Mortom123 opened a new issue, #472:
URL: https://github.com/apache/pulsar-helm-chart/issues/472
**Describe the bug**
Deploying Pulsar with JWT authentication enabled is impossible for me. Would
be very glad for any advice :)
I populated the key for JWT authentication using this script (basically a
very shortened `prepare_pulsar_release.sh` script using StreamNative's
pulsarctl):
```
#!/usr/bin/env bash
# Generate an RS256 key pair and one JWT per superuser role for a Pulsar helm
# release, storing them as Kubernetes secrets (trimmed-down variant of the
# chart's prepare script that shells out to StreamNative's pulsarctl).
set -euo pipefail
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
PULSAR_CTL="${SCRIPT_DIR}/pulsarctl"
echo "$SCRIPT_DIR"
ls "$SCRIPT_DIR"
chmod +x "$PULSAR_CTL"

usage() {
cat <<EOF
This script is used to generate token secret key for a given pulsar helm release.

Options:
  -h,--help            prints the usage message
  --namespace          the k8s namespace to install the pulsar helm chart
  --release            the pulsar helm release name
  --pulsar_superusers  comma-separated superuser roles to create tokens for

Usage:
  $0 --namespace pulsar --release pulsar --pulsar_superusers proxy-admin,broker-admin,admin,cim
EOF
}

namespace=""
release=""
pulsar_superusers=""
# when true, PRIVATEKEY/PUBLICKEY are read from the working directory instead of the secret
use_local_keys=false

while [[ $# -gt 0 ]]; do
  key="$1"
  case $key in
    --namespace)
      namespace="$2"
      shift 2
      ;;
    --release)
      release="$2"
      shift 2
      ;;
    --pulsar_superusers)
      pulsar_superusers="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "unknown option: $key"
      usage
      exit 1
      ;;
  esac
done

if [[ -z "$namespace" || -z "$release" || -z "$pulsar_superusers" ]]; then
  echo "--namespace, --release and --pulsar_superusers are all required" >&2
  usage
  exit 1
fi

function pulsar::jwt::generate_asymmetric_key_secret() {
  local secret_name="${release}-token-asymmetric-key"
  privatekeytmpfile=$(mktemp)
  publickeytmpfile=$(mktemp)
  # a single RETURN trap for both files: a second `trap ... RETURN` replaces the first,
  # which would leave the private key temp file behind
  trap "rm -f $privatekeytmpfile $publickeytmpfile" RETURN
  echo "${PULSAR_CTL} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}"
  "${PULSAR_CTL}" token create-key-pair -a RS256 --output-private-key "${privatekeytmpfile}" --output-public-key "${publickeytmpfile}"
  mv "$privatekeytmpfile" PRIVATEKEY
  mv "$publickeytmpfile" PUBLICKEY
  kubectl create secret generic "${secret_name}" -n "${namespace}" --from-file=PRIVATEKEY --from-file=PUBLICKEY
  rm PRIVATEKEY
  rm PUBLICKEY
}

function pulsar::jwt::get_secret() {
  local type=$1
  local tmpfile=$2
  local secret_name=$3
  echo "${secret_name}"
  if [[ "${use_local_keys}" == "true" ]]; then
    cp "${type}" "${tmpfile}"
  else
    kubectl get -n "${namespace}" secrets "${secret_name}" -o jsonpath="{.data['${type}']}" | base64 --decode > "${tmpfile}"
  fi
}

function pulsar::jwt::generate_asymmetric_token() {
  local role=$1
  echo "${role}"
  local token_name="${release}-token-${role}"
  local secret_name="${release}-token-asymmetric-key"
  privatekeytmpfile=$(mktemp)
  tokentmpfile=$(mktemp)
  newtokentmpfile=$(mktemp)
  # one trap for all three temp files; the private key copy must not outlive this function
  trap "rm -f $privatekeytmpfile $tokentmpfile $newtokentmpfile" RETURN
  pulsar::jwt::get_secret PRIVATEKEY "${privatekeytmpfile}" "${secret_name}"
  # capture stdout only: the original `2&> file` passes a stray "2" argument to pulsarctl
  # and sends its stderr into the token file, so any diagnostic line would end up inside
  # the stored TOKEN and it would no longer be a valid JWT
  "${PULSAR_CTL}" token create -a RS256 --private-key-file "${privatekeytmpfile}" --subject "${role}" > "${tokentmpfile}"
  tr -d '\n' < "${tokentmpfile}" > "${newtokentmpfile}"
  kubectl create secret generic "${token_name}" -n "${namespace}" --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
}

pulsar::jwt::generate_asymmetric_key_secret
IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
for user in "${superusers[@]}"; do
  echo "generate the token for $user" >&2
  pulsar::jwt::generate_asymmetric_token "$user"
done
```
`values.yaml` auth section is set to:
```
# Enable or disable broker authentication and authorization.
auth:
  authentication:
    enabled: true
    provider: "jwt"
    jwt:
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: false
  authorization:
    enabled: true
  superUsers:
    # broker to broker communication
    broker: "broker-admin"
    # proxy to broker communication
    proxy: "proxy-admin"
    # pulsar-admin client to broker/proxy communication
    client: "admin"
```
This results in the following error:
```
	at org.apache.pulsar.broker.PulsarService.startWorkerService(PulsarService.java:1624) ~[org.apache.pulsar-pulsar-broker-2.10.4.jar:2.10.4]
2024-03-18T16:18:13.576164634Z 	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:808) ~[org.apache.pulsar-pulsar-broker-2.10.4.jar:2.10.4]
	... 2 more
	Suppressed: org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Unauthorized
		at org.apache.pulsar.client.admin.internal.BaseResource.getApiException(BaseResource.java:232) ~[org.apache.pulsar-pulsar-client-admin-original-2.10.4.jar:2.10.4]
```
**To Reproduce**
Steps to reproduce the behavior:
1. Download release 2.10.4
2. Enable auth in `values.yaml`
3. Use the script together with [pulsarctl](https://github.com/streamnative/pulsarctl) to generate a pair of asymmetric keys and tokens. Put `pulsarctl` as a sibling of the script and run:
`generate_secrets.sh --namespace pulsar --release pulsar --pulsar_superusers proxy-admin,broker-admin,admin`
4. `helm install -n pulsar ...`
**Expected behavior**
I expect the helm chart to install successfully with no errors on the broker side.
**Additional context**
I am using an older version of the helm-chart (2.10.4)
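The 401 above is raised while the broker presents its own token, so before reinstalling it is worth reading the TOKEN back out of the `<release>-token-<role>` secret (the script's own `kubectl get ... | base64 --decode`) and checking that it is exactly one JWT, with `alg` RS256 and a `sub` equal to the superuser role in `values.yaml`. The checker below is an added example written in Python rather than the script's bash; it is not code from this issue or from the pulsar-helm-chart project, works on already-fetched token bytes, uses constructed sample tokens with dummy signatures, and does not verify signatures.

```python
import base64
import json
import re

# Superuser roles from the issue's values.yaml; the broker's own token must carry sub=broker-admin.
SUPERUSERS = {"broker": "broker-admin", "proxy": "proxy-admin", "client": "admin"}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token(raw: bytes, expected_role: str) -> dict:
    """Check a TOKEN value as read back from the <release>-token-<role> secret.

    Flags what the generation script can get wrong: stray text around the JWT
    (whitespace, or stderr captured into the token file), an undecodable header
    or payload, an alg other than RS256, and a subject that is not the configured
    superuser role. The signature itself is not verified here."""
    text = raw.decode("utf-8", errors="replace")
    problems = []
    found = re.findall(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", text)
    if len(found) != 1:
        return {"ok": False, "problems": [f"expected one JWT, found {len(found)}"]}
    token = found[0]
    if token != text:
        problems.append("extra text around the token (whitespace or captured log output)")
    try:
        head_seg, body_seg, _sig = token.split(".")
        header = json.loads(_b64url_decode(head_seg))
        payload = json.loads(_b64url_decode(body_seg))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return {"ok": False, "problems": problems + [f"header/payload not decodable: {exc}"]}
    if header.get("alg") != "RS256":
        problems.append(f"alg {header.get('alg')!r} is not the RS256 the key pair was created for")
    if payload.get("sub") != expected_role:
        problems.append(f"sub {payload.get('sub')!r} does not match superuser role {expected_role!r}")
    return {"ok": not problems, "alg": header.get("alg"), "sub": payload.get("sub"), "problems": problems}

def make_demo_token(alg: str, sub: str) -> str:
    """Constructed demo JWT with a dummy signature, only for exercising inspect_token."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': sub})}.ZHVtbXk"

# Constructed samples: a clean token, one with a log line captured via `2&>`, one with the wrong subject.
GOOD = make_demo_token("RS256", SUPERUSERS["broker"]).encode()
WITH_LOG = b"WARN pulsarctl diagnostic line\n" + GOOD + b"\n"
WRONG_SUB = make_demo_token("RS256", "broker").encode()
```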
--
This is an automated message from the Apache Git Service.