diff --git a/charts/sn-platform/templates/_helpers.tpl b/charts/sn-platform/templates/_helpers.tpl
index 566a9ba5f..aa05a1a9f 100644
--- a/charts/sn-platform/templates/_helpers.tpl
+++ b/charts/sn-platform/templates/_helpers.tpl
@@ -202,6 +202,8 @@ Define function for save authenticaiton configuration
 {{- define "pulsar.authConfiguration" }}
 {{- if .Values.auth.vault.enabled }}
 brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
+authenticateOriginalAuthData: "true"
+forwardAuthorizationCredentials: "true"
 PULSAR_PREFIX_chainAuthenticationEnabled: "true"
 PULSAR_PREFIX_vaultHost: {{ template "pulsar.vault.url" . }}
 {{- if .Values.broker.readPublicKeyFromFile }}
@@ -213,6 +215,8 @@ PULSAR_PREFIX_OIDCPublicKeyPath: "{{ template "pulsar.vault.url" . }}/v1/identit
 {{- if .Values.auth.oauth.enabled }}
 PULSAR_PREFIX_oauthIssuerUrl: "{{ .Values.auth.oauth.oauthIssuerUrl }}"
 PULSAR_PREFIX_oauthAudience: "{{ .Values.auth.oauth.oauthAudience }}"
+authenticateOriginalAuthData: "true"
+forwardAuthorizationCredentials: "true"
 {{- if .Values.auth.oauth.oauthAdminScope }}
 PULSAR_PREFIX_oauthAdminScope: "{{ .Values.auth.oauth.oauthAdminScope }}"
 {{- end }}
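Review bot: `authenticateOriginalAuthData` and `forwardAuthorizationCredentials` are added inside the vault `if` here and again inside the oauth block of the next hunk (and the jwt block after that), but those blocks are independent rather than mutually exclusive, so a values file with two providers enabled renders the same keys more than once in a single mapping — silent last-wins for most YAML consumers, a hard error for strict ones. The define is now also included from broker-cluster.yaml, so the proxy-side `forwardAuthorizationCredentials` lands in broker config too; presumably ignored there, but worth a comment. I would emit the pair once, directly after `{{- define "pulsar.authConfiguration" }}`, and delete the per-provider copies: `authenticateOriginalAuthData: "true"` and `forwardAuthorizationCredentials: "{{ if and (eq .Component "proxy") .Values.auth.authentication.tls.enabled }}false{{ else }}true{{ end }}"`, which also makes the TLS branch's own `"false"` unnecessary. The define's body continues past the end of this hunk.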
@@ -233,6 +237,20 @@ PULSAR_PREFIX_oauthSubjectClaim: "{{ .Values.auth.oauth.oauthSubjectClaim }}"
 {{- end }}
 {{- if .Values.auth.authentication.jwt.enabled }}
 brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
+authenticateOriginalAuthData: "true"
+forwardAuthorizationCredentials: "true"
+{{- end }}
+{{- if and (eq .Component "proxy") .Values.auth.authentication.tls.enabled }}
+brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls"
+brokerClientAuthenticationParameters: "tlsCertFile:/etc/tls/pulsar-proxy-tls/tls.crt,tlsKeyFile:/etc/tls/pulsar-proxy-tls/tls.key"
+forwardAuthorizationCredentials: "false"
+tlsEnabledWithBroker: "true"
+{{- end }}
+{{- if and (eq .Component "broker") .Values.auth.authentication.tls.enabled }}
+brokerClientTlsEnabled: "true"
+tlsTrustCertsFilePath: /etc/tls/pulsar-broker/ca.crt
+brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls"
+brokerClientAuthenticationParameters: "tlsCertFile:/etc/tls/pulsar-broker/tls.crt,tlsKeyFile:/etc/tls/pulsar-broker/tls.key"
 {{- end }}
 {{- end }}
diff --git a/charts/sn-platform/templates/broker/broker-cluster.yaml b/charts/sn-platform/templates/broker/broker-cluster.yaml
index ab4f914d9..0925d192e 100644
--- a/charts/sn-platform/templates/broker/broker-cluster.yaml
+++ b/charts/sn-platform/templates/broker/broker-cluster.yaml
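Review bot: The new TLS `if` blocks are not exclusive with the jwt block just above them, so a release with both `auth.authentication.jwt.enabled` and `auth.authentication.tls.enabled` renders `brokerClientAuthenticationPlugin` (Token, then Tls) and, on the proxy, `forwardAuthorizationCredentials` (`"true"`, then `"false"`) twice with conflicting values, and which one takes effect depends on the consumer's duplicate-key handling. Gate the jwt block with `{{- if and .Values.auth.authentication.jwt.enabled (not .Values.auth.authentication.tls.enabled) }}` or chain the blocks with `else if`. `tlsTrustCertsFilePath: /etc/tls/pulsar-broker/ca.crt` is the only unquoted value in the define; quote it like its siblings. The proxy branch switches credential forwarding off and sets no `authenticateOriginalAuthData`, so under TLS the broker can authorize proxied clients only on the proxy's certificate identity plus whatever `originalPrincipal` the proxy asserts — if that is the intended trust model, say so in a comment above the block, otherwise forward the credentials. These branches also read `.Component`, which exists only when the caller passes the new `dict` context; any `include "pulsar.authConfiguration" .` caller not updated in this diff would now evaluate `eq` against a nil `.Component`.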
@@ -286,14 +286,21 @@ spec:
 {{- end }}
 {{- if .Values.auth.authentication.enabled }}
 authenticationEnabled: "true"
- authenticateOriginalAuthData: "true"
 authenticationProviders: {{ include "pulsar.authenticationProviders" . }}
-{{- include "pulsar.authConfiguration" . | indent 6 }}
+{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.broker.component "Release" .Release "Chart" .Chart) | indent 6 }}
+ {{- if .Values.tls.broker.enabled }}
+ superUserRoles: "{{ .Values.auth.superUsers.broker }},{{ .Release.Name }}-sn-platform-broker,{{ .Release.Name }}-sn-platform-proxy,{{ .Release.Name }}-sn-platform-toolset"
+ {{- else }}
 superUserRoles: "{{ .Values.auth.superUsers.broker }}"
+ {{- end }}
 {{- if .Values.auth.superUsers.proxyRolesEnabled }}
+ {{- if .Values.tls.broker.enabled }}
+ proxyRoles: {{ .Release.Name }}-sn-platform-proxy
+ {{- else }}
 proxyRoles: {{ .Values.auth.superUsers.proxyRoles }}
 {{- end }}
 {{- end }}
+ {{- end }}
 {{- if .Values.auth.authorization.enabled }}
 {{- include "pulsar.authorizationProvider" . | indent 6 }}
 {{- end }}
diff --git a/charts/sn-platform/templates/proxy/proxy-cluster.yaml b/charts/sn-platform/templates/proxy/proxy-cluster.yaml
index e45b7958e..a70e18ce6 100644
--- a/charts/sn-platform/templates/proxy/proxy-cluster.yaml
+++ b/charts/sn-platform/templates/proxy/proxy-cluster.yaml
@@ -146,10 +146,8 @@ spec:
 {{- end }}
 {{- if .Values.auth.authentication.enabled }}
 authenticationEnabled: "true"
- authenticateOriginalAuthData: "true"
- forwardAuthorizationCredentials: "true"
 authenticationProviders: {{ include "pulsar.authenticationProviders" . }}
-{{- include "pulsar.authConfiguration" . | indent 6 }}
+{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.proxy.component "Release" .Release "Chart" .Chart) | indent 6 }}
 superUserRoles: "{{ .Values.auth.superUsers.proxy }}"
 {{- end }}
 {{- if and (.Values.tls.enabled) (.Values.tls.proxy.enabled) }}
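Review bot: The new `superUserRoles`/`proxyRoles` branches are keyed on `.Values.tls.broker.enabled` (transport TLS) while the helper's TLS-auth branches in _helpers.tpl are keyed on `.Values.auth.authentication.tls.enabled`, so a cluster with TLS transport but JWT authentication now gets `proxyRoles: <release>-sn-platform-proxy` instead of `.Values.auth.superUsers.proxyRoles`; presumably no token subject carries that name, which would make the broker reject the proxy-role check on every proxied connection. Use `.Values.auth.authentication.tls.enabled` for both branches so the gate matches the helper. The role strings also hard-code `sn-platform` instead of deriving from `{{ template "pulsar.fullname" . }}` the way toolset-configmap.yaml builds service names, so they drift from the certificate subjects whenever the fullname is overridden (assuming the certs are issued under the fullname). Listing the proxy and toolset identities in `superUserRoles` makes a compromised proxy or toolset pod a cluster superuser; if Pulsar's two-sided proxy-role check requires it, add a one-line comment saying so, otherwise keep them out of `superUserRoles` and rely on `proxyRoles`. The enclosing config mapping starts outside the hunk.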
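Review bot: Removing `authenticateOriginalAuthData` and `forwardAuthorizationCredentials` from the proxy config changes behaviour for any provider the helper does not cover: the helper emits them only inside its vault, oauth and jwt blocks (and `forwardAuthorizationCredentials: "false"` for TLS), so with `auth.authentication.enabled` and some other `authenticationProviders` value the keys are now absent and fall back to Pulsar's proxy defaults (false for both, if I recall proxy.conf correctly), where previously they were unconditionally `"true"`. Unless the helper is meant to be the single source of truth, keep the two lines here and drop them from the helper, or document the per-provider matrix in a comment above the `include`. Note also that under TLS auth the broker side now lists certificate-derived role names while this file still sets `superUserRoles: "{{ .Values.auth.superUsers.proxy }}"`; confirm that value is also the proxy's TLS identity.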
diff --git a/charts/sn-platform/templates/toolset/_toolset.tpl b/charts/sn-platform/templates/toolset/_toolset.tpl
index d303bc7ff..a0b045bd7 100644
--- a/charts/sn-platform/templates/toolset/_toolset.tpl
+++ b/charts/sn-platform/templates/toolset/_toolset.tpl
@@ -41,7 +41,7 @@ Define toolset token mounts
 */}}
 {{- define "pulsar.toolset.token.volumeMounts" -}}
 {{- if .Values.auth.authentication.enabled }}
-{{- if eq .Values.auth.authentication.provider "jwt" }}
+{{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}
 - mountPath: "/pulsar/tokens"
 name: client-token
 readOnly: true
@@ -54,7 +54,7 @@ Define toolset token volumes
 */}}
 {{- define "pulsar.toolset.token.volumes" -}}
 {{- if .Values.auth.authentication.enabled }}
-{{- if eq .Values.auth.authentication.provider "jwt" }}
+{{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}
 - name: client-token
 secret:
 secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
diff --git a/charts/sn-platform/templates/toolset/toolset-configmap.yaml b/charts/sn-platform/templates/toolset/toolset-configmap.yaml
index 08d5ee7bc..a1a897985 100644
--- a/charts/sn-platform/templates/toolset/toolset-configmap.yaml
+++ b/charts/sn-platform/templates/toolset/toolset-configmap.yaml
@@ -38,6 +38,8 @@ data:
 tlsAllowInsecureConnection: "false"
 tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
 tlsEnableHostnameVerification: "false"
+ authParams: tlsCertFile:/pulsar/certs/toolset/tls.crt,tlsKeyFile:/pulsar/certs/toolset/tls.key
+ authPlugin: org.apache.pulsar.client.impl.auth.AuthenticationTls
 {{- else }}
 webServiceUrl: "http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-headless:{{ .Values.broker.ports.http }}/"
 brokerServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-headless:{{ .Values.broker.ports.pulsar }}/"
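Review bot: `authParams`/`authPlugin` for AuthenticationTls are emitted whenever this branch is taken (its `if` opens outside the hunk; from the `{{- else }}` and the `kafka.properties` hunk below it is presumably the `tls.broker.enabled` branch), not when TLS authentication is enabled, so a JWT-authenticated cluster over TLS renders `authParams` and `authPlugin` twice under `data:` — once here and once in the "Authentication Settings" block further down — and only a last-wins consumer ends up with the token values. Wrap the two lines in `{{- if .Values.auth.authentication.tls.enabled }}` … `{{- end }}` so exactly one auth plugin is configured for the toolset client. Both values are also unquoted while every neighbour is quoted; `authParams: "tlsCertFile:/pulsar/certs/toolset/tls.crt,tlsKeyFile:/pulsar/certs/toolset/tls.key"` is safer against a future edit that introduces `: ` or ` #`.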
@@ -62,7 +64,7 @@ data:
 {{- end }}
 # Authentication Settings
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}
 authParams: "file:///pulsar/tokens/client/token"
 authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
 {{- end }}
@@ -73,7 +75,7 @@ data:
 {{ (.Files.Glob "conf/toolset/log4j2.yaml").AsConfig | indent 2 }}
 kafka.properties: |
 {{- if and .Values.tls.broker.enabled .Values.toolset.kafka.enabled }}
-{{- if and .Values.auth.authentication.enabled (eq .Values.auth.authentication.provider "jwt") }}
+{{- if and .Values.auth.authentication.enabled (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}
 security.protocol=SASL_SSL
 sasl.mechanism=PLAIN
 {{- else }}
@@ -99,7 +101,7 @@ data:
 tls_allow_insecure_connection: false
 token: ""
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}
 tokenFile: "/pulsar/tokens/client/token"
 {{- end }}
 {{- end }}
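Review bot: The compound test `and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled` is now copy-pasted into five places (this hunk, the two below it, and both defines in _toolset.tpl), which is exactly how the token volume mount and the client config that reads `/pulsar/tokens/client/token` will drift apart on the next change. Factor it into one named template, e.g. `{{- define "pulsar.toolset.jwtAuthEnabled" -}}{{ and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }}{{- end -}}`, and test `eq (include "pulsar.toolset.jwtAuthEnabled" .) "true"` at each site. The `{{- if and .Values.tls.broker.enabled ... }}` opened in the `kafka.properties` hunk is closed outside the hunk.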