Comments (3)
@addisonj
The relevant settings are as below.
{{- if .Values.auth.authentication.enabled }}
authenticationEnabled: "true"
authenticationProviders: "io.streamnative.pulsar.broker.authentication.AuthenticationProviderOIDCToken"
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
PULSAR_PREFIX_vaultHost: {{ template "pulsar.vault.url" . }}
PULSAR_PREFIX_OIDCPublicKeyPath: "{{ template "pulsar.vault.url" . }}/v1/identity/oidc/.well-known/keys"
superUserRoles: "admin"
{{- end }}
As the token can't be generated until the vault server starts up and the vault-init script runs, we can't set the token via chart config. Here a k8s secret named xxx-sn-platform-vault-secret-env-injection
is used to inject the token into pods via env parameters. It's something like below.
apiVersion: v1
data:
  PULSAR_PREFIX_OIDCTokenAudienceID: TUE5ZUVvSDdVYW8zZ3pHbjRkNkkyQ215NkEsRWFheUVacTRITlJBeFczMmZrcHl5SjhQdFksZlc0RUZ1dVF0eTdpYThIS1FkYlVUWkNKeGgsYVJ1TVZzWndpcEZaMHIyak1qbWFyTzYxc2U=
  VAULT_APPROLE_MOUNT_ACCESSOR: YXV0aF9hcHByb2xlX2YwMWViNDg1
  VAULT_APPROLE_ROLE_ID: YjRkNzgwZGEtN2NkYS1kMTNjLWJjZDYtYTc0M2M3YzZkMDli
  VAULT_APPROLE_SECRET_ID: NTY0MGVhYWMtMjNhNS1mYWM4LWE1OTAtMGEwNzhiMjlhOWM0
  VAULT_APPROLE_SUPER_NAME: YXBhY2hlcHVsc2Fy
  VAULT_APPROLE_SUPER_TOKEN: cy55eEJoZERPeGlYNjhIc1Nib2kySUVNdHE=
  VAULT_HOST: aHR0cDovL2RlbW8tc24tcGxhdGZvcm0tdmF1bHQ6ODIwMA==
  VAULT_SUPER_USER_NAME: YWRtaW4=
  VAULT_SUPER_USER_PASSWORD: M1Y3ZWpTbFFVWUpT
  VAULT_SUPER_USER_TOKEN: cy55eEJoZERPeGlYNjhIc1Nib2kySUVNdHE=
  VAULT_USERPASS_MOUNT_ACCESSOR: YXV0aF91c2VycGFzc18yMzZmYTBhYw==
  brokerClientAuthenticationParameters: WWpSa056Z3daR0V0TjJOa1lTMWtNVE5qTFdKalpEWXRZVGMwTTJNM1l6WmtNRGxpT2pVMk5EQmxZV0ZqTFRJellUVXRabUZqT0MxaE5Ua3dMVEJoTURjNFlqSTVZVGxqTkFvPQ==
kind: Secret
metadata:
  creationTimestamp: "2021-08-17T02:04:09Z"
  name: demo-sn-platform-vault-secret-env-injection
  namespace: pulsar-demo
  resourceVersion: "32442561"
  uid: 5af60465-d3a2-4641-9ffe-34ed4847fb45
type: Opaque
The relevant settings for the pod are something like below.
- name: PULSAR_PREFIX_OIDCTokenAudienceID
  valueFrom:
    secretKeyRef:
      name: {{ template "pulsar.vault-secret-key-name" . }}
      key: PULSAR_PREFIX_OIDCTokenAudienceID
- name: brokerClientAuthenticationParameters
  valueFrom:
    secretKeyRef:
      name: {{ template "pulsar.vault-secret-key-name" . }}
      key: brokerClientAuthenticationParameters
Then this broker can communicate with vault and other brokers correctly.
Hope this can help you~
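The comment above relies on the kubelet resolving each `valueFrom.secretKeyRef` against a Secret that only exists after vault-init has run. The following is an added example, not code from the charts project or from the commenter: it mimics that resolution step on a constructed copy of the Secret and the rendered `env:` list, so a practitioner can see exactly which failure modes (Secret not yet created, key missing, value not valid base64) would leave the broker without its Vault credentials. All Secret values are constructed placeholders, not the values shown in the thread, and the `check_broker_env` helper is an assumption for illustration.

```python
"""Resolve a pod's secretKeyRef env entries against a Kubernetes Secret.

Added example, not code from the charts project. It mimics what the kubelet
does when building a container's environment from `valueFrom.secretKeyRef`:
look up the key in the Secret's base64-encoded `data`, decode it, and fail
(CreateContainerConfigError on a real cluster) when the Secret or the key is
absent and the reference is not marked optional.
"""
import base64
import binascii
import json

# Constructed sample of what `kubectl get secret ... -o json` would return for
# the env-injection Secret. Values are placeholders, not real credentials.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "demo-sn-platform-vault-secret-env-injection",
                 "namespace": "pulsar-demo"},
    "data": {
        "PULSAR_PREFIX_OIDCTokenAudienceID":
            base64.b64encode(b"aud-placeholder-1,aud-placeholder-2").decode(),
        "brokerClientAuthenticationParameters":
            base64.b64encode(b"placeholder-broker-client-auth-params").decode(),
        "VAULT_HOST": base64.b64encode(b"http://demo-sn-platform-vault:8200").decode(),
    },
})

# Constructed sample of the rendered `env:` list from the broker pod template.
POD_ENV = [
    {"name": "PULSAR_PREFIX_OIDCTokenAudienceID",
     "valueFrom": {"secretKeyRef": {"name": "demo-sn-platform-vault-secret-env-injection",
                                    "key": "PULSAR_PREFIX_OIDCTokenAudienceID"}}},
    {"name": "brokerClientAuthenticationParameters",
     "valueFrom": {"secretKeyRef": {"name": "demo-sn-platform-vault-secret-env-injection",
                                    "key": "brokerClientAuthenticationParameters"}}},
    {"name": "PULSAR_PREFIX_vaultHost", "value": "http://demo-sn-platform-vault:8200"},
]


class EnvResolutionError(Exception):
    """Raised where the kubelet would report CreateContainerConfigError."""


def decode_secret_data(secret):
    """Return the Secret's `data` map with every value base64-decoded to str."""
    decoded = {}
    for key, value in secret.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise EnvResolutionError(f"secret key {key!r} is not valid base64/UTF-8: {exc}")
    return decoded


def resolve_env(pod_env, secrets):
    """Build the container environment from literal `value` and `secretKeyRef` entries.

    `secrets` maps Secret name -> parsed Secret object. A missing Secret or key
    raises EnvResolutionError unless the reference carries `optional: true`,
    which is the rule the kubelet applies.
    """
    env = {}
    for entry in pod_env:
        if "value" in entry:
            env[entry["name"]] = entry["value"]
            continue
        ref = entry["valueFrom"]["secretKeyRef"]
        optional = ref.get("optional", False)
        secret = secrets.get(ref["name"])
        if secret is None:
            if optional:
                continue
            raise EnvResolutionError(f"secret {ref['name']!r} not found for env {entry['name']!r}")
        data = decode_secret_data(secret)
        if ref["key"] not in data:
            if optional:
                continue
            raise EnvResolutionError(f"key {ref['key']!r} not found in secret {ref['name']!r}")
        env[entry["name"]] = data[ref["key"]]
    return env


def check_broker_env(pod_env, secret_json):
    """Resolve the broker env and report keys that resolved to an empty value.

    Hypothetical helper: an empty credential parameter would let the pod start
    but leave the broker unable to authenticate to Vault or to other brokers.
    """
    secret = json.loads(secret_json)
    env = resolve_env(pod_env, {secret["metadata"]["name"]: secret})
    findings = [name for name in ("PULSAR_PREFIX_OIDCTokenAudienceID",
                                  "brokerClientAuthenticationParameters")
                if not env.get(name)]
    return env, findings


if __name__ == "__main__":
    resolved, problems = check_broker_env(POD_ENV, SECRET_JSON)
    print(sorted(resolved))
    print(problems or "no findings")
```

Running `resolve_env(POD_ENV, {})` reproduces the ordering problem the comment describes: before vault-init has created the Secret, every non-optional reference fails, which is why the token cannot simply be set through chart values.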
Vault token generation script is as below.
Closing as this was just misunderstanding on my part :)