apache/pulsar-helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OpenID: introducing support for OpenID configuration (#509)

Browse Source 
* feat!(openid): introducing support for openid configuration

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled

* add upgrading to 4.1.0

* add validation for deprecated values

* add openid CI with keycloak

* fix chart-testing lint new-line-at-end-of-file

* fix keycloak dependency repository

* fix keycloak repository

* fix yaml to json convert error

* disable keycloak to validate github actions before re-enable it

* disable openid test scenario

* disable keycloak in values

* enable keycloak without authentication and authorization

* add openid test scenario

* disable test scenario other than openid

* enable all test scenario

* disable functions component

* create openid resources

* test truncate command

* test truncate command

* change client_secret generator

* change client_secret generator

* test python

* fix script

* fix script

* print python result

* test python

* test python

* fix client_secret generation

* fix create openid resources

* fix secret name

* fix mount keycloak config

* fix keycloak service

* exclude keycloak from chart

* add license

* add license

* wait keycloak is alive

* fix keycloak chart install namespace

* add test pulsar real openid config

* fix keycloak issuer url

* fix pod name

* remove check keycloak alive

* check realm pulsar openid configuration

* change keycloak service

* remove test keyclock service

* remove selector to get all pod log

* wait keycloak is alive

* check keycloak realm pulsar urls

* wait until keycloak is ready

* add wait timeout

* fix realm pulsar name

* add log to debug

* add openid for toolset

* set authorization

* set authorization

* fix client template filename

* fix install keycloak

* disable authorization

* debug sub claim value

* fix sub claim value

* cleanup

* enable all build

---------

Co-authored-by: glecroc <guillaume.lecroc@cnp.fr>
This commit is contained in:
Bruno Domenici 2025-05-20 13:09:12 +02:00 committed by GitHub
parent 52d3164b8d
commit a9f2ba76ae
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
21 changed files with 2170 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1738
.ci/auth/keycloak/0-realm-pulsar-partial-export.json Normal file
View File

File diff suppressed because it is too large Load Diff

73
.ci/auth/keycloak/1-client-template.json Normal file
View File

@ -0,0 +1,73 @@
{
"clientId": $ARGS.named.CLIENT_ID,
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": $ARGS.named.CLIENT_SECRET,
"standardFlowEnabled" : false,
"implicitFlowEnabled" : false,
"serviceAccountsEnabled": true,
"protocol": "openid-connect",
"attributes": {
"realm_client": "false",
"oidc.ciba.grant.enabled": "false",
"client.secret.creation.time": "1735689600",
"backchannel.logout.session.required": "true",
"standard.token.exchange.enabled": "false",
"frontchannel.logout.session.required": "true",
"oauth2.device.authorization.grant.enabled": "false",
"display.on.consent.screen": "false",
"backchannel.logout.revoke.offline.tokens": "false"
},
"protocolMappers": [
{
"name": "sub",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"introspection.token.claim": "true",
"claim.value": $ARGS.named.SUB_CLAIM_VALUE,
"userinfo.token.claim": "true",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "sub",
"jsonType.label": "String",
"access.tokenResponse.claim": "false"
}
},
{
"name": "nbf",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"introspection.token.claim": "true",
"claim.value": "1735689600",
"userinfo.token.claim": "true",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "nbf",
"jsonType.label": "long",
"access.tokenResponse.claim": "false"
}
}
],
"defaultClientScopes": [
"web-origins",
"service_account",
"acr",
"profile",
"roles",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"organization",
"offline_access",
"microprofile-jwt"
]
}

26
.ci/auth/keycloak/README.md Normal file
View File

@ -0,0 +1,26 @@
# Keycloak
Keycloak is used to validate OIDC configuration.
To create the pulsar realm configuration, we use :
* `0-realm-pulsar-partial-export.json` : after creating pulsar realm in Keycloack UI, this file is the result of the partial export in Keycloak UI without options.
* `1-client-template.json` : this is the template to create pulsar clients.
To create the final `realm-pulsar.json`, merge files with `jq` command :
* create a client with `CLIENT_ID`, `CLIENT_SECRET` and `SUB_CLAIM_VALUE` :
```
CLIENT_ID=xx
CLIENT_SECRET=yy
SUB_CLAIM_VALUE=zz
jq -n --arg CLIENT_ID "$CLIENT_ID" --arg CLIENT_SECRET "$CLIENT_SECRET" --arg SUB_CLAIM_VALUE "$SUB_CLAIM_VALUE" 1-client-template.json > client.json
```
* then merge the realm and the client :
```
jq '.clients += [input]' 0-realm-pulsar-partial-export.json client.json > realm-pulsar.json
```

