Support configuring "proxyRoles" in broker (#430)

* Add support for proxyRoles

* Test produce and consume via Pulsar proxy

.ci/helm.sh

@@ -164,6 +164,15 @@ function ci::install_pulsar_chart() {
     # ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -L http://pulsar-ci-proxy:8080/status.html)" == "OK" ]; do sleep 3; done'
 }
 
+helm_values_cached=""
+
+function ci::helm_values_for_deployment() {
+    if [[ -z "${helm_values_cached}" ]]; then
+        helm_values_cached=$(helm get values -n ${NAMESPACE} ${CLUSTER} -a -o yaml)
+    fi
+    printf "%s" "${helm_values_cached}"
+}
+
 function ci::test_pulsar_producer_consumer() {
     sleep 120
     ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done'
@@ -178,6 +187,14 @@ function ci::test_pulsar_producer_consumer() {
     ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test pulsar-ci/test/test-topic
     ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m "test-message" pulsar-ci/test/test-topic
     ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client consume -s test pulsar-ci/test/test-topic
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test2 pulsar-ci/test/test-topic
+    if [[ "$(ci::helm_values_for_deployment | yq .tls.proxy.enabled)" == "true" ]]; then
+      PROXY_URL="pulsar+ssl://pulsar-ci-proxy:6651"
+    else
+      PROXY_URL="pulsar://pulsar-ci-proxy:6650"
+    fi
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" produce -m "test-message2" pulsar-ci/test/test-topic
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" consume -s test2 pulsar-ci/test/test-topic
 }
 
 function ci::wait_function_running() {

charts/pulsar/templates/broker-configmap.yaml

@@ -114,6 +114,10 @@ data:
   {{- if .Values.auth.authorization.enabled }}
   authorizationEnabled: "true"
   superUserRoles: {{ .Values.auth.superUsers | values | sortAlpha | join "," }}
+  {{- if .Values.auth.useProxyRoles }}
+  proxyRoles: {{ .Values.auth.superUsers.proxy }}
+  {{- end }}
+  
   {{- end }}
   {{- if eq .Values.auth.authentication.provider "jwt" }}
   # token authentication configuration

charts/pulsar/templates/proxy-configmap.yaml

@@ -64,8 +64,12 @@ data:
   # disable authorization on proxy and forward authorization credentials to broker
   authorizationEnabled: "false"
   forwardAuthorizationCredentials: "true"
+  {{- if .Values.auth.useProxyRoles }}
+  superUserRoles: {{ omit .Values.auth.superUsers "proxy" | values | sortAlpha | join "," }}
+  {{- else }}
   superUserRoles: {{ .Values.auth.superUsers | values | sortAlpha | join "," }}
   {{- end }}
+  {{- end }}
   {{- if eq .Values.auth.authentication.provider "jwt" }}
   # token authentication configuration
   authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"

charts/pulsar/values.yaml

@@ -249,6 +249,9 @@ auth:
     proxy: "proxy-admin"
     # pulsar-admin client to broker/proxy communication
     client: "admin"
+  # omits the above proxy role from superusers on the proxy
+  # and configures it as a proxy role on the broker in addition to the superusers
+  useProxyRoles: true
 
 ######################################################################
 # External dependencies