Comments (3)
rockybean
commented on June 9, 2024
@addisonj
The relative settings are as below.
{{- if .Values.auth.authentication.enabled }}
authenticationEnabled: "true"
authenticationProviders: "io.streamnative.pulsar.broker.authentication.AuthenticationProviderOIDCToken"
brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
PULSAR_PREFIX_vaultHost: {{ template "pulsar.vault.url" . }}
PULSAR_PREFIX_OIDCPublicKeyPath: "{{ template "pulsar.vault.url" . }}/v1/identity/oidc/.well-known/keys"
superUserRoles: "admin"
{{- end }}
As the token can't be generated until vault server starts up and vault-init script runs, we can't set token via chart config. Here k8s secret named xxx-sn-platform-vault-secret-env-injection is used to inject token to pods via env parameters. It's something like below.
apiVersion: v1
data:
PULSAR_PREFIX_OIDCTokenAudienceID: TUE5ZUVvSDdVYW8zZ3pHbjRkNkkyQ215NkEsRWFheUVacTRITlJBeFczMmZrcHl5SjhQdFksZlc0RUZ1dVF0eTdpYThIS1FkYlVUWkNKeGgsYVJ1TVZzWndpcEZaMHIyak1qbWFyTzYxc2U=
VAULT_APPROLE_MOUNT_ACCESSOR: YXV0aF9hcHByb2xlX2YwMWViNDg1
VAULT_APPROLE_ROLE_ID: YjRkNzgwZGEtN2NkYS1kMTNjLWJjZDYtYTc0M2M3YzZkMDli
VAULT_APPROLE_SECRET_ID: NTY0MGVhYWMtMjNhNS1mYWM4LWE1OTAtMGEwNzhiMjlhOWM0
VAULT_APPROLE_SUPER_NAME: YXBhY2hlcHVsc2Fy
VAULT_APPROLE_SUPER_TOKEN: cy55eEJoZERPeGlYNjhIc1Nib2kySUVNdHE=
VAULT_HOST: aHR0cDovL2RlbW8tc24tcGxhdGZvcm0tdmF1bHQ6ODIwMA==
VAULT_SUPER_USER_NAME: YWRtaW4=
VAULT_SUPER_USER_PASSWORD: M1Y3ZWpTbFFVWUpT
VAULT_SUPER_USER_TOKEN: cy55eEJoZERPeGlYNjhIc1Nib2kySUVNdHE=
VAULT_USERPASS_MOUNT_ACCESSOR: YXV0aF91c2VycGFzc18yMzZmYTBhYw==
brokerClientAuthenticationParameters: WWpSa056Z3daR0V0TjJOa1lTMWtNVE5qTFdKalpEWXRZVGMwTTJNM1l6WmtNRGxpT2pVMk5EQmxZV0ZqTFRJellUVXRabUZqT0MxaE5Ua3dMVEJoTURjNFlqSTVZVGxqTkFvPQ==
kind: Secret
metadata:
creationTimestamp: "2021-08-17T02:04:09Z"
name: demo-sn-platform-vault-secret-env-injection
namespace: pulsar-demo
resourceVersion: "32442561"
uid: 5af60465-d3a2-4641-9ffe-34ed4847fb45
type: Opaque
The relative settings for pod is something like below.
- name: PULSAR_PREFIX_OIDCTokenAudienceID
valueFrom:
secretKeyRef:
name: {{ template "pulsar.vault-secret-key-name" . }}
key: PULSAR_PREFIX_OIDCTokenAudienceID
- name: brokerClientAuthenticationParameters
valueFrom:
secretKeyRef:
name: {{ template "pulsar.vault-secret-key-name" . }}
key: brokerClientAuthenticationParameters
Then this broker can communicate with vault and other brokers correctly.
Hope this can help you~
from charts.
rockybean
commented on June 9, 2024
Vault token generation script is as below.
from charts.
addisonj
commented on June 9, 2024
Closing as this was just misunderstanding on my part :)
from charts.
Related Issues (20)
- [sn-platform] Remove the presto config `pulsar.managed-ledger-num-worker-threads`
- sn-platform-streamnative-console failed to initialize as /pulsar-manager/gateway/gateway-entrypoint.sh not found HOT 5
- Pulsar Operator: PulsarProxy is not able configure correct Liveness check for WebSocket HOT 3
- Toolset initContainer busybox crash
- Busybox cli not work in toolset
- Pulsarctl config can't be loaded
- Improve logic when jwt and vault enabled both
- [pulsar-operator]Fix rbac issue when watching specific namespace
- upgrade pulsar image to 3.0
- Wrong namespace for RBAC and clusterrole with multi-namespace
- [sn-platform][fix]: toolset.kafka container doesn't support non-root user
- [charts/sn-platform] pulsar detector only support "token" auth in template. HOT 1
- [pulsar-operator] how to set different kafkaAdvertisedListeners for different pulsar broker pod
- [sn-platform] Support migrate from non-Istio to Istio
- fix: detector missed the resources limit on the server container.
- feat: support some extra configures on the detector
- [sn-platform] Avoid downloading in Job jwt-secret-init
- Can't specify imagePullSecret for jwt init job
- Support setting the resources for the backup service
- [pulsar-operator] Disable/Debug startup probe failure
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from charts.