From df50d93dc1ba3a16cd5ad9b6566a6c12a1b207a0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 09:15:02 +0000 Subject: [PATCH 1/3] Initial plan From 79d5069a8b671514bcfcdc2b63f54a21f8fe476d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 09:19:33 +0000 Subject: [PATCH 2/3] docs: add schema.registry.ca_pem_path option for schema registry (#17826) Co-authored-by: kwannoel <47273164+kwannoel@users.noreply.github.com> --- changelog/release-notes.mdx | 1 + ingestion/formats-and-encoding-options.mdx | 12 ++++++++++++ ingestion/sources/kafka-config.mdx | 1 + 3 files changed, 14 insertions(+) diff --git a/changelog/release-notes.mdx b/changelog/release-notes.mdx index c05961a3..f05e70c6 100644 --- a/changelog/release-notes.mdx +++ b/changelog/release-notes.mdx 
@@ -19,6 +19,7 @@ Support for certain earlier versions will end following the release of v2.8. Ple - Supports TCP keepalive configuration for PostgreSQL Rust sink and JDBC sink connections to prevent silent connection drops. [#24388](https://github.com/risingwavelabs/risingwave/pull/24388) - Iceberg: Enforces merge-on-read for append-only tables to ensure data consistency. [#24487](https://github.com/risingwavelabs/risingwave/pull/24487) - Redshift and Snowflake v2 sinks: Adds new parameters `writer_target_interval_seconds` (alias: `schedule_seconds`) to configure the interval for writing data to the target, and `write_intermediate_interval_seconds` to configure the interval for writing data to intermediate storage. [#23086](https://github.com/risingwavelabs/risingwave/pull/23086) +- Adds a new optional `schema.registry.ca_pem_path` parameter for Confluent Schema Registry connections. Set it to a file path to load a custom root CA certificate, or to `'ignore'` to skip TLS certificate verification (not recommended for production). Supports secret management via `SECRET ... AS FILE`. [#17826](https://github.com/risingwavelabs/risingwave/pull/17826) ## Cluster configuration changes diff --git a/ingestion/formats-and-encoding-options.mdx b/ingestion/formats-and-encoding-options.mdx index 9acbb9b0..c529dc67 100644 --- a/ingestion/formats-and-encoding-options.mdx +++ b/ingestion/formats-and-encoding-options.mdx 
@@ -273,19 +273,31 @@ Parquet sources require case-sensitive column names. However, PostgreSQL convert | FORMAT | ENCODE | Parameter | Description | Required | |:-------|:-------|:----------|:------------|:---------| | PLAIN | AVRO | `schema.registry` | URL(s) of the schema registry. | Yes | +| PLAIN | AVRO | `schema.registry.username` | The username for schema registry. | No | +| PLAIN | AVRO | `schema.registry.password` | The password for schema registry. | No | +| PLAIN | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | UPSERT | AVRO | `schema.registry` | URL(s) of the schema registry. | Yes | +| UPSERT | AVRO | `schema.registry.username` | The username for schema registry. | No | +| UPSERT | AVRO | `schema.registry.password` | The password for schema registry. | No | +| UPSERT | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | AVRO | `schema.registry` | URL(s) of the schema registry. | Yes | +| DEBEZIUM | AVRO | `schema.registry.username` | The username for schema registry. | No | +| DEBEZIUM | AVRO | `schema.registry.password` | The password for schema registry. | No | +| DEBEZIUM | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | AVRO | `message` | The main message name. | Yes | | DEBEZIUM | AVRO | `ignore_key` | Whether to ignore the key (default: false). | No | | PLAIN | JSON | `schema.registry` | URL(s) of the schema registry (optional). 
| No | | PLAIN | JSON | `schema.registry.username` | The username for schema registry (optional). | No | | PLAIN | JSON | `schema.registry.password` | The password for schema registry (optional). | No | +| PLAIN | JSON | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | UPSERT | JSON | `schema.registry` | URL(s) of the schema registry (optional). | No | | UPSERT | JSON | `schema.registry.username` | The username for schema registry (optional). | No | | UPSERT | JSON | `schema.registry.password` | The password for schema registry (optional). | No | +| UPSERT | JSON | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | PLAIN | PROTOBUF | `message` | Fully qualified name of the Protobuf message. | Yes | | PLAIN | PROTOBUF | `schema.location` | URL of the schema file (or schema.registry). | Yes | | PLAIN | PROTOBUF | `schema.registry` | URL(s) of the schema registry (alternative to schema.location). | Yes | +| PLAIN | PROTOBUF | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | JSON | `ignore_key` | Whether to ignore the key (default: false). | No | | PLAIN | CSV | `delimiter` | Delimiter character. | Yes | | PLAIN | CSV | `without_header` | Whether the CSV data has a header row (default: false). | No | diff --git a/ingestion/sources/kafka-config.mdx b/ingestion/sources/kafka-config.mdx index ab183a5b..623e630c 100644 --- a/ingestion/sources/kafka-config.mdx +++ b/ingestion/sources/kafka-config.mdx 
@@ -84,6 +84,7 @@ These parameters are used with `FORMAT` and `ENCODE` to specify how RisingWave s | *schema.registry* | Confluent Schema Registry URL. Example: `http://127.0.0.1:8081`. | | *schema.registry.username* | **Conditional**. User name for the schema registry. It must be specified with `schema.registry.password`. | | *schema.registry.password* | **Conditional**. Password for the schema registry. It must be specified with `schema.registry.username`. | +| *schema.registry.ca_pem_path* | **Optional**. Path to a custom root CA certificate file (PEM format) for the schema registry HTTPS connection. Set to `'ignore'` to disable TLS certificate verification (not recommended for production). Supports secret management via `SECRET ... AS FILE`. | | *access_key* | Required if loading descriptors from S3. The access key ID of AWS. | | *secret_key* | Required if loading descriptors from S3. The secret access key of AWS. | | *region* | Required if loading descriptors from S3. The AWS service region. | From 0f3e5d2bf87b8d9f2e3ecdf1e84bd36b07708682 Mon Sep 17 00:00:00 2001 From: tab Date: Thu, 5 Mar 2026 17:26:46 +0800 Subject: [PATCH 3/3] docs: clarify schema registry auth pairing and protobuf one-of requirements --- ingestion/formats-and-encoding-options.mdx | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/ingestion/formats-and-encoding-options.mdx b/ingestion/formats-and-encoding-options.mdx index c529dc67..fc21f48a 100644 --- a/ingestion/formats-and-encoding-options.mdx +++ b/ingestion/formats-and-encoding-options.mdx 
@@ -273,16 +273,16 @@ Parquet sources require case-sensitive column names. However, PostgreSQL convert | FORMAT | ENCODE | Parameter | Description | Required | |:-------|:-------|:----------|:------------|:---------| | PLAIN | AVRO | `schema.registry` | URL(s) of the schema registry. | Yes | -| PLAIN | AVRO | `schema.registry.username` | The username for schema registry. | No | -| PLAIN | AVRO | `schema.registry.password` | The password for schema registry. | No | +| PLAIN | AVRO | `schema.registry.username` | The username for schema registry. Optional, but if set it must be used together with `schema.registry.password`. | No | +| PLAIN | AVRO | `schema.registry.password` | The password for schema registry. Optional, but if set it must be used together with `schema.registry.username`. | No | | PLAIN | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | UPSERT | AVRO | `schema.registry` | URL(s) of the schema registry. | Yes | -| UPSERT | AVRO | `schema.registry.username` | The username for schema registry. | No | -| UPSERT | AVRO | `schema.registry.password` | The password for schema registry. | No | +| UPSERT | AVRO | `schema.registry.username` | The username for schema registry. Required if `schema.registry.password` is set. | No | +| UPSERT | AVRO | `schema.registry.password` | The password for schema registry. Required if `schema.registry.username` is set. | No | | UPSERT | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | AVRO | `schema.registry` | URL(s) of the schema registry. 
| Yes | -| DEBEZIUM | AVRO | `schema.registry.username` | The username for schema registry. | No | -| DEBEZIUM | AVRO | `schema.registry.password` | The password for schema registry. | No | +| DEBEZIUM | AVRO | `schema.registry.username` | The username for schema registry. Required if `schema.registry.password` is set; configure together with `schema.registry.password`. | No | +| DEBEZIUM | AVRO | `schema.registry.password` | The password for schema registry. Required if `schema.registry.username` is set; configure together with `schema.registry.username`. | No | | DEBEZIUM | AVRO | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | AVRO | `message` | The main message name. | Yes | | DEBEZIUM | AVRO | `ignore_key` | Whether to ignore the key (default: false). | No | 
@@ -295,8 +295,8 @@ Parquet sources require case-sensitive column names. However, PostgreSQL convert | UPSERT | JSON | `schema.registry.password` | The password for schema registry (optional). | No | | UPSERT | JSON | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | PLAIN | PROTOBUF | `message` | Fully qualified name of the Protobuf message. | Yes | -| PLAIN | PROTOBUF | `schema.location` | URL of the schema file (or schema.registry). | Yes | -| PLAIN | PROTOBUF | `schema.registry` | URL(s) of the schema registry (alternative to schema.location). | Yes | +| PLAIN | PROTOBUF | `schema.location` | URL of the schema file (alternative to `schema.registry`). | Yes (one of) | +| PLAIN | PROTOBUF | `schema.registry` | URL(s) of the schema registry (alternative to `schema.location`). | Yes (one of) | | PLAIN | PROTOBUF | `schema.registry.ca_pem_path` | Path to a custom root CA certificate file (PEM) for the schema registry TLS connection, or `'ignore'` to skip certificate verification (not recommended for production). Supports `SECRET ... AS FILE`. | No | | DEBEZIUM | JSON | `ignore_key` | Whether to ignore the key (default: false). | No | | PLAIN | CSV | `delimiter` | Delimiter character. | Yes | @@ -330,4 +330,3 @@ You cannot set this parameter for these three combinations: - `FORMAT DEBEZIUM_MONGO ENCODE JSON` - `FORMAT MAXWELL ENCODE JSON` - `FORMAT CANAL ENCODE JSON` -
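Review bot: In the `changelog/release-notes.mdx` hunk of PATCH 2/3, the added bullet cites #17826 while the neighbouring entries cite #23086, #24388 and #24487, so please confirm that the option first ships in this release. If it shipped earlier, "Adds a new optional" is misleading under this version, and the entry should either move to the release that introduced it or say that the parameter is now documented. The bullet also lacks the component prefix its neighbours carry ("Iceberg:", "Redshift and Snowflake v2 sinks:"); a prefix naming the schema registry would match the list.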
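Review bot: In the `ingestion/formats-and-encoding-options.mdx` hunk of PATCH 2/3, every new `schema.registry.ca_pem_path` row says `'ignore'` is "not recommended for production" without giving the reason, and the same hunk adds `schema.registry.username` and `schema.registry.password` rows directly above it. Suggest stating the consequence once: with verification skipped the registry's certificate is not checked, so those credentials and the schemas returned are exposed to whoever answers the connection. The description is also repeated verbatim in six rows; a single note under the table that the rows point to would be easier to keep in sync.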
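Review bot: In the `ingestion/sources/kafka-config.mdx` hunk of PATCH 2/3, the new row scopes the option to "the schema registry HTTPS connection", but the `schema.registry` row three lines above gives only `http://127.0.0.1:8081` as its example. Suggest adding an `https://` example to that row and saying what happens when `schema.registry.ca_pem_path` is set alongside an `http://` URL. The wording here ("PEM format", "disable TLS certificate verification") also differs from the rows added in `formats-and-encoding-options.mdx` ("(PEM)", "skip certificate verification"); pick one phrasing for both files.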
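Review bot: In the first hunk of PATCH 3/3 (`@@ -273,16 +273,16 @@`), the same pairing rule is worded three different ways: "Optional, but if set it must be used together with" for PLAIN AVRO, "Required if ... is set" for UPSERT AVRO, and "Required if ... is set; configure together with" for DEBEZIUM AVRO, where the second clause repeats the first. A reader comparing rows will assume the formats behave differently. Suggest one sentence reused in all six rows, and applying it to the PLAIN JSON and UPSERT JSON username and password rows too, which still read only "(optional)" in the context lines of the next hunk.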
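Review bot: In the second hunk of PATCH 3/3 (`@@ -295,8 +295,8 @@`), `schema.location` and `schema.registry` become "Yes (one of)", but the unchanged PLAIN PROTOBUF `schema.registry.ca_pem_path` row below them does not say that it applies only when `schema.registry` is the option chosen. Suggest adding that condition to its description. PLAIN PROTOBUF also has no `schema.registry.username` or `schema.registry.password` rows while AVRO and JSON do; if registry authentication is supported for Protobuf, add them with the same pairing note, otherwise state that it is not.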