Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/pulsar manager v0.2.0 with jwt setup admin account creation #219

Merged
merged 9 commits into from
Feb 21, 2024
Merged

Feature/pulsar manager v0.2.0 with jwt setup admin account creation #219

merged 9 commits into from
Feb 21, 2024

Conversation

csthomas1
Copy link
Contributor

@csthomas1 csthomas1 commented Jan 27, 2022
edited

Fixes #133
Fixes #108
Fixes #86
Fixes #31

Motivation

The docker image for Pulsar Manager v0.2.0 includes support for JWT-based configurations, so long as the appropriate environment variables are specified:

  • JWT_TOKEN
  • PRIVATE_KEY/PUBLIC_KEY -or- SECRET_KEY

The k8s secrets that can populate each of the above environment variables are created by the 'prepare_helm_release.sh' script when it is run prior to installation of the helm chart. Unfortunately, the helm chart doesn't current provide a way to directly expose these secrets to the Pulsar Manager deployment. Instead, it requires that these values be separately set in the "configData" map of the "pulsar_manager" section, which creates the opportunity for them to go out of sync. Further, it exposes in clear text potentially sensitive values (the superuser token and the key material) in the ConfigMap alongside other environment settings.

Pulsar Manager v0.2.0 has also introduced a user management capability that is enabled by default, and requires that the initial admin/superuser account be created via web service call (see https://github.com/apache/pulsar-manager/blob/master/README.md).

Finally, the current helm chart mistakenly conflates the Pulsar Manager admin user's credentials with those of the Postgres user account used to establish a connection to the Pulsar Manager's internal database -- it mounts the admin user's credentials secret to the "USERNAME" and "PASSWORD" environment variables, despite the fact that these control only the datasource connection parameters as described above. Further, with the current secret mounting approach, changing the admin credentials actually breaks the Pulsar Manager deployment because the pulsar database credentials are hardcoded in the postgres db initialization script.

The changes included in this PR do the following:

  1. Enable mounting of the appropriate JWT and key secrets to the appropriate environment variables when JWT authentication is enabled;
  2. Automatically (when requested) creates the initial admin account via web service call on container startup. This initial account will be configured with the credentials contained in the manager's admin secret.
  3. The manager's admin secret will no longer be used to set the USERNAME and PASSWORD environment variables for reasons described above; hence, changing the admin secret will now correctly only affect the credentials recognized as the default login to the Pulsar Manager and will no longer break the connection to Pulsar Manager's internal database.

Modifications

  1. In charts/pulsar/values.yaml:
  • Added auth.superUsers type "manager," which defaults to blank. Setting a value here determines the JWT secret (generated by the prepare_helm_release.sh script) that will be used by the Pulsar Manager to communicate with the Pulsar brokers when JWT authentication is enabled.
  • Added pulsar_manager.autoCreateAdminAccount, which defaults to true. When this value is set to true, a sidecar will be added to the Pulsar Manager pod that will create the admin's account from the configured credentials when the container launches.
  • Added 'USERNAME' and 'PASSWORD' with values of pulsar/pulsar to pulsar_manager.configData, since these values currently must agree with the hardcoded values in the database initialization script
  1. In charts/pulsar/templates/pulsar-manager-deployment.yaml:
  • REMOVED the mounts of the pulsar admin secret to the USERNAME and PASSWORD environment variables.
  • ADDED env secretKeyRefs for JWT_TOKEN to the "manager" superUser token when jwt authentication is enabled
  • ADDED env file path value for SECRET_KEY when jwt authentication is enabled and jwt.usingSecretKey is true
  • ADDED env file path value for PRIVATE_KEY and PUBLIC_KEY when jwt authentication is enabled and jwt.usingSecretKey is false
  • ADDED volume mount for pulsar-manager-keys when jwt authentication is enabled
  • ADDED volume for the symmetric token signing key when jwt authentication is enabled and jwt.usingSecretKey is true
  • ADDED volume for the asymmetric token signing key when jwt authentication is enabled and jwt.usingSecretKey is false
  • ADDED sidecar container to initialize admin user account when pulsar_manager.autoCreateAdminAccount is true.
    Upon launch, the sidecar will attempt to curl the pulsar-manager's main page every 3 seconds until it receives a successful status. At that point, it will perform the procedure described in the pulsar manager README.md (get a CSRF token, then
    make another service call to create the admin account). It will then sleep forever.

Verifying this change

  • Make sure that the change passes the CI checks.

@csthomas1
Copy link
Contributor Author

csthomas1 commented Jan 28, 2022
edited

Okay, tests done and passing, I think this is good to go.

@csthomas1 csthomas1 force-pushed the feature/pulsar-manager-v0.2.0-with-jwt-setup-admin-account-creation branch from b4ffe85 to 71a73fb Compare January 31, 2022 23:00
@mzwennes
Copy link

mzwennes commented Aug 3, 2022

@tuteng Could these changes be merged? I would love to be able to set the JWT via a Secret.

@lhotari
Copy link
Member

lhotari commented Feb 14, 2024

@csthomas1 would you like to rebase the changes?

@Mortom123 Please review this. Would something like this be useful?

@csthomas1
Copy link
Contributor Author

csthomas1 commented Feb 14, 2024 via email

@lhotari
Copy link
Member

lhotari commented Feb 14, 2024

Yes, I'll try to take a look at this later this week.

@csthomas1 Awesome! Please ensure compatibility with changes that @Mortom123 made in #457. Looking forward to your contribution!

@csthomas1
Merge branch 'master' into jwt-merge
0c90fc3 
Conflicts:
	.ci/chart_test.sh
	.ci/clusters/values-jwt-asymmetric.yaml
	.ci/clusters/values-jwt-symmetric.yaml
	.ci/clusters/values-tls.yaml
	.ci/helm.sh
	.github/workflows/pulsar_jwt_asymmetric.yml
	.github/workflows/pulsar_jwt_symmetric.yml
	.github/workflows/pulsar_tls.yml
	charts/pulsar/templates/broker-configmap.yaml
	charts/pulsar/templates/proxy-configmap.yaml
	charts/pulsar/templates/pulsar-manager-statefulset.yaml
	charts/pulsar/values.yaml
@csthomas1
Removed variables accidentally re-added and comments no longer relevant
279c454
@csthomas1 csthomas1 force-pushed the feature/pulsar-manager-v0.2.0-with-jwt-setup-admin-account-creation branch from c9285e2 to 279c454 Compare February 16, 2024 21:40
@lhotari
Copy link
Member

lhotari commented Feb 16, 2024
edited

@csthomas1 It's possible to get a ssh shell into the build VM if you open a PR to your own fork. This comment and screenshot might help with that: #448 (comment) . The ssh shell is only available in fork builds because of security reasons. It won't get activated for the master branch build in the fork since the rule is based a PR event.

In the shell, you can run k9s or kubectl get all -A and any kubectl commands after the cluster is running.

lhotari
lhotari approved these changes Feb 21, 2024
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job! Thanks for the contribution @csthomas1 !

@lhotari lhotari merged commit cb269bb into apache:master Feb 21, 2024
27 of 30 checks passed
@lhotari lhotari mentioned this pull request Feb 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

@tuteng tuteng tuteng approved these changes

@sijie sijie Awaiting requested review from sijie

@MarvinCai MarvinCai Awaiting requested review from MarvinCai

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@csthomas1 @mzwennes @lhotari @tuteng