34
.ci/auth/keycloak/values.yaml Normal file
View File

@ -0,0 +1,34 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
tls:
enabled: false
# This block sets up an example Pulsar Realm
# https://www.keycloak.org/server/importExport#_importing_a_realm_from_a_directory
extraEnvVars:
- name: KEYCLOAK_EXTRA_ARGS
value: "--import-realm"
extraVolumes:
- name: realm-config
secret:
secretName: keycloak-ci-realm-config
extraVolumeMounts:
- name: realm-config
mountPath: "/opt/bitnami/keycloak/data/import"
readOnly: true

5
.ci/auth/oauth2/credentials_file.json Normal file
View File

@ -0,0 +1,5 @@
{
"type": "client_credentials",
"client_id": $ARGS.named.CLIENT_ID,
"client_secret": $ARGS.named.CLIENT_SECRET
}

2
.ci/clusters/values-jwt-asymmetric.yaml
View File

@ -21,9 +21,9 @@
auth: auth:
authentication: authentication:
enabled: true enabled: true
provider: "jwt"
jwt: jwt:
# Enable JWT authentication # Enable JWT authentication
enabled: true
# If the token is generated by a secret key, set the usingSecretKey as true. # If the token is generated by a secret key, set the usingSecretKey as true.
# If the token is generated by a private key, set the usingSecretKey as false. # If the token is generated by a private key, set the usingSecretKey as false.
usingSecretKey: false usingSecretKey: false

2
.ci/clusters/values-jwt-symmetric.yaml
View File

@ -21,9 +21,9 @@
auth: auth:
authentication: authentication:
enabled: true enabled: true
provider: "jwt"
jwt: jwt:
# Enable JWT authentication # Enable JWT authentication
enabled: true
# If the token is generated by a secret key, set the usingSecretKey as true. # If the token is generated by a secret key, set the usingSecretKey as true.
# If the token is generated by a private key, set the usingSecretKey as false. # If the token is generated by a private key, set the usingSecretKey as false.
usingSecretKey: true usingSecretKey: true

94
.ci/clusters/values-openid.yaml Normal file
View File

@ -0,0 +1,94 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Mount crendentials to each component
proxy:
configData:
# Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-proxy-credentials
secret:
secretName: pulsar-proxy-credentials
extraVolumeMounts:
- name: pulsar-proxy-credentials
mountPath: "/pulsar/auth/proxy"
readOnly: true
broker:
configData:
# Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-broker-credentials
secret:
secretName: pulsar-broker-credentials
extraVolumeMounts:
- name: pulsar-broker-credentials
mountPath: "/pulsar/auth/broker"
readOnly: true
toolset:
configData:
authPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
authParams: '{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-admin-credentials
secret:
secretName: pulsar-admin-credentials
extraVolumeMounts:
- name: pulsar-admin-credentials
mountPath: "/pulsar/auth/admin"
readOnly: true
auth:
authentication:
enabled: true
openid:
# Enable openid authentication
enabled: true
# https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
openIDAllowedTokenIssuers:
- http://keycloak-ci-headless:8080/realms/pulsar
openIDAllowedAudiences:
- account
#openIDTokenIssuerTrustCertsFilePath:
openIDRoleClaim: "sub"
openIDAcceptedTimeLeewaySeconds: "0"
openIDCacheSize: "5"
openIDCacheRefreshAfterWriteSeconds: "64800"
openIDCacheExpirationSeconds: "86400"
openIDHttpConnectionTimeoutMillis: "10000"
openIDHttpReadTimeoutMillis: "10000"
openIDKeyIdCacheMissRefreshSeconds: "300"
openIDRequireIssuersUseHttps: "false"
openIDFallbackDiscoveryMode: "DISABLED"
authorization:
enabled: true
superUsers:
# broker to broker communication
broker: "broker-admin"
# proxy to broker communication
proxy: "proxy-admin"
# pulsar-admin client to broker/proxy communication
client: "admin"
# pulsar manager to broker
manager: "manager-admin"

