[Broker] Support disabling non-TLS service ports

[lhotari]

Fixes #11548

Motivation

Disabling non-TLS service ports isn't possible at the moment. Issue #11548 has been reported and contains instructions to reproduce the issue.

Modifications

• Make changes to supports disabling non-TLS service ports in broker.conf/standalone.conf by providing empty values:

brokerServicePort=
webServicePort=

• there were a few locations where the Optional port value was not checked for existence.
• embedded Function Worker Service didn't work with TLS only broker. Fix issues in configuring Function Worker Service.
• add support for MockedPulsarServiceBaseTest tests to disable non-TLS ports.

[sijie]

I am not sure how does your PR solve #11548. From what I can see, you are basically changing the function worker service and tests. There is nothing related to brokers. Can you clarify how does your PR fix #11548?

[eolivelli]

Overall looks good to me.
I left one comment PTAL

[lhotari]

I am not sure how does your PR solve #11548. From what I can see, you are basically changing the function worker service and tests. There is nothing related to brokers. Can you clarify how does your PR fix #11548?

@sijie This is the first issue to hit with "pulsar standalone":

12:11:04.314 [main] ERROR org.apache.pulsar.broker.PulsarService - Failed to start Pulsar service: No value present
java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:148) ~[?:?]
	at org.apache.pulsar.broker.loadbalance.NoopLoadManager.start(NoopLoadManager.java:55) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startLoadManagementService(PulsarService.java:1047) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:751) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]
12:11:04.314 [main] ERROR org.apache.pulsar.PulsarStandaloneStarter - Failed to start pulsar service.
org.apache.pulsar.broker.PulsarServerException: java.util.NoSuchElementException: No value present
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:796) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]
Caused by: java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:148) ~[?:?]
	at org.apache.pulsar.broker.loadbalance.NoopLoadManager.start(NoopLoadManager.java:55) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startLoadManagementService(PulsarService.java:1047) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:751) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	... 2 more

Perhaps the PR description is currently confusing. In PR #11548, the problem is that when you set non-tls ports to an empty value, exceptions will happen. I tested with Pulsar development version by building Pulsar locally and appending these settings to standalone.conf:

brokerServicePort=
brokerServicePortTls=6651
webServicePort=
webServicePortTls=8443
brokerClientTlsEnabled=true
tlsEnabled=true
tlsAllowInsecureConnection=true
tlsCertificateFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.cert.pem
tlsKeyFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.key-pk8.pem
tlsTrustCertsFilePath=pulsar-broker/src/test/resources/authentication/tls-http/ca.cert.pem

and then starting Pulsar with ./bin/pulsar standalone. I simply kept iterating until the problems were fixed.

I also added unit tests to verify that an empty port value gets converted to Optional.empty. The unit test for TLS without non-TLS ports enabled is also added to verify that in unit tests. That's the reason to add these tests. I added these tests before starting to work on testing it manually with Pulsar standalone.

The reason why the change to Function Worker service is required is that "useTls" setting is deprecated in configuration:

pulsar/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java

Lines 357 to 360 in 047fb6a

	// TLS for Functions -> Broker
	// @deprecated use "pulsar+ssl://" in serviceUrl to enable
	@Deprecated
	private boolean useTls = false;

The same applies to "tlsEnabled" in broker.conf. It has been marked as deprecated.
tlsEnabled was deprecated by PR #2988 many years ago.
At first I was testing without setting tlsEnabled=true and that's why I hit the issue and needed to make the changes.

@sijie I didn't record all of the exceptions that happen without the changes and what this PR fixes. Is that necessary for accepting this PR?

[lhotari]

@sijie This was the 2nd exception that this PR fixed in Pulsar Standalone (with TLS ports only config mentioned in my previous comment):

12:29:46.424 [main] ERROR org.apache.pulsar.functions.worker.PulsarWorkerService - Error Starting up in worker
java.lang.NullPointerException: null
	at org.apache.pulsar.client.admin.internal.PulsarAdminImpl.<init>(PulsarAdminImpl.java:189) ~[pulsar-client-admin-original.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.client.admin.internal.PulsarAdminBuilderImpl.build(PulsarAdminBuilderImpl.java:47) ~[pulsar-client-admin-original.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.WorkerUtils.getPulsarAdminClient(WorkerUtils.java:221) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.WorkerUtils.getPulsarAdminClient(WorkerUtils.java:196) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.PulsarWorkerService$1.newPulsarAdmin(PulsarWorkerService.java:144) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.PulsarWorkerService.start(PulsarWorkerService.java:433) [pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startWorkerService(PulsarService.java:1575) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:764) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]

[lhotari]

without making any changes, disabling non-TLS service ports works for Pulsar Stanadlone when Function Worker is disabled and when loadManagerClassName=org.apache.pulsar.broker.loadbalance.impl.ModularLoadManagerImpl setting is used.
I verified by appending these lines to conf/standalone.conf

brokerServicePort=
brokerServicePortTls=6651
webServicePort=
webServicePortTls=8443
brokerClientTlsEnabled=true
tlsEnabled=true
tlsAllowInsecureConnection=true
tlsCertificateFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.cert.pem
tlsKeyFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.key-pk8.pem
tlsTrustCertsFilePath=pulsar-broker/src/test/resources/authentication/tls-http/ca.cert.pem
loadManagerClassName=org.apache.pulsar.broker.loadbalance.impl.ModularLoadManagerImpl

and starting with ./bin/pulsar standalone --no-functions-worker --no-stream-storage

@sijie This is the reason why this fix contains some changes to Functions worker configuration.

[Anonymitaet]

Thanks for your contribution. Do we need to update docs here https://pulsar.apache.org/docs/en/next/reference-configuration/#broker?

[michaeljmarshall]

LGTM

It's worth adding that the helm chart already creates the pulsar broker service in such a way that either the non-TLS port or the TLS port (exclusively) is open for the pulsar protocol: https://github.com/apache/pulsar-helm-chart/blob/c3e4ea272b15d7e806d2585059686e8270b98b67/charts/pulsar/templates/broker-service.yaml#L32-L45

  ports:
  # prometheus needs to access /metrics endpoint
  - name: http
    port: {{ .Values.broker.ports.http }}
  {{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }}
  - name: pulsar
    port: {{ .Values.broker.ports.pulsar }}
  {{- end }}
  {{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
  - name: https
    port: {{ .Values.broker.ports.https }}
  - name: pulsarssl
    port: {{ .Values.broker.ports.pulsarssl }}
  {{- end }}

[lhotari]

Thanks for your contribution. Do we need to update docs here https://pulsar.apache.org/docs/en/next/reference-configuration/#broker?

@Anonymitaet Yes, it would be useful to add docs that it's possible to disable the non-TLS ports brokerServicePort and webServicePort by providing an empty value. In this case it's necessary to specify brokerClientTlsEnabled=true and either set tlsAllowInsecureConnection=true or configure brokerClientTlsEnabledWithKeyStore=true and the related settings brokerClientTlsTrustStore and brokerClientTlsTrustStorePassword. I'll add this to the docs.

[lhotari]

@Anonymitaet I added docs to security-tls-keystore.md file. Please review

[Anonymitaet]

Thanks for your contribution. I've made some comments, PTAL.

[lhotari]

Thanks for your contribution. I've made some comments, PTAL.

@Anonymitaet thanks for the suggestions. I committed them. Please PTAL

[lhotari]

PR for cherry-picking to branch-2.7 is #11724

[lhotari]

#20535 is also required for supporting disabling of non-TLS service ports.