Fix kafka auth tls config

cert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIUTsdR5JCRLZx8gNn5/Hc4Lle9pB8wDQYJKoZIhvcNAQEL
+BQAwdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJh
+bmNpc2NvMREwDwYDVQQKDAhLZXljbG9hazEtMCsGA1UEAwwkc2ltcGxlLWtleWNs
+b2FrLmFwcHMuY2x1c3Rlci5leGFtcGxlMB4XDTI1MDEzMTA3MjI1MVoXDTI2MDEz
+MTA3MjI1MVowdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1T
+YW4gRnJhbmNpc2NvMREwDwYDVQQKDAhLZXljbG9hazEtMCsGA1UEAwwkc2ltcGxl
+LWtleWNsb2FrLmFwcHMuY2x1c3Rlci5leGFtcGxlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAq1Kouy7RTmfigX8pfgItDoqAZtBxQmXl8yqLsfNIabcy
+mFWDptAeZQErGMOjDozSPbfPacTBRr/CBtOhNpGxojMN7F9gH0aZDQfNmxD5lBJb
+RIKD6pcvSeS5fkP+GKtp0wtfjTG27kA41+K0uYuVOAHDDweEOjQIiuUX40yZilkx
+xk9Tatz0BgptUW6WLY1MYYfju0wHdfMf1oGbDBuX8lCGF+vHWpyEARjfYBrxKGYa
+UW+9Isui2YnOXIDyCDZngP1ctmt+jc7JZCPZdAkPS2I8w/WLLmQetryvnSdd+Run
+vIPhaEvaWV018tvOA24j8sRTm1T7NPjvFQoDJacb9QIDAQABo4GHMIGEMGMGA1Ud
+EQRcMFqCJHNpbXBsZS1rZXljbG9hay5hcHBzLmNsdXN0ZXIuZXhhbXBsZYIIa2V5
+Y2xvYWuCDGtleWNsb2FrLnN2Y4Iaa2V5Y2xvYWsuc3ZjLmNsdXN0ZXIubG9jYWww
+HQYDVR0OBBYEFKnx5Hc6DfUqIaXc2fvq6FbVG6WPMA0GCSqGSIb3DQEBCwUAA4IB
+AQAMEcYAgL7T1IQdG12pnvwDP1rcNeIGdPgZlVlmXvvM57MGHVP06D2SkbyAiQlQ
+r6Ohze4oS+9VcrkqAqoo2H3/fPT/dFLywqrXW47bs/7aEtD7bGnfwCkgS2mhn4ZK
+9vpWRrrKQ4ZAG8YG4rJFbsaMNAhMB/joUjjLh60RoQnDdWmyhAbl07ARzCQwuv8M
+DvpzrMi/U8nBFlvUPReIpsejj9HAyyfRBv2dJwSZGLxFOb2flSIxSC8aaaJ8NQmD
+TZeZInxtUvHwEnnH0u5pB3wE+u8NklGSu7Xo3ctK+9q4Cb51vGapwd6dhtjnmlmx
+gg82StaL1n9k01Rhu9keXA3J
+-----END CERTIFICATE-----

operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java

@@ -23,12 +23,11 @@ public class EnvironmentVariables {
 
     // KafkaSQL oauth
     public static final String APICURIO_KAFKASQL_SECURITY_SASL_ENABLED = "APICURIO_KAFKASQL_SECURITY_SASL_ENABLED";
-    public static final String APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL = "APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL";
     public static final String APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM = "APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM";
-    public static final String APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID = "APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID";
+    public static final String APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID = "APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID";
     public static final String APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET = "APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET";
-    public static final String APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT = "APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT";
-    public static final String APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS = "APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS";
+    public static final String APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT = "APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT";
+    public static final String APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS = "APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS";
 