83
.ci/helm.sh
View File

@ -90,8 +90,8 @@ function ci::helm_repo_add() {
} }
function ci::print_pod_logs() { function ci::print_pod_logs() {
echo "Logs for all pulsar containers:" echo "Logs for all containers:"
for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -l app=pulsar -o=name); do for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -o=name); do
${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --tail=100 || true ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --tail=100 || true
done; done;
} }
@ -99,7 +99,7 @@ function ci::print_pod_logs() {
function ci::collect_k8s_logs() { function ci::collect_k8s_logs() {
mkdir -p "${K8S_LOGS_DIR}" && cd "${K8S_LOGS_DIR}" mkdir -p "${K8S_LOGS_DIR}" && cd "${K8S_LOGS_DIR}"
echo "Collecting k8s logs to ${K8S_LOGS_DIR}" echo "Collecting k8s logs to ${K8S_LOGS_DIR}"
for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -l app=pulsar -o=name); do for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -o=name); do
filebase="${k8sobject//\//_}" filebase="${k8sobject//\//_}"
${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true > "${filebase}.$$.log.txt" || true ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true > "${filebase}.$$.log.txt" || true
${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --previous=true > "${filebase}.previous.$$.log.txt" || true ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --previous=true > "${filebase}.previous.$$.log.txt" || true
@ -149,6 +149,11 @@ function ci::install_pulsar_chart() {
# configure metallb # configure metallb
${KUBECTL} apply -f ${BINDIR}/metallb/metallb-config.yaml ${KUBECTL} apply -f ${BINDIR}/metallb/metallb-config.yaml
install_args="" install_args=""
# create auth resources
if [[ "x${AUTHENTICATION_PROVIDER}" == "xopenid" ]]; then
ci::create_openid_resources
fi
else else
install_args="--wait --wait-for-jobs --timeout 360s --debug" install_args="--wait --wait-for-jobs --timeout 360s --debug"
fi fi
@ -272,6 +277,7 @@ function ci::retry() {
} }
function ci::test_pulsar_admin_api_access() { function ci::test_pulsar_admin_api_access() {
echo "Test pulsar admin api access"
ci::retry ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin tenants list ci::retry ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin tenants list
} }
@ -483,6 +489,77 @@ function _ci::validate_kustomize_yaml() {
}' }'
} }
# Create all resources needed for openid authentication
function ci::create_openid_resources() {
echo "Creating openid resources"
cp ${PULSAR_HOME}/.ci/auth/keycloak/0-realm-pulsar-partial-export.json /tmp/realm-pulsar.json
for component in broker proxy admin manager; do
echo "Creating openid resources for ${component}"
local client_id=pulsar-${component}
# Github action hang up when read string from /dev/urandom, so use python to generate a random string
local client_secret=$(python -c "import secrets; import string; length = 32; random_string = ''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length)); print(random_string);")
if [[ "${component}" == "admin" ]]; then
local sub_claim_value="admin"
else
local sub_claim_value="${component}-admin"
fi
# Create the client credentials file
jq -n --arg CLIENT_ID $client_id --arg CLIENT_SECRET "$client_secret" -f ${PULSAR_HOME}/.ci/auth/oauth2/credentials_file.json > /tmp/${component}-credentials_file.json
# Create the secret for the client credentials
local secret_name="pulsar-${component}-credentials"
${KUBECTL} create secret generic ${secret_name} --from-file=credentials_file.json=/tmp/${component}-credentials_file.json -n ${NAMESPACE}
# Create the keycloak client file
jq -n --arg CLIENT_ID $client_id --arg CLIENT_SECRET "$client_secret" --arg SUB_CLAIM_VALUE "$sub_claim_value" -f ${PULSAR_HOME}/.ci/auth/keycloak/1-client-template.json > /tmp/${component}-keycloak-client.json
# Merge the keycloak client file with the realm
jq '.clients += [input]' /tmp/realm-pulsar.json /tmp/${component}-keycloak-client.json > /tmp/realm-pulsar.json.tmp
mv /tmp/realm-pulsar.json.tmp /tmp/realm-pulsar.json
done
echo "Create keycloak realm configuration"
${KUBECTL} create secret generic keycloak-ci-realm-config --from-file=realm-pulsar.json=/tmp/realm-pulsar.json -n ${NAMESPACE}
echo "Installing keycloak helm chart"
${HELM} install keycloak-ci oci://registry-1.docker.io/bitnamicharts/keycloak --version 24.6.4 --values ${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
echo "Wait until keycloak is running"
WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
counter=1
while [[ ${WC} -lt 1 ]]; do
((counter++))
echo ${WC};
sleep 15
${KUBECTL} get pods,jobs -n ${NAMESPACE}
${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
if [[ $((counter % 20)) -eq 0 ]]; then
ci::print_pod_logs
if [[ $counter -gt 100 ]]; then
echo >&2 "Timeout waiting..."
exit 1
fi
fi
WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
done
echo "Wait until keycloak is ready"
${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-0 -n ${NAMESPACE} --timeout 180s
echo "Check keycloack realm pulsar issuer url"
${KUBECTL} exec -n ${NAMESPACE} keycloak-ci-0 -c keycloak -- bash -c 'curl -sSL http://keycloak-ci-headless:8080/realms/pulsar'
}
# lists all available functions in this tool # lists all available functions in this tool
function ci::list_functions() { function ci::list_functions() {
declare -F | awk '{print $NF}' | sort | grep -E '^ci::' | sed 's/^ci:://' declare -F | awk '{print $NF}' | sort | grep -E '^ci::' | sed 's/^ci:://'

