIDC token claims (configurable). Owner-based authorization can optionally restrict modification of artifacts to their creators. When authentication is disabled (default for development), all operations are permitted. |
| 137 | + |
| 138 | +**Describe how the project has addressed sovereignty.** |
| 139 | + |
| 140 | +Apicurio Registry is fully self-hosted — all data remains within the deployer's infrastructure. There are no external service calls, telemetry, or data exfiltration. The choice of storage backend (PostgreSQL, Kafka, GitOps) gives deployers full control over data residency and jurisdiction. |
| 141 | + |
| 142 | +**Describe any compliance requirements addressed by the project.** |
| 143 | + |
| 144 | +The project does not target specific compliance frameworks directly but enables compliance through: |
| 145 | +- Audit logging of all operations |
| 146 | +- Role-based access control |
| 147 | +- Version immutability (non-draft versions cannot be modified) |
| 148 | +- Data sovereignty (fully self-hosted, no external dependencies) |
| 149 | + |
| 150 | +**Describe the project's High Availability requirements.** |
| 151 | + |
| 152 | +Apicurio Registry is stateless (all state in the storage backend), enabling horizontal scaling: |
| 153 | +- **SQL mode:** Multiple registry instances behind a load balancer, sharing a PostgreSQL database |
| 154 | +- **KafkaSQL mode:** Multiple instances sharing a Kafka topic, with each instance maintaining a local materialized view. Kafka provides the durability guarantees. |
| 155 | +- **GitOps mode:** Multiple instances reading from the same Git repository |
| 156 | + |
| 157 | +HA for the storage backend itself (PostgreSQL replication, Kafka cluster) is outside the registry's scope. |
| 158 | + |
| 159 | +**Describe the project's resource requirements, including CPU, Network and Memory.** |
| 160 | + |
| 161 | +| Environment | CPU | Memory | Network | |
| 162 | +|---|---|---|---| |
| 163 | +| Development (H2) | 1 core | 512MB | Loopback only | |
| 164 | +| Production (SQL) | 2+ cores | 1-2GB | Access to PostgreSQL | |
| 165 | +| Production (KafkaSQL) | 2+ cores | 1-2GB | Access to Kafka cluster | |
| 166 | +| Production (high traffic) | 4+ cores | 2-4GB | Load balancer, storage backend | |
| 167 | + |
| 168 | +**Describe the project's storage requirements, including its use of ephemeral and/or persistent storage.** |
| 169 | + |
| 170 | +The application itself requires **no persistent local storage**. All state is stored in the configured backend: |
| 171 | +- **SQL:** PostgreSQL database (schema auto-created on startup) |
| 172 | +- **KafkaSQL:** Kafka topics (auto-created or pre-provisioned) |
| 173 | +- **GitOps:** Git repository |
| 174 | + |
| 175 | +Temporary/ephemeral storage is used only for JVM temp files and logging. |
| 176 | + |
| 177 | +**Please outline the project's API Design:** |
| 178 | + |
| 179 | +*Describe the project's API topology and conventions:* |
| 180 | +The primary API is the Registry v3 REST API, a RESTful JSON API following standard HTTP conventions (GET/POST/PUT/DELETE, standard status codes, JSON request/response bodies). The API is organized hierarchically: Groups > Artifacts > Versions. An OpenAPI 3.0 specification is published and available at runtime at `/apis/registry/v3`. |
| 181 | + |
| 182 | +Additionally, the project implements the Confluent Schema Registry API (v7 and v8) at `/apis/ccompat/v7` and `/apis/ccompat/v8` for drop-in compatibility with existing Kafka ecosystems. |
| 183 | + |
| 184 | +*Describe the project defaults:* |
| 185 | +- In-memory H2 storage (development mode) |
| 186 | +- No authentication (development mode) |
| 187 | +- All content rules disabled |
| 188 | +- CORS enabled for localhost origins |
| 189 | + |
| 190 | +*Outline any additional configurations from default to make reasonable use of the project:* |
| 191 | +- Configure a persistent storage backend (`apicurio.storage.kind=sql` or `kafkasql`) |
| 192 | +- Enable OIDC authentication for production |
| 193 | +- Configure global validity and compatibility rules |
| 194 | +- Set up TLS termination (typically via ingress/load balancer) |
| 195 | + |
| 196 | +*Describe compatibility of any new or changed APIs with API servers, including the Kubernetes API server:* |
| 197 | +The Registry v3 API does not interact with the Kubernetes API server. The Kubernetes operator uses standard CRDs for registry deployment and lifecycle management. The KubernetesOps storage variant ([#7400](https://github.com/Apicurio/apicurio-registry/pull/7400)) reads artifacts from Kubernetes ConfigMaps using a read-only polling model, following the same proven pattern as the GitOps storage backend. |
