Remove the dependency to pulsarctl when generating JWT tokens (#584)

This commit is contained in:
Lari Hotari 2025-03-04 20:18:10 +02:00 committed by GitHub
parent 43f8dfa04e
commit a55b1bb560
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 66 additions and 79 deletions

.gitignore vendored

@ -17,5 +17,3 @@ charts/**/*.lock
PRIVATEKEY PRIVATEKEY
PUBLICKEY PUBLICKEY
.vagrant/ .vagrant/
pulsarctl-*-*.tar.gz
pulsarctl-*-*/


@ -18,34 +18,13 @@
# under the License. # under the License.
# #
if [ -z "$CHART_HOME" ]; then if [ -z "$PULSAR_VERSION" ]; then
echo "error: CHART_HOME should be initialized" if command -v yq &> /dev/null; then
exit 1 # use yq to get the appVersion from the Chart.yaml file
PULSAR_VERSION=$(yq .appVersion charts/pulsar/Chart.yaml)
else
# use a default version if yq is not installed
PULSAR_VERSION="4.0.3"
fi fi
OUTPUT=${CHART_HOME}/output
OUTPUT_BIN=${OUTPUT}/bin
PULSARCTL_VERSION=v3.0.2.6
PULSARCTL_BIN=${HOME}/.pulsarctl/pulsarctl
export PATH=${HOME}/.pulsarctl/plugins:${PATH}
test -d "$OUTPUT_BIN" || mkdir -p "$OUTPUT_BIN"
function pulsar::verify_pulsarctl() {
if test -x "$PULSARCTL_BIN"; then
return
fi fi
return 1 PULSAR_TOKENS_CONTAINER_IMAGE="apachepulsar/pulsar:${PULSAR_VERSION}"
}
function pulsar::ensure_pulsarctl() {
if pulsar::verify_pulsarctl; then
return 0
fi
echo "Get pulsarctl install.sh script ..."
install_script=$(mktemp)
trap "test -f $install_script && rm $install_script" RETURN
curl --retry 10 -L -o $install_script https://raw.githubusercontent.com/streamnative/pulsarctl/master/install.sh
chmod +x $install_script
$install_script --user --version ${PULSARCTL_VERSION}
}
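Review bot: The `if command -v yq` branch assumes a yq that prints scalars unquoted, but `command -v yq` also matches the Python jq-wrapper yq, whose `.appVersion` output is JSON-quoted (`"4.0.3"`), and a PULSAR_VERSION taken from the environment is interpolated into the image reference without any check. Since this value selects the image that generates signing keys and tokens, validate it before use: `[[ "$PULSAR_VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]] || { echo "error: invalid PULSAR_VERSION '$PULSAR_VERSION'" >&2; exit 1; }`. The relative path charts/pulsar/Chart.yaml only resolves because the callers `cd ${CHART_HOME}` before the source line, and the old CHART_HOME guard is gone; a comment such as `# path is relative to CHART_HOME; callers cd there before sourcing` would make that dependency explicit. Making the image overridable, `PULSAR_TOKENS_CONTAINER_IMAGE="${PULSAR_TOKENS_CONTAINER_IMAGE:-apachepulsar/pulsar:${PULSAR_VERSION}}"`, would let an operator pin a digest (`apachepulsar/pulsar@sha256:<digest-placeholder>`) instead of a floating tag for key generation.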


@ -20,9 +20,12 @@
set -e set -e
CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) SCRIPT_DIR="$(unset CDPATH && cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
CHART_HOME=$(unset CDPATH && cd "$SCRIPT_DIR/../.." && pwd)
cd ${CHART_HOME} cd ${CHART_HOME}
source "${SCRIPT_DIR}/common_auth.sh"
usage() { usage() {
cat <<EOF cat <<EOF
This script is used to generate token for a given pulsar role. This script is used to generate token for a given pulsar role.
@ -86,10 +89,6 @@ if [[ "x${role}" == "x" ]]; then
exit 1 exit 1
fi fi
source ${CHART_HOME}/scripts/pulsar/common_auth.sh
pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
@ -101,7 +100,6 @@ function pulsar::jwt::get_secret() {
if [[ "${local}" == "true" ]]; then if [[ "${local}" == "true" ]]; then
cp ${type} ${tmpfile} cp ${type} ${tmpfile}
else else
echo "kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data.${type}}" | base64 --decode > ${tmpfile}"
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile} kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
fi fi
} }
@ -110,31 +108,41 @@ function pulsar::jwt::generate_symmetric_token() {
local token_name="${release}-token-${role}" local token_name="${release}-token-${role}"
local secret_name="${release}-token-symmetric-key" local secret_name="${release}-token-symmetric-key"
tmpfile=$(mktemp)
trap "test -f $tmpfile && rm $tmpfile" RETURN local tmpdir=$(mktemp -d)
tokentmpfile=$(mktemp) trap "test -d $tmpdir && rm -rf $tmpdir" RETURN
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN secretkeytmpfile=${tmpdir}/secret.key
pulsar::jwt::get_secret SECRETKEY ${tmpfile} ${secret_name} tokentmpfile=${tmpdir}/token.jwt
${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp) pulsar::jwt::get_secret SECRETKEY ${secretkeytmpfile} ${secret_name}
docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create -a HS256 --subject "${role}" --secret-key=file:/keydir/secret.key > ${tokentmpfile}
newtokentmpfile=${tmpdir}/token.jwt.new
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
echo "kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}"
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client} kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
rm -rf $tmpdir
} }
function pulsar::jwt::generate_asymmetric_token() { function pulsar::jwt::generate_asymmetric_token() {
local token_name="${release}-token-${role}" local token_name="${release}-token-${role}"
local secret_name="${release}-token-asymmetric-key" local secret_name="${release}-token-asymmetric-key"
privatekeytmpfile=$(mktemp) local tmpdir=$(mktemp -d)
trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN trap "test -d $tmpdir && rm -rf $tmpdir" RETURN
tokentmpfile=$(mktemp)
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN privatekeytmpfile=${tmpdir}/privatekey.der
tokentmpfile=${tmpdir}/token.jwt
pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile} ${secret_name} pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile} ${secret_name}
${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp) # Generate token
docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create -a RS256 --subject "${role}" --private-key=file:/keydir/privatekey.der > ${tokentmpfile}
newtokentmpfile=${tmpdir}/token.jwt.new
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client} kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
rm -rf $tmpdir
} }
if [[ "${symmetric}" == "true" ]]; then if [[ "${symmetric}" == "true" ]]; then
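Review bot: Both `docker run` lines that redirect the token to ${tokentmpfile} pass `-t`, which allocates a pseudo-terminal; a pty normally rewrites the newline as CRLF, so the following `tr -d '\n'` can leave a trailing `\r` in the value stored under the TOKEN key of the secret. Drop `-t` (the command reads nothing from a terminal) and strip both characters defensively: `tr -d '\r\n' < ${tokentmpfile} > ${newtokentmpfile}`. `local tmpdir=$(mktemp -d)` in both functions hides a failing mktemp behind `local`'s zero exit status, so under `set -e` the function would continue with an empty tmpdir, the key file path would become `/secret.key`, and the trap and the final `rm -rf` would run on an empty, unquoted variable; write it as `local tmpdir; tmpdir=$(mktemp -d)` and quote `"$tmpdir"` in the trap and the rm. The same `local tmpdir=$(mktemp -d)` pattern appears in both functions of the key-generation script changed by this commit.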


@ -20,9 +20,12 @@
set -e set -e
CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) SCRIPT_DIR="$(unset CDPATH && cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
CHART_HOME=$(unset CDPATH && cd "$SCRIPT_DIR/../.." && pwd)
cd ${CHART_HOME} cd ${CHART_HOME}
source "${SCRIPT_DIR}/common_auth.sh"
usage() { usage() {
cat <<EOF cat <<EOF
This script is used to generate token secret key for a given pulsar helm release. This script is used to generate token secret key for a given pulsar helm release.
@ -74,10 +77,6 @@ case $key in
esac esac
done done
source ${CHART_HOME}/scripts/pulsar/common_auth.sh
pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
local_cmd=${file:+-o yaml --dry-run=client >secret.yaml} local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
@ -85,31 +84,38 @@ local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
function pulsar::jwt::generate_symmetric_key() { function pulsar::jwt::generate_symmetric_key() {
local secret_name="${release}-token-symmetric-key" local secret_name="${release}-token-symmetric-key"
tmpfile=$(mktemp) local tmpdir=$(mktemp -d)
trap "test -f $tmpfile && rm $tmpfile" RETURN trap "test -d $tmpdir && rm -rf $tmpdir" RETURN
${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile} local tmpfile=${tmpdir}/SECRETKEY
docker run --rm -t ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create-secret-key > "${tmpfile}"
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=$tmpfile ${local:+ -o yaml --dry-run=client}
# if local is true, keep the file available for debugging purposes
if [[ "${local}" == "true" ]]; then
mv $tmpfile SECRETKEY mv $tmpfile SECRETKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
if [[ "${local}" != "true" ]]; then
rm SECRETKEY
fi fi
rm -rf $tmpdir
} }
function pulsar::jwt::generate_asymmetric_key() { function pulsar::jwt::generate_asymmetric_key() {
local secret_name="${release}-token-asymmetric-key" local secret_name="${release}-token-asymmetric-key"
privatekeytmpfile=$(mktemp) local tmpdir=$(mktemp -d)
trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN trap "test -d $tmpdir && rm -rf $tmpdir" RETURN
publickeytmpfile=$(mktemp)
trap "test -f $publickeytmpfile && rm $publickeytmpfile" RETURN privatekeytmpfile=${tmpdir}/PRIVATEKEY
${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile} publickeytmpfile=${tmpdir}/PUBLICKEY
# Generate key pair
docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create-key-pair --output-private-key=/keydir/PRIVATEKEY --output-public-key=/keydir/PUBLICKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=$privatekeytmpfile --from-file=$publickeytmpfile ${local:+ -o yaml --dry-run=client}
# if local is true, keep the files available for debugging purposes
if [[ "${local}" == "true" ]]; then
mv $privatekeytmpfile PRIVATEKEY mv $privatekeytmpfile PRIVATEKEY
mv $publickeytmpfile PUBLICKEY mv $publickeytmpfile PUBLICKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
if [[ "${local}" != "true" ]]; then
rm PRIVATEKEY
rm PUBLICKEY
fi fi
rm -rf $tmpdir
} }
if [[ "${symmetric}" == "true" ]]; then if [[ "${symmetric}" == "true" ]]; then
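Review bot: `docker run --rm -t … tokens create-secret-key > "${tmpfile}"` captures the generated secret key through a pseudo-terminal; if that command emits the key as raw bytes rather than base64 text (the replaced pulsarctl call wrote the key with `--output-file` directly), the pty turns every 0x0a byte into CRLF and the SECRETKEY stored in the secret silently differs from a valid key, so `-t` should be dropped here and on the `create-key-pair` line, which needs no terminal either. The key pair is written by a container running as `--user 0`, so when local=true the PRIVATEKEY file that `mv` leaves in the chart directory is root-owned with whatever mode the container's umask produced; worth confirming it is not group/world readable, for example by running that container as `--user "$(id -u):$(id -g)"` if the image tolerates it, so the caller owns the file and can `chmod 600` it before the mv. A short comment on the `--user 0` flag explaining why root is required for the bind mount would help the next reader judge that trade-off.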


@ -74,10 +74,6 @@ if [[ "x${role}" == "x" ]]; then
exit 1 exit 1
fi fi
source ${CHART_HOME}/scripts/pulsar/common_auth.sh
pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}