7
.github/workflows/pulsar-helm-chart-ci.yaml vendored
View File

@ -32,6 +32,7 @@ concurrency:
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
preconditions: preconditions:
name: Preconditions name: Preconditions
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
@ -229,6 +230,9 @@ jobs:
- name: Oxia - name: Oxia
values_file: .ci/clusters/values-oxia.yaml values_file: .ci/clusters/values-oxia.yaml
shortname: oxia shortname: oxia
- name: OpenID
values_file: .ci/clusters/values-openid.yaml
shortname: openid
include: include:
- k8sVersion: - k8sVersion:
version: "1.25.16" version: "1.25.16"
@ -289,6 +293,9 @@ jobs:
"jwt-asymmetric") "jwt-asymmetric")
export EXTRA_SUPERUSERS=manager-admin export EXTRA_SUPERUSERS=manager-admin
;; ;;
"openid")
export AUTHENTICATION_PROVIDER=openid
;;
esac esac
if [[ "${{ matrix.testScenario.type || 'install' }}" == "upgrade" ]]; then if [[ "${{ matrix.testScenario.type || 'install' }}" == "upgrade" ]]; then
export UPGRADE_FROM_VERSION="${{ matrix.testScenario.upgradeFromVersion || 'latest' }}" export UPGRADE_FROM_VERSION="${{ matrix.testScenario.upgradeFromVersion || 'latest' }}"

9
README.md
View File

@ -51,7 +51,13 @@ existing security implementations.
As per the [Pulsar Proxy documentation](https://pulsar.apache.org/docs/3.1.x/administration-proxy/), it is explicitly stated that the Pulsar proxy is not designed for exposure to the public internet. The design assumes that deployments will be protected by network perimeter security measures. It is crucial to understand that relying solely on the default configuration can expose your deployment to significant security vulnerabilities. As per the [Pulsar Proxy documentation](https://pulsar.apache.org/docs/3.1.x/administration-proxy/), it is explicitly stated that the Pulsar proxy is not designed for exposure to the public internet. The design assumes that deployments will be protected by network perimeter security measures. It is crucial to understand that relying solely on the default configuration can expose your deployment to significant security vulnerabilities.
### Important Change in 4.0.0 version of the Apache Pulsar Helm chart ### Upgrading
#### To 4.1.0
This version introduces `OpenID` authentication. Setting `auth.authentication.provider` is no longer supported, you need to enable the provider with `auth.authentication.<provider>.enabled`.
#### To 4.0.0
The default service type for the Pulsar proxy has changed from `LoadBalancer` to `ClusterIP` for security reasons. This limits access to within the Kubernetes environment by default. The default service type for the Pulsar proxy has changed from `LoadBalancer` to `ClusterIP` for security reasons. This limits access to within the Kubernetes environment by default.
@ -157,6 +163,7 @@ It includes support for:
- [x] ZooKeeper - [x] ZooKeeper
- [x] Authentication - [x] Authentication
- [x] JWT - [x] JWT
- [x] OpenID
- [ ] Mutal TLS - [ ] Mutal TLS
- [ ] Kerberos - [ ] Kerberos
- [x] Authorization - [x] Authorization

