Add support for generating JWT secrets during install #672
lhotari merged 4 commits into apache:master from
7a3e30f to b49cc0e
b49cc0e to c641785
Thanks for the contribution @smbecker, very useful improvement.
Pull request overview
Adds Helm chart support for optionally generating Pulsar JWT signing keys and per-superuser JWT token Kubernetes Secrets during install/upgrade, removing the need to pre-create these secrets externally.
Changes:
- Add `auth.authentication.jwt.generateSecrets` configuration to enable a pre-install/pre-upgrade secret init Job.
- Add `auth.authentication.jwt.secretAnnotations` to optionally annotate generated secrets.
- Add `images.kubectl.pullPolicy` value to control the kubectl image pull policy.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| charts/pulsar/values.yaml | Introduces values to enable/shape JWT secret generation and secret annotations; adds kubectl pullPolicy value. |
| charts/pulsar/templates/jwt-secret-init.yaml | New hook Job + RBAC to generate JWT keys/tokens and create corresponding Kubernetes Secrets. |
lhotari left a comment
Please add an integration test to CI to validate the behavior. It might require multiple changes in .ci and hack directories besides .github/workflows/pulsar-helm-chart-ci.yaml. For example, you can add a new values file based on .ci/clusters/values-jwt-asymmetric.yaml. The CI scripts would require changes to disable the solution that creates the JWT tokens using the manual way. You can test the CI changes by enabling GitHub Actions in your own fork and creating a PR to your own fork to trigger the workflow run without waiting for maintainer approvals on apache/pulsar-helm-chart. In forks, it's also possible to ssh into the GitHub Action runner to investigate issues.
I already merged this PR, but would you also like to update README.md to reflect the changes made by this PR?
I don't see much that would need to change in the README, perhaps just updating the examples, which I can update if you want. The bigger change would need to happen in the documentation site where it directs you to use the
Motivation
This eliminates the need for generating the JWT tokens outside of the helm chart before feeding the values into the chart.
Modifications
Adds an optional pre-install hook that generates the necessary JWT tokens and saves them as the expected Kubernetes secrets.
Verifying this change