     // Auth related environment variables
     public static final String APICURIO_REGISTRY_AUTH_ENABLED = "QUARKUS_OIDC_TENANT_ENABLED";
@@ -37,10 +36,9 @@ public class EnvironmentVariables {
     public static final String APICURIO_UI_AUTH_OIDC_REDIRECT_URI = "APICURIO_UI_AUTH_OIDC_REDIRECT_URI";
     public static final String APICURIO_UI_AUTH_OIDC_LOGOUT_URL = "APICURIO_UI_AUTH_OIDC_LOGOUT_URL";
     public static final String APICURIO_REGISTRY_AUTH_SERVER_URL = "QUARKUS_OIDC_AUTH_SERVER_URL";
-    public static final String OIDC_TLS_VERIFICATION = "QUARKUS_OIDC_TLS_VERIFICATION";
-    public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE";
-    public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD";
-
+    public static final String OIDC_TLS_VERIFICATION = "OIDC_TLS_VERIFICATION";
+    public static final String QUARKUS_TLS_TRUST_STORE_P12_PATH = "QUARKUS_TLS_TRUST_STORE_P12_PATH";
+    public static final String QUARKUS_TLS_TRUST_STORE_P12_PASSWORD = "QUARKUS_TLS_TRUST_STORE_P12_PASSWORD";
     public static final String APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED = "APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED";
     public static final String APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION = "APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION";
     public static final String APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED = "APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED";

operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSql.java

@@ -12,6 +12,7 @@
 
 import java.util.Map;
 
+import static io.apicurio.registry.operator.EnvironmentVariables.KAFKASQL_SECURITY_PROTOCOL;
 import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
 import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.addEnvVar;
 import static io.apicurio.registry.operator.utils.Utils.isBlank;
@@ -25,7 +26,7 @@ public class KafkaSql {
     public static String ENV_KAFKASQL_BOOTSTRAP_SERVERS = "APICURIO_KAFKASQL_BOOTSTRAP_SERVERS";
 
     public static void configureKafkaSQL(ApicurioRegistry3 primary, Deployment deployment,
-            Map<String, EnvVar> env) {
+                                         Map<String, EnvVar> env) {
         ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getApp).map(AppSpec::getStorage)
                 .map(StorageSpec::getKafkasql).ifPresent(kafkasql -> {
                     if (!isBlank(kafkasql.getBootstrapServers())) {
@@ -34,14 +35,30 @@ public static void configureKafkaSQL(ApicurioRegistry3 primary, Deployment deplo
                         addEnvVar(env, new EnvVarBuilder().withName(ENV_KAFKASQL_BOOTSTRAP_SERVERS)
                                 .withValue(kafkasql.getBootstrapServers()).build());
 
-                        if (KafkaSqlTLS.configureKafkaSQLTLS(primary, deployment, REGISTRY_APP_CONTAINER_NAME,
-                                env)) {
+                        boolean sslConfigured = KafkaSqlTLS.configureKafkaSQLTLS(primary, deployment, REGISTRY_APP_CONTAINER_NAME,
+                                env);
+
+                        boolean oAuthConfigured = KafkaSqlAuth.configureKafkaSQLOauth(primary,
+                                env);
+
+                        if (sslConfigured) {
                             log.info("KafkaSQL storage with TLS security configured.");
                         }
 
-                        if (KafkaSqlAuth.configureKafkaSQLOauth(primary, env)) {
+                        if (oAuthConfigured) {
                             log.info("KafkaSQL storage with Oauth security configured.");
                         }
+
+                        // Set the security protocol
+                         if (sslConfigured) {
+                            if (oAuthConfigured) {
+                                addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SASL_SSL");
+                            } else {
+                                addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SSL");
+                            }
+                        } else if (oAuthConfigured) {
+                            addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SASL_PLAINTEXT");
+                        }
                     }
                 });
     }

operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlAuth.java

@@ -29,17 +29,15 @@ public static boolean configureKafkaSQLOauth(ApicurioRegistry3 primary, Map<Stri
                 .orElse(null), "client-secret");
 
         if (clientSecret.isValid()) {
-
             getKafkaSqlAuthSpec(primary)
                     .filter(KafkaSqlAuthSpec::getEnabled)
                     .ifPresent(kafkaSqlAuthSpec -> {
-                        addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL, kafkaSqlAuthSpec.getProtocol());
                         addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_ENABLED, kafkaSqlAuthSpec.getEnabled().toString());
                         addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM, kafkaSqlAuthSpec.getMechanism());
-                        addEnvVar(env, APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID, kafkaSqlAuthSpec.getClientId());
+                        addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID, kafkaSqlAuthSpec.getClientId());
                         addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET, new SecretKeyRefTool(kafkaSqlAuthSpec.getClientSecretRef(), "client-secret").getSecretVolumeKeyPath());
-                        addEnvVar(env, APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT, kafkaSqlAuthSpec.getTokenEndpoint());
-                        addEnvVar(env, APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS, kafkaSqlAuthSpec.getLoginHandlerClass());
+                        addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT, kafkaSqlAuthSpec.getTokenEndpoint());
+                        addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS, kafkaSqlAuthSpec.getLoginHandlerClass());
                     });
 
