gulecroc commented on PR #509: URL: https://github.com/apache/pulsar-helm-chart/pull/509#issuecomment-2867055027
Hi @lhotari,

For the moment I have configured the authentication:

* added the bitnami keycloak chart as a dependency with default value `keycloak.enabled: false`
* import Datastax `pulsar-realm.json` on keycloak startup
* create a keycloak mapper to set the `nbf` claim in the JWT token because it is not set by keycloak and Pulsar checks it
* manually create a `pulsar-broker` client, build the `credentials_file.json` with `client_id` and `client_secret`, mount it on the broker pod and configure [the broker/proxy authentication](https://pulsar.apache.org/docs/4.0.x/security-oauth2/#enable-oauth2-authentication-on-brokersproxies)

What I suggest for CI to automate the creation of component client secrets:

* generate a client secret
* create the `credentials_file.json` file + create the `pulsar-<component>-credentials` secret + mount it to `/pulsar/auth/<component>/credentials_file.json` + set auth plugin and params
* populate the `pulsar-realm.json` file with the client secret (so the client is created in keycloak with the secret we generate)

For the authorization part, from what I saw on the JWT part you need 4 clients:

* `pulsar-broker` client with `broker-admin` role
* `pulsar-proxy` client with `proxy-admin` role
* `pulsar-admin-cli` client with `admin` role
* `pulsar-manager` client with `manager-admin` role

Is it correct?
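One way to script the CI step proposed in the comment above, as an added Python example that is not code from the PR or from the pulsar-helm-chart project: it generates a fresh client secret per component, writes it into the matching client entry of the realm export Keycloak will import, and renders the Kubernetes Secret carrying `credentials_file.json` for the pod mount. The realm fragment and issuer URL are constructed sample values; the credentials file layout follows Pulsar's documented `client_credentials` format.

```python
import base64
import json
import secrets

# Constructed sample: fragment of a Keycloak realm export; only the fields
# this example touches are shown.
REALM_TEMPLATE = {
    "realm": "pulsar",
    "clients": [
        {"clientId": "pulsar-broker", "publicClient": False, "secret": "REPLACE_ME"},
        {"clientId": "pulsar-proxy", "publicClient": False, "secret": "REPLACE_ME"},
    ],
}
ISSUER_URL = "https://keycloak.example.test/realms/pulsar"  # assumed issuer URL

def new_client_secret() -> str:
    # 32 random bytes from the OS CSPRNG, URL-safe encoded.
    return secrets.token_urlsafe(32)

def credentials_file(client_id, client_secret) -> dict:
    # Layout of the credentials_file.json read by Pulsar's OAuth2 plugin.
    return {"type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "issuer_url": ISSUER_URL}

def k8s_secret(component, creds) -> dict:
    # Secret the chart mounts at /pulsar/auth/<component>/credentials_file.json
    payload = base64.b64encode(json.dumps(creds).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": f"pulsar-{component}-credentials"},
            "data": {"credentials_file.json": payload}}

def decode_credentials(manifest) -> dict:
    # Inverse of k8s_secret, used to verify what the pod will actually read.
    return json.loads(base64.b64decode(manifest["data"]["credentials_file.json"]))

def provision(realm, components):
    """Give each component a fresh secret and write it to both sides:
    the realm export Keycloak imports, and the Secret the pod mounts."""
    realm = json.loads(json.dumps(realm))  # deep copy; template stays untouched
    by_id = {c["clientId"]: c for c in realm["clients"]}
    manifests = []
    for component in components:
        client_id = f"pulsar-{component}"
        if client_id not in by_id:
            raise KeyError(f"{client_id} is not defined in the realm export")
        secret = new_client_secret()
        by_id[client_id]["secret"] = secret
        manifests.append(k8s_secret(component, credentials_file(client_id, secret)))
    return realm, manifests
```

The realm dict is what gets serialised to `pulsar-realm.json` before Keycloak starts, and each manifest is applied before the corresponding broker or proxy pod is scheduled.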