25
charts/pulsar/templates/_values_validation.tpl Normal file
View File

@ -0,0 +1,25 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
*/}}
{{/*
Check deprecated setting auth.authentication.provider since 4.1.0
*/}}
{{- if (and .Values.auth.authentication.enabled (not (empty .Values.auth.authentication.provider))) }}
{{- fail "ERROR: Setting auth.authentication.provider is no longer supported. For details, see the migration guide in README.md." }}
{{- end }}

26
charts/pulsar/templates/broker-configmap.yaml
View File

@ -217,9 +217,14 @@ data:
proxyRoles: {{ .Values.auth.superUsers.proxy }} proxyRoles: {{ .Values.auth.superUsers.proxy }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled }}
# token authentication configuration # token authentication configuration
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled .Values.auth.authentication.openid.enabled }}
authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
{{- end }}
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled ( not .Values.auth.authentication.openid.enabled ) }}
authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken" authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
{{- end }}
brokerClientAuthenticationParameters: "file:///pulsar/tokens/broker/token" brokerClientAuthenticationParameters: "file:///pulsar/tokens/broker/token"
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
{{- if .Values.auth.authentication.jwt.usingSecretKey }} {{- if .Values.auth.authentication.jwt.usingSecretKey }}
@ -228,6 +233,25 @@ data:
tokenPublicKey: "file:///pulsar/keys/token/public.key" tokenPublicKey: "file:///pulsar/keys/token/public.key"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled }}
# openid authentication configuration
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled ( not .Values.auth.authentication.jwt.enabled ) }}
authenticationProviders: "org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
{{- end }}
PULSAR_PREFIX_openIDAllowedTokenIssuers: {{ .Values.auth.authentication.openid.openIDAllowedTokenIssuers | uniq | compact | sortAlpha | join "," | quote }}
PULSAR_PREFIX_openIDAllowedAudiences: {{ .Values.auth.authentication.openid.openIDAllowedAudiences | uniq | compact | sortAlpha | join "," | quote }}
PULSAR_PREFIX_openIDTokenIssuerTrustCertsFilePath: {{ .Values.auth.authentication.openid.openIDTokenIssuerTrustCertsFilePath | quote }}
PULSAR_PREFIX_openIDRoleClaim: {{ .Values.auth.authentication.openid.openIDRoleClaim | quote }}
PULSAR_PREFIX_openIDAcceptedTimeLeewaySeconds: {{ .Values.auth.authentication.openid.openIDAcceptedTimeLeewaySeconds | quote }}
PULSAR_PREFIX_openIDCacheSize: {{ .Values.auth.authentication.openid.openIDCacheSize | quote }}
PULSAR_PREFIX_openIDCacheRefreshAfterWriteSeconds: {{ .Values.auth.authentication.openid.openIDCacheRefreshAfterWriteSeconds | quote }}
PULSAR_PREFIX_openIDCacheExpirationSeconds: {{ .Values.auth.authentication.openid.openIDCacheExpirationSeconds | quote }}
PULSAR_PREFIX_openIDHttpConnectionTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpConnectionTimeoutMillis | quote }}
PULSAR_PREFIX_openIDHttpReadTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpReadTimeoutMillis | quote }}
PULSAR_PREFIX_openIDKeyIdCacheMissRefreshSeconds: {{ .Values.auth.authentication.openid.openIDKeyIdCacheMissRefreshSeconds | quote }}
PULSAR_PREFIX_openIDRequireIssuersUseHttps: {{ .Values.auth.authentication.openid.openIDRequireIssuersUseHttps | quote }}
PULSAR_PREFIX_openIDFallbackDiscoveryMode: {{ .Values.auth.authentication.openid.openIDFallbackDiscoveryMode | quote }}
{{- end }}
{{- end }} {{- end }}
{{- if and .Values.tls.enabled .Values.tls.bookie.enabled }} {{- if and .Values.tls.enabled .Values.tls.bookie.enabled }}

4
charts/pulsar/templates/broker-statefulset.yaml
View File

@ -276,7 +276,7 @@ spec:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
volumeMounts: volumeMounts:
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- mountPath: "/pulsar/keys" - mountPath: "/pulsar/keys"
name: token-keys name: token-keys
readOnly: true readOnly: true
@ -329,7 +329,7 @@ spec:
{{ toYaml .Values.broker.extraVolumes | indent 6 }} {{ toYaml .Values.broker.extraVolumes | indent 6 }}
{{- end }} {{- end }}
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- name: token-keys - name: token-keys
secret: secret:
{{- if not .Values.auth.authentication.jwt.usingSecretKey }} {{- if not .Values.auth.authentication.jwt.usingSecretKey }}