             return true;

operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlTLS.java

@@ -44,9 +44,6 @@ public static boolean configureKafkaSQLTLS(ApicurioRegistry3 primary, Deployment
         boolean configured = false;
 
         if (truststore.isValid() && truststorePassword.isValid()) {
-
-            addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SSL");
-
             // ===== Truststore
 
             addEnvVar(env, KAFKASQL_SSL_TRUSTSTORE_TYPE, "PKCS12");

operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml

@@ -3158,7 +3158,7 @@ kind: Secret
 metadata:
   name: keycloak-truststore
 data:
-  truststore: MIILIAIBAzCCCtYGCSqGSIb3DQEHAaCCCscEggrDMIIKvzCCBQoGCSqGSIb3DQEHBqCCBPswggT3AgEAMIIE8AYJKoZIhvcNAQcBMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBDn4CIMajvaNozhj/sL9kKiAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQOglKxdNL07e7TsHpFzm+ooCCBIA58+CNnYjvMf+A1QgOXKAhmPahQ+r801Z4j5fYejxXzahxdxNqdmWoalOqyn44b1QzuyRILta79ZKzivGnON9KQo6GhvoIjTi45qqxYt4Lju+4UJiTdVpS8WH29sVIWdtoOGNZ1RvjqBI4Y4a/F7k+606MCaK+oNUtyoT3sl84bzebICxdfackE26ePg7z5d8wnFLozQUpydz1X9B2r3iPgBlnTep6BWQ1/nQ+VzwmXGkIpFtlfYFgeyAyzcYeVbnd1OsHpH/rLbCwZ+xW/aP0CBWzdJ2aXImr0lePjvi6SPM+wiKrPU1JWjIWswbcpjhFS3Bpkj6j5UXAP7dx67tMvoqruQJ8OnhI6rFg8vvJkla6cndeG8dkQtOYVBnl3RSEUggyXr8QGGdNRHDsjfF/RmQaAM3ozrOTCGylr7BzvG7xH+dYEJ1bVSSsXcQsYMplDkhfH7sLtOJLD+4PqOpHDxmCqQxGt+tLupKiDgHj1AMkpxzwBpgwjGFPO3jhH8NYkAaLfDt+ES8iCuBszhZejYtMDN6HS8Dvm+tPcn5uIpUrwfCZ59yu6UqNWMDVv65yvaneGTfnAjGdDvOdPyvCBpgZ/5iQofpwcUcuN7ZVK8X9+CrCVNVvKKNX10MJz0MuqG2AolbrQPW3W6G0KrYps1P1QiGcmbOx8QoxSDbMVWigwRiAprE0/YFFwLpgNm5Bl6vjfEyjUtdTJVaiI26iH2IXoR9qUBXczic83Lpo30ySrvBWr6g77y+Ib35VdxMBEKZoTtqO6q/HnsqK5tPsAostQkWsLtuyLIwVC4WnaaaXcAPAQs/6Z8R4TCSxdyjqoqouRB1aE0Loe7eoDDhHsik0C3GBa9MX2tzSs9CTih+2EvOQ6WBC0XWTfkICXMduZBg4FbuB4jlqRnm9Adi6Eu3Laa0LeQe+8FUN+cQcFu3G14XgHVtkpj65OXqYZpsUcxyRVsZ/QgbNpTV6bUimj8NaMMnshdMXp22bgH0qFXa0iKIgUG9xQdSuutKokcbuQK9M8IF7UtO/A38gPxRf2FJHN/l8nKaaYH68vfFNFpYlfgm5vY/E5OHATIqPZmP3he0Bj8oHx1Zzj/HaNM092c8amHtWgrKWJ76gq734yBTFp7cBkUhwoThCtIC4RNRwbQcL2lsTYp7iAJ1Oh++cg+70E/eGJSdgwIDhJxDgnp3CiR8TPYL3yTvqozpYSikLsBd3LPCkZobYq/K5rXQCB3y5bY+8LI2e4/GzqTR4q1tvyQ+7yP9Em7MdA5ohXycrYOTIRwpe8I4oEZ/aybfHQixy3N00YEehpbMePms3F4OQDNEJMrE/u0Gqg9T4xX196MMIFFth4o42N5dDi9997mxeLPWmGV1k82GNvJYCAgM4W+QUbqUbtNFvUaK/w60KPPkHZK3A/N91B0HX6OMOF++2/owJJwytyZgWZY6Fp01NFbag7H6K4QbArqsiyNT8DSymmsR76BeDLkyQI5gddZ2plbDPX1JGzcom7/ANjjLuiJ++/JDMxWE1XJvbQC4wggWtBgkqhkiG9w0BBwGgggWeBIIFmjCCBZYwggWSBgsqhkiG9w0BDAoBAqCCBTkwggU1MF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBDetqzZxOvqJumSDz2EX/2/AgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQtEVpQcFjXX1X05ALfJ8rCASCBNBgvZ5M3otctDoekXJFiCGXioYrmotnO4LV0lvjlsMBCjiI3mB65WoZT+HX7yL0qU62deoi3quZLNg3BsTzZ2sVeNddxRuE+EC0J3CvNlq1b3xGLNmsQ7OGgWkOBY26HJWJgxqlJzhhvNeU1kXRpPRKn/flzLGSOMi68O5ou+et0prxYmqusmkQy5KYLJRkgg44kSq5HU92vpW/T2Bp30sbHpNfq6wz7Ik9LIxSAlVC+N6nw/9MbpC8EVzIeGYnpdsijxsE+U3gEjT3f+P715UaOMu9YpTAp2OCGGuNUUsMAIUXe9oYpb1Tb5eDPhJTPaOxL6wyRfr2RIsvDE2+Ch2t0XrF8b2Snpknu44KzuxX66yIDWTUp8ihraew0T0p3qZApHtMbAFAzjooDOohog2BSLKQ7j16YRXh5EonzHGNG319uuPk9mXSS7TPosn4hNJlu7q0QSzo6t51LfkcTVngtjZfTox3qJE3wbjEceMdVXNe1Y92LCG8ioDJgjy1VfKexs85Gn8C9+WFcfckBaPGnbGaD1Wbdm5Dz+kqu27s0VJYdF1XIAPt+lrVHtkBfS+JucbEz8yLhJ+axJCFHdTFfOq4LwGHzPOmmLDLVen1Q8EbrHnjOY0JXusvpZbSPXW4LwKw6YFC8gWrZXOY1XCF6e/mZltkZZIcuAn6ZJKn3d8JuvMffoPpvt7XLGwD5dm4riuzeZ8JU2S5HzEVYS/o3+G/XDTgxWkgAiqC9lI4Wz1o3kcQMSeuVqhcs5mmOEChLauExWGlQia4siGjqCJvrXSldhihwK+7Vg8+EuneznqdMhvkXgdAKXMyupwZIVLhTafR21YeyCF4vezxGOUsrrtGEJU/Cdu0ND8NG1OLY/ZXqzxuGfkCaMlPuu2C1xHvI45E/WyyQKEWWWHTTjo1Fu/t1o0JgWN6F6HJno9zcLctq3USxVZrfblvVXljBF0OtptboPHVrOH98kd5FSK3QHDOtgMoyVhjBKHaM6Ut0MYannmJ0YBZghtgzZ18s9bYoQoVbDJtPAV55dhrKJp6gWdDCbyNBLTZ0E3aDx7vupGZch/pUKrnQ2m4BzuJABBtSlV4VnqllbHt6obOCezf7gVaWCwBIewl/T8BoQ5qMbixLkZ1G2jtcA2pZo1QSxGlQJGd1wfcy07Xu29yFrbh9hQLiX1beJo8UiN5C+P0aQ0Xbg/b9JtxNOdAzOpyYIgaAcPTE4D5dhqSa5Oe86XJy5FGX7S7RpAH4O9fs0mo6RWPw+cN8gI66/vCJN0+Ym2CzG9//Kr9f5mXCqMDJy7MHO+FfFEiR2IekiDu1VZl/tPohWusR0yCqM0Zz29cW7jtMFwFrPTpwFIgUh5ZXpIJem80CKeLgW4eWqQr0QTc4ghutOT50GK+PDrzrs/sp3JD1K0INphbvVn6V0SHeJLrLuQnT9+o0d2T9ep6gko0G+UgoI+xCybcmgipQH6MCxnPUoy7voKrRYGijgU2YBKSbaW+uYngL+S5zwd9gwE4XccmOTRjEcPaCOTd7jOgGxGkeXvouxNwGTIX9oc5SUbfzd8Fs2bW5omC64MaFzMKCXhdbT0+RNGyjYH58uL7+2h7zuWNjoosU7ODeAsN/35rEDAwDODrp+I18U7FSMAA/TFGMB8GCSqGSIb3DQEJFDESHhAAawBlAHkAYwBsAG8AYQBrMCMGCSqGSIb3DQEJFTEWBBTa7p1A+fn/spfdXFP1QSRoRetsEDBBMDEwDQYJYIZIAWUDBAIBBQAEIE0bqSV/+ruRpyhTLVyeuKwFEK5s5AyJl6aPdGIudg1SBAg7YpTb884DsgICCAA=
