apache/pulsar-helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
pulsar-helm-chart/.ci/clusters/values-openid.yaml
Bruno Domenici a9f2ba76ae
OpenID: introducing support for OpenID configuration (#509) 
* feat!(openid): introducing support for openid configuration

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled

* add upgrading to 4.1.0

* add validation for deprecated values

* add openid CI with keycloak

* fix chart-testing lint new-line-at-end-of-file

* fix keycloak dependency repository

* fix keycloak repository

* fix yaml to json convert error

* disable keycloak to validate github actions before re-enable it

* disable openid test scenario

* disable keycloak in values

* enable keycloak without authentication and authorization

* add openid test scenario

* disable test scenario other than openid

* enable all test scenario

* disable functions component

* create openid resources

* test truncate command

* test truncate command

* change client_secret generator

* change client_secret generator

* test python

* fix script

* fix script

* print python result

* test python

* test python

* fix client_secret generation

* fix create openid resources

* fix secret name

* fix mount keycloak config

* fix keycloak service

* exclude keycloak from chart

* add license

* add license

* wait keycloak is alive

* fix keycloak chart install namespace

* add test pulsar real openid config

* fix keycloak issuer url

* fix pod name

* remove check keycloak alive

* check realm pulsar openid configuration

* change keycloak service

* remove test keyclock service

* remove selector to get all pod log

* wait keycloak is alive

* check keycloak realm pulsar urls

* wait until keycloak is ready

* add wait timeout

* fix realm pulsar name

* add log to debug

* add openid for toolset

* set authorization

* set authorization

* fix client template filename

* fix install keycloak

* disable authorization

* debug sub claim value

* fix sub claim value

* cleanup

* enable all build

---------

Co-authored-by: glecroc <guillaume.lecroc@cnp.fr>
2025-05-20 14:09:12 +03:00

95 lines
3.8 KiB
YAML
Raw Blame History

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Mount crendentials to each component
proxy:
configData:
# Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-proxy-credentials
secret:
secretName: pulsar-proxy-credentials
extraVolumeMounts:
- name: pulsar-proxy-credentials
mountPath: "/pulsar/auth/proxy"
readOnly: true
broker:
configData:
# Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-broker-credentials
secret:
secretName: pulsar-broker-credentials
extraVolumeMounts:
- name: pulsar-broker-credentials
mountPath: "/pulsar/auth/broker"
readOnly: true
toolset:
configData:
authPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
authParams: '{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
extraVolumes:
- name: pulsar-admin-credentials
secret:
secretName: pulsar-admin-credentials
extraVolumeMounts:
- name: pulsar-admin-credentials
mountPath: "/pulsar/auth/admin"
readOnly: true
auth:
authentication:
enabled: true
openid:
# Enable openid authentication
enabled: true
# https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
openIDAllowedTokenIssuers:
- http://keycloak-ci-headless:8080/realms/pulsar
openIDAllowedAudiences:
- account
#openIDTokenIssuerTrustCertsFilePath:
openIDRoleClaim: "sub"
openIDAcceptedTimeLeewaySeconds: "0"
openIDCacheSize: "5"
openIDCacheRefreshAfterWriteSeconds: "64800"
openIDCacheExpirationSeconds: "86400"
openIDHttpConnectionTimeoutMillis: "10000"
openIDHttpReadTimeoutMillis: "10000"
openIDKeyIdCacheMissRefreshSeconds: "300"
openIDRequireIssuersUseHttps: "false"
openIDFallbackDiscoveryMode: "DISABLED"
authorization:
enabled: true
superUsers:
# broker to broker communication
broker: "broker-admin"
# proxy to broker communication
proxy: "proxy-admin"
# pulsar-admin client to broker/proxy communication
client: "admin"
# pulsar manager to broker
manager: "manager-admin"
Reference in New Issue View Git Blame Copy Permalink