26
charts/pulsar/templates/proxy-configmap.yaml
View File

@ -70,9 +70,14 @@ data:
superUserRoles: {{ .Values.auth.superUsers | values | compact | sortAlpha | join "," }} superUserRoles: {{ .Values.auth.superUsers | values | compact | sortAlpha | join "," }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled }}
# token authentication configuration # token authentication configuration
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled .Values.auth.authentication.openid.enabled }}
authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
{{- end }}
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled ( not .Values.auth.authentication.openid.enabled ) }}
authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken" authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
{{- end }}
brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token" brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token"
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
{{- if .Values.auth.authentication.jwt.usingSecretKey }} {{- if .Values.auth.authentication.jwt.usingSecretKey }}
@ -81,6 +86,25 @@ data:
tokenPublicKey: "file:///pulsar/keys/token/public.key" tokenPublicKey: "file:///pulsar/keys/token/public.key"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled }}
# openid authentication configuration
{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled ( not .Values.auth.authentication.jwt.enabled ) }}
authenticationProviders: "org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
{{- end }}
PULSAR_PREFIX_openIDAllowedTokenIssuers: {{ .Values.auth.authentication.openid.openIDAllowedTokenIssuers | uniq | compact | sortAlpha | join "," | quote }}
PULSAR_PREFIX_openIDAllowedAudiences: {{ .Values.auth.authentication.openid.openIDAllowedAudiences | uniq | compact | sortAlpha | join "," | quote }}
PULSAR_PREFIX_openIDTokenIssuerTrustCertsFilePath: {{ .Values.auth.authentication.openid.openIDTokenIssuerTrustCertsFilePath | quote }}
PULSAR_PREFIX_openIDRoleClaim: {{ .Values.auth.authentication.openid.openIDRoleClaim | quote }}
PULSAR_PREFIX_openIDAcceptedTimeLeewaySeconds: {{ .Values.auth.authentication.openid.openIDAcceptedTimeLeewaySeconds | quote }}
PULSAR_PREFIX_openIDCacheSize: {{ .Values.auth.authentication.openid.openIDCacheSize | quote }}
PULSAR_PREFIX_openIDCacheRefreshAfterWriteSeconds: {{ .Values.auth.authentication.openid.openIDCacheRefreshAfterWriteSeconds | quote }}
PULSAR_PREFIX_openIDCacheExpirationSeconds: {{ .Values.auth.authentication.openid.openIDCacheExpirationSeconds | quote }}
PULSAR_PREFIX_openIDHttpConnectionTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpConnectionTimeoutMillis | quote }}
PULSAR_PREFIX_openIDHttpReadTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpReadTimeoutMillis | quote }}
PULSAR_PREFIX_openIDKeyIdCacheMissRefreshSeconds: {{ .Values.auth.authentication.openid.openIDKeyIdCacheMissRefreshSeconds | quote }}
PULSAR_PREFIX_openIDRequireIssuersUseHttps: {{ .Values.auth.authentication.openid.openIDRequireIssuersUseHttps | quote }}
PULSAR_PREFIX_openIDFallbackDiscoveryMode: {{ .Values.auth.authentication.openid.openIDFallbackDiscoveryMode | quote }}
{{- end }}
{{- end }} {{- end }}
{{ toYaml .Values.proxy.configData | indent 2 }} {{ toYaml .Values.proxy.configData | indent 2 }}
{{- end }} {{- end }}

4
charts/pulsar/templates/proxy-statefulset.yaml
View File

@ -237,7 +237,7 @@ spec:
{{- if or .Values.proxy.extraVolumeMounts .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }} {{- if or .Values.proxy.extraVolumeMounts .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }}
volumeMounts: volumeMounts:
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- mountPath: "/pulsar/keys" - mountPath: "/pulsar/keys"
name: token-keys name: token-keys
readOnly: true readOnly: true
@ -267,7 +267,7 @@ spec:
{{ toYaml .Values.proxy.extraVolumes | indent 8 }} {{ toYaml .Values.proxy.extraVolumes | indent 8 }}
{{- end }} {{- end }}
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- name: token-keys - name: token-keys
secret: secret:
{{- if not .Values.auth.authentication.jwt.usingSecretKey }} {{- if not .Values.auth.authentication.jwt.usingSecretKey }}