+  truststore: MIIFcgIBAzCCBRwGCSqGSIb3DQEHAaCCBQ0EggUJMIIFBTCCBQEGCSqGSIb3DQEHBqCCBPIwggTuAgEAMIIE5wYJKoZIhvcNAQcBMGYGCSqGSIb3DQEFDTBZMDgGCSqGSIb3DQEFDDArBBTWDbaAWuj7/2kDLsPby+f+u/1Z3AICJxACASAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEECppmZjl3PrTBtH62M3mmFmAggRwW9sTJl6adVUupqaTBWcRXpGPOkt3XB6f7roOvxTEBNjTulERNlTQxeWVi/OctAF0qzlavQebsmkgFDRkRrbyvAXgQKHYH3wlcnQCg2IcVbAPfyUkQksKqjAqCZaCDeMJLamgSEHuSO8Mr9ghLaGgOxeq0QK+DtkVQB8Ejkdb27VljHtYaxmdyDhqbtF3mIh5NTtkXWBL4I3XR77dYMtbdZYcMdnriJPxW1g1c02zCQ80WzxtvbJIkR03RyMHvwqpI2GbPpWMwuIw1NhpiFm7ho2leZj40hlzg4TkgvKiscxcRtnU9ZbztQyHGFg1oYLK6iUCaw5x6w9Kae5F7ChKMMvARgUuk5rlUwVd9TWQnfp6ZShpXRJtR0YKxge/CxQK87hpB1v0w8q9lIXf0QwUnueUTr7ffnu4f2oI7bZ0JDBvuTUU6U1xJuwZ90IoerhdfCvGNBdjwENTl7K45E26qLONzm41zCdihVkRG3oG7Oc4GWr1oh9qqnzn5X3bJp3iyYdUPbwrsh0Lt3BQNTJ9KOymJJGcJuG72LV+2KEhicF2sl8EgkI7mWhwTVGJfgDD+MIeG1lzL46USTl2EtBT9Nio3T/VWwwV4bpGEHSAo67WDqu/kKj59+2WZvH/uP67qpGYkvEQiztILJQFGYa4Kra4xQ3U+mCs3SMyS17x9qPEcnizivuUn6okrUqJjiiqpfsFT0uuX/YE18dyQ9BRAyXY32YnLaa4YS7tg1OBl8ufdfwLSsABd4i8472B4j9Y+mL44KGoRbo9dci97+y4LbbaqWKsX3v3Bs7Dtmpgrsl+pDCS3ChWhjWirtTKLMfRojFJOtv8DpdwNgWPjNX3/L5S0bonk0CIOn2FveiGnH0YSeK79++32DzEitBLY3mfIB45uFZPVhaX86EGi97k6H/GPh8kwBg61pt6lc0zFkaRXQCajngnoJ+jSnN8at6WFfXfayx5WxJP3Ryrndu1bI3AMCLHcEIMwy2IOQTQgOYT9YdgHqRTkMGyq9jphsGyQLdQQjNMC2TplLPrKjKBm9/rQdeVv7DIVWG/jfGn162Hm1C8knvxJhlRfel2tYAcp6HAkU/M7K1a5bsvL2n1BBFOYUwM2Tthkm148NGaH9SuQfQepSo52oC2H2Ycd854z+FTb2Uhq0RkVNWxrT1tG1nlvjGdeMCvdBoak1GNaePXXHKb5CwCIckpRiIdBzwvyF7AHNI87xqY0Q006oUGFhFMLYDi822cd/rcapjHa6sTY/cbWUge4b5d7KqKvJqARY4Fb2sVfokhEx2Fogj36iR6ipg/y2lJGcWFLOllU3nHPRpXvn/LEYAhF9c3xBBGN3XjuBIrNeTg275R/yAI4hIzHri58t7L1XPSCdJK5uBf1nkEaYKxDuJ+0cEtdKyPrRIHRJ8dgilxqPsST5stC26Bjw8ZZG+GHO++ha3WqCAl6eBC/RThLYpHUlrMEc3tnId85gDKDnPthW2bZzMuE0+5QUceATeejXQNc+yOcwcwTTAxMA0GCWCGSAFlAwQCAQUABCBEWEfkGKp/2eG5VysVzM8H1XxQKWPhycOyr4tl50hxDQQUxZwV85wj5XqTVYXuRyOl8C7kFQwCAicQ
   password: YXBpY3VyaW8=
 ---
 apiVersion: apps/v1

operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml

@@ -3,6 +3,9 @@ kind: ApicurioRegistry3
 metadata:
   name: simple
 spec:
+  env:
+    - name: QUARKUS_OIDC_TLS_VERIFICATION
+      value: "none"
   app:
     ingress:
       host: simple-app.apps.cluster.example
@@ -13,14 +16,13 @@ spec:
       authServerUrl: https://simple-keycloak.apps.cluster.example/realms/registry
       redirectURI: https://simple-ui.apps.cluster.example
       logoutURL: https://simple-ui.apps.cluster.example
-      tls:
-        tlsVerificationType: required
-        truststoreSecretRef:
-          name: keycloak-truststore
-          key: truststore
-        truststorePasswordSecretRef:
-          name: keycloak-truststore
-          key: password
+    tls:
+      truststoreSecretRef:
+        name: keycloak-truststore
+        key: truststore
+      truststorePasswordSecretRef:
+        name: keycloak-truststore
+        key: password
   ui:
     ingress:
       host: simple-ui.apps.cluster.example

operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-cluster.yaml

@@ -39,6 +39,8 @@ spec:
     config:
       inter.broker.protocol.version: "3.8"
       offsets.topic.replication.factor: 1
+      sasl.enabled.mechanisms: OAUTHBEARER
+      listener.name.tls.sasl.enabled.mechanisms: OAUTHBEARER
     storage:
       type: ephemeral
   zookeeper:

operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-kafkasql-tls.apicurioregistry3.yaml

@@ -10,7 +10,7 @@ spec:
     storage:
       type: kafkasql
       kafkasql:
-        bootstrapServers: "<service name>.<namespace>.svc:9092"
+        bootstrapServers: "<service name>.<namespace>.svc:9093"
         # Try using Strimzi/Red Hat AMQ Streams Operator!
         tls:
           truststoreSecretRef:
@@ -20,7 +20,6 @@ spec:
             name: keycloak-truststore
             key: password
         auth:
-          protocol: "SASL_SSL"
           enabled: true
           mechanism: "OAUTHBEARER"
           clientId: "admin-client"

operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/KafkaSqlAuthSpec.java

@@ -21,7 +21,7 @@
 
 @JsonDeserialize(using = JsonDeserializer.None.class)
 @JsonInclude(NON_NULL)
-@JsonPropertyOrder({ "enabled", "mechanism", "protocol", "clientId", "clientSecretRef", "tokenEndpoint",
+@JsonPropertyOrder({ "enabled", "mechanism", "clientId", "clientSecretRef", "tokenEndpoint",
         "loginHandlerClass" })
 @NoArgsConstructor
 @AllArgsConstructor(access = PRIVATE)
@@ -38,12 +38,6 @@ public class KafkaSqlAuthSpec {
     @JsonSetter(nulls = SKIP)
     private Boolean enabled;
 
-    @JsonProperty("protocol")
-    @JsonPropertyDescription("""
-            The protocol used to authenticate to Kafka.""")
-    @JsonSetter(nulls = SKIP)
-    private String protocol;
-
     @JsonProperty("mechanism")
     @JsonPropertyDescription("""
             The mechanism used to authenticate to Kafka.""")