| 198 | + |
| 199 | +*Describe versioning of any new or changed APIs, including how breaking changes are handled:* |
| 200 | +The REST API is versioned (v2, v3). Breaking changes are only introduced in major versions. The v2 API remains available for backward compatibility. Deprecation notices are published in release notes at least one major version before removal. |
| 201 | + |
| 202 | +**Describe the project's release processes, including major, minor and patch releases.** |
| 203 | + |
| 204 | +- **Patch releases (3.1.x):** Monthly cadence, bug fixes and dependency updates. No breaking changes. |
| 205 | +- **Minor releases (3.x.0):** Feature releases, approximately every 6 months. May include new APIs or artifact types but no breaking changes to existing APIs. |
| 206 | +- **Major releases (x.0.0):** May include breaking API changes. Migration guides are published. Previous major version APIs remain available for a transition period. |
| 207 | + |
| 208 | +Releases are published to Maven Central, Docker Hub (`apicurio/apicurio-registry`), and Quay.io. Release notes are published on GitHub. |
| 209 | + |
| 210 | +### Installation |
| 211 | + |
| 212 | +**Describe how the project is installed and initialized.** |
| 213 | + |
| 214 | +**Container (simplest):** |
| 215 | +```bash |
| 216 | +docker run -it -p 8080:8080 apicurio/apicurio-registry:latest-snapshot |
| 217 | +``` |
| 218 | + |
| 219 | +**Kubernetes (operator):** |
| 220 | +Deploy the operator via OLM or Helm, then create an `ApicurioRegistry` custom resource specifying the desired storage backend and configuration. |
| 221 | + |
| 222 | +**Kubernetes (direct):** |
| 223 | +Deploy the container image with appropriate environment variables for storage configuration, optionally with a `Service`, `Ingress`, and `ConfigMap`. |
| 224 | + |
| 225 | +**Development:** |
| 226 | +```bash |
| 227 | +./mvnw clean install -DskipTests && cd app && ../mvnw quarkus:dev |
| 228 | +``` |
| 229 | + |
| 230 | +**How does an adopter test and validate the installation?** |
| 231 | + |
| 232 | +- Health endpoint: `GET /health/ready` returns 200 when the application is ready |
| 233 | +- Liveness endpoint: `GET /health/live` |
| 234 | +- System info: `GET /apis/registry/v3/system/info` returns version and configuration |
| 235 | +- Create a test artifact via the REST API or web UI |
| 236 | +- Run the provided integration test suite against the deployment |
| 237 | + |
| 238 | +### Security |
| 239 | + |
| 240 | +**Please provide a link to the project's cloud native security self assessment.** |
| 241 | + |
| 242 | +A formal CNCF security self-assessment has not yet been completed. We plan to complete one as part of the Sandbox onboarding process. |
| 243 | + |
| 244 | +**Security Hygiene:** |
| 245 | + |
| 246 | +- Dependencies are managed via Renovate with automated PRs for updates |
| 247 | +- The project uses Quarkus's built-in security framework for OIDC, RBAC, and CORS |
| 248 | +- Container images are based on Red Hat UBI (Universal Base Image) minimal images |
| 249 | +- The CI pipeline runs Checkstyle and linting on every PR |
| 250 | +- GitHub Security Advisories are used for vulnerability disclosure |
| 251 | + |
| 252 | +**Cloud Native Threat Modeling:** |
| 253 | + |
| 254 | +*Explain the least minimal privileges required by the project:* |
| 255 | +- The application runs as a non-root user in the container |
| 256 | +- Requires network access to the storage backend (PostgreSQL/Kafka) and optionally an OIDC provider |
| 257 | +- No cluster-wide Kubernetes permissions required for the application itself (the operator requires namespace-scoped permissions for managing deployments) |
| 258 | + |
| 259 | +*Describe how the project handles certificate rotation:* |
| 260 | +TLS termination is typically handled by the ingress controller or load balancer. The application supports TLS configuration via Quarkus properties for direct TLS termination. Certificate rotation is handled by the deployer's infrastructure (cert-manager, etc.). |
| 261 | + |
| 262 | +*Describe how the project implements secure software supply chain best practices:* |
| 263 | +- All releases are built in CI (GitHub Actions) with reproducible builds |
| 264 | +- Container images are published to Docker Hub and Quay.io with digest-based references |
| 265 | +- Maven artifacts are published to Maven Central with GPG signatures |
| 266 | +- The project uses a `pom.xml`-based dependency management with explicit version pinning |
0 commit comments