2
charts/pulsar/templates/pulsar-manager-configmap.yaml
View File

@ -31,7 +31,7 @@ data:
PULSAR_MANAGER_OPTS: "-Dlog4j2.formatMsgNoLookups=true" PULSAR_MANAGER_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
# auth # auth
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
{{- if .Values.auth.authentication.jwt.usingSecretKey }} {{- if .Values.auth.authentication.jwt.usingSecretKey }}
SECRET_KEY: "file:///pulsar-manager/keys/token/secret.key" SECRET_KEY: "file:///pulsar-manager/keys/token/secret.key"
{{- else }} {{- else }}

6
charts/pulsar/templates/pulsar-manager-statefulset.yaml
View File

@ -82,7 +82,7 @@ spec:
{{ toYaml .Values.pulsar_manager.extraVolumeMounts | indent 10 }} {{ toYaml .Values.pulsar_manager.extraVolumeMounts | indent 10 }}
{{- end }} {{- end }}
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- name: pulsar-manager-keys - name: pulsar-manager-keys
mountPath: /pulsar-manager/keys mountPath: /pulsar-manager/keys
{{- end }} {{- end }}
@ -110,7 +110,7 @@ spec:
{{- end }} {{- end }}
key: DB_PASSWORD key: DB_PASSWORD
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
{{- if .Values.auth.superUsers.manager }} {{- if .Values.auth.superUsers.manager }}
- name: JWT_TOKEN - name: JWT_TOKEN
valueFrom: valueFrom:
@ -126,7 +126,7 @@ spec:
{{ toYaml .Values.pulsar_manager.extraVolumes | indent 8 }} {{ toYaml .Values.pulsar_manager.extraVolumes | indent 8 }}
{{- end }} {{- end }}
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- name: pulsar-manager-keys - name: pulsar-manager-keys
secret: secret:
defaultMode: 420 defaultMode: 420

2
charts/pulsar/templates/toolset-configmap.yaml
View File

@ -61,7 +61,7 @@ data:
{{- end }} {{- end }}
# Authentication Settings # Authentication Settings
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
authParams: "file:///pulsar/tokens/client/token" authParams: "file:///pulsar/tokens/client/token"
authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
{{- end }} {{- end }}

4
charts/pulsar/templates/toolset-statefulset.yaml
View File

@ -96,7 +96,7 @@ spec:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
volumeMounts: volumeMounts:
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- mountPath: "/pulsar/tokens" - mountPath: "/pulsar/tokens"
name: client-token name: client-token
readOnly: true readOnly: true
@ -113,7 +113,7 @@ spec:
{{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }} {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
volumes: volumes:
{{- if .Values.auth.authentication.enabled }} {{- if .Values.auth.authentication.enabled }}
{{- if eq .Values.auth.authentication.provider "jwt" }} {{- if .Values.auth.authentication.jwt.enabled }}
- name: client-token - name: client-token
secret: secret:
secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}" secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"

18
charts/pulsar/values.yaml
View File

@ -273,12 +273,28 @@ tls:
auth: auth:
authentication: authentication:
enabled: false enabled: false
provider: "jwt"
jwt: jwt:
enabled: false
# Enable JWT authentication # Enable JWT authentication
# If the token is generated by a secret key, set the usingSecretKey as true. # If the token is generated by a secret key, set the usingSecretKey as true.
# If the token is generated by a private key, set the usingSecretKey as false. # If the token is generated by a private key, set the usingSecretKey as false.
usingSecretKey: false usingSecretKey: false
openid:
enabled: false
# # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
openIDAllowedTokenIssuers: []
openIDAllowedAudiences: []
openIDTokenIssuerTrustCertsFilePath:
openIDRoleClaim:
openIDAcceptedTimeLeewaySeconds: "0"
openIDCacheSize: "5"
openIDCacheRefreshAfterWriteSeconds: "64800"
openIDCacheExpirationSeconds: "86400"
openIDHttpConnectionTimeoutMillis: "10000"
openIDHttpReadTimeoutMillis: "10000"
openIDKeyIdCacheMissRefreshSeconds: "300"
openIDRequireIssuersUseHttps: "true"
openIDFallbackDiscoveryMode: "DISABLED"
authorization: authorization:
enabled: false enabled: false
superUsers: superUsers: