diff --git a/apikeys/APIKeys.postman_collection.json b/apikeys/APIKeys.postman_collection.json
new file mode 100644
index 0000000..21a0602
--- /dev/null
+++ b/apikeys/APIKeys.postman_collection.json
@@ -0,0 +1,199 @@
+{
+ "info": {
+ "_postman_id": "2d96fac2-4eaa-4508-bfc0-c4bf2e09adce",
+ "name": "APIKeys",
+ "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+ "_exporter_id": "11878109",
+ "_collection_link": "https://fpaycx.postman.co/workspace/SN~f695694f-237c-4f17-b833-692ddf7c68dd/collection/11878109-2d96fac2-4eaa-4508-bfc0-c4bf2e09adce?action=share&source=collection_link&creator=11878109"
+ },
+ "item": [
+ {
+ "name": "http://localhost:8080/admin/v2/tenants",
+ "request": {
+ "method": "GET",
+ "header": [
+ {
+ "key": "Accept",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "http://localhost:8080/admin/v2/tenants",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8080",
+ "path": [
+ "admin",
+ "v2",
+ "tenants"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "http://localhost:8081/v1/tokens",
+ "request": {
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "http://localhost:8081/v1/tokens",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8081",
+ "path": [
+ "v1",
+ "tokens"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "http://localhost:8081/v1/revocation-list",
+ "request": {
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "http://localhost:8081/v1/revocation-list",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8081",
+ "path": [
+ "v1",
+ "revocation-list"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "https://localhost:8081/v1/tokens",
+ "request": {
+ "method": "PUT",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\"name\": \"test1\"}"
+ },
+ "url": {
+ "raw": "http://localhost:8081/v1/tokens",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8081",
+ "path": [
+ "v1",
+ "tokens"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "http://localhost:8081/v1/tokens",
+ "request": {
+ "method": "PUT",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\"name\": \"test1\",\"exp\":1719590340}"
+ },
+ "url": {
+ "raw": "http://localhost:8081/v1/tokens",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8081",
+ "path": [
+ "v1",
+ "tokens"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "http://localhost:8081/v1/tokens/{{tokenid}}",
+ "request": {
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "http://localhost:8081/v1/tokens/revoke/{{tokenid}}",
+ "protocol": "http",
+ "host": [
+ "localhost"
+ ],
+ "port": "8081",
+ "path": [
+ "v1",
+ "tokens",
+ "revoke",
+ "{{tokenid}}"
+ ]
+ }
+ },
+ "response": []
+ }
+ ],
+ "auth": {
+ "type": "bearer",
+ "bearer": [
+ {
+ "key": "token",
+ "value": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjcwMDdkZGY5LWJlYWMtNGU3NC04ZTMyLWYwMzQ1M2ZlYTNlMCIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1cm46c246cHVsc2FyOnB1bHNhcjpwcml2YXRlLWNsb3VkIiwiaWF0IjoxNjkyMTg3MDgzLCJpc3MiOiJodHRwOi8vcHJpdmF0ZS1jbG91ZC1hcGlrZXlzLnB1bHNhci5zdmMuY2x1c3Rlci5sb2NhbDo4MDgxLyIsImp0aSI6ImFwaWtleXMtOGZmOWNmMTg2MmI0NDJlNTlkMzkzOTU4ZjFmZTRhZjgiLCJyZXZvY2FibGUiOiJmYWxzZSIsInN1YiI6ImFkbWluIn0.Emcp9c_7hczMkCl0f_kErBhLoZtzOyuqxlyGVasdeDDv4KGJBNlGtE-Y6TLAQEJF6wqfkdDisuoLxYrS9HZYKxSRUMEV8kdClEiDa4N_OWC25nUPD0K4fCSTIm_7qiuwSELHObqPEhrAaZb9y7rWcIib59g1zyBKItTDiGYSSDM7ZKkHqxogcSpBokiG46c5OoSYtZMAyaieE4WJWhVfUfbFJHTPr1LgVhsMslZMJH0fpoJJeevgnMzoo2U147AjgplO6zCNDr0q9sZuqgUv3I9TB7X6ZsxUH_1J73_jU3bG3hD4Jp3uUxbDk5tLwBXH8bdDH9nazB0I-l59ZslQYQ",
+ "type": "string"
+ }
+ ]
+ },
+ "event": [
+ {
+ "listen": "prerequest",
+ "script": {
+ "type": "text/javascript",
+ "exec": [
+ ""
+ ]
+ }
+ },
+ {
+ "listen": "test",
+ "script": {
+ "type": "text/javascript",
+ "exec": [
+ ""
+ ]
+ }
+ }
+ ],
+ "variable": [
+ {
+ "key": "tokenid",
+ "value": "",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/apikeys/README.md b/apikeys/README.md
new file mode 100644
index 0000000..09a7c87
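Review bot: The collection-level `auth.bearer` entry commits a signed JWT whose payload, being plain base64, decodes to `"sub":"admin"`, `"revocable":"false"` and no `exp` claim, so the repository now carries what looks like a non-expiring admin credential that the `/v1/revocation-list` and `/v1/tokens/revoke/{{tokenid}}` requests in this same collection would presumably not be able to invalidate. Replace the literal with a variable, `"value": "{{token}}"`, declare it next to `tokenid` as `{ "key": "token", "value": "", "type": "string" }`, and keep the real value in an un-exported Postman environment. Because the token's `kid` is the `currentKid` configured for the ApiKeys service in this commit and the token is marked non-revocable, rotating that signing key appears to be the only way to retire it once it has been pushed — confirm against the apikeys service's key-rotation behaviour. `_collection_link` also embeds the private workspace share URL, which the export does not need. Separately, the request named `https://localhost:8081/v1/tokens` actually targets `http://` in `url.raw`, and the one named `/v1/tokens/{{tokenid}}` calls `/v1/tokens/revoke/{{tokenid}}`; the names should match the URLs they send.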
--- /dev/null
+++ b/apikeys/README.md
@@ -0,0 +1,69 @@
+## test with kind
+- kind create cluster
+- install olm, refer https://docs.streamnative.io/operator/pulsar-operator-install-olm, `curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.23.1/install.sh | bash -s v0.23.1`
+- k apply -f catalogsource.yaml
+- k apply -f subscriptions.yaml
+- k create ns pulsar
+- comment the apikey configurations code in this yaml file
+- downscale sn-operator, edit the deployment replicas to 0 of sn-operator in namespace operators
+- make install
+- export OPERATOR_NAMESPACE=operators WEBHOOK_SERVER_CERT=sn-operator-controller-manager-service-cert
+- make copy-running-certs
+- WEBHOOK_SERVICE_ADDRESS=https://host.docker.internal:9443 make webhook-proxy
+- OPERATOR_NAMESPACE=operators;RUN_PULSAR_CONTROLLERS=false;SN_OPERATOR_FLINK_ENABLE=false;SN_OPERATOR_PFSQL_ENABLE=false make run
+- uncomment the apikey configurations code in this yaml file
+- k apply -f cluster.yaml
+- kgsec private-cloud-apikeys-key -n pulsar -o json | jq -r .data.token | base64 -d
+- k port-forward svc/private-cloud-streamnative-console -n pulsar 9527:9527
+
+## debug console ui and server
+- kgsec private-cloud-apikeys-key -n pulsar -o json | jq -r '.data.token' | base64 -d > super-token
+- `kubectl exec -it private-cloud-console-0 -c private-cloud-console -n pulsar -- cat /pulsar-manager/pulsar-manager/application.properties > src/main/resources/application.properties`
+
+- update application.properties file
+```
+#spring.datasource.driver-class-name=org.postgresql.Driver
+#spring.datasource.url=jdbc:postgresql://127.0.0.1:5688/pulsar_manager
+#spring.datasource.username=pulsar
+#spring.datasource.password=pulsar
+
+spring.datasource.driver-class-name=org.sqlite.JDBC
+spring.datasource.url=jdbc:sqlite:pulsar_manager.db
+spring.sql.init.mode=always
+spring.sql.init.schema-locations=classpath:/META-INF/sql/sqlite-schema.sql
+spring.datasource.username=
+spring.datasource.password=
+
+jwt.broker.super-token=file:///Users/lili/space/sn/sn-pulsar-manager/super-token
+```
+
+- vim hosts file
+```
+127.0.0.1 private-cloud-broker.pulsar.svc.cluster.local
+127.0.0.1 private-cloud-broker
+127.0.0.1 private-cloud-apikeys.pulsar.svc.cluster.local
+```
+
+- forward service
+
+```shell
+k port-forward svc/private-cloud-apikeys -n pulsar 8081:8081
+k port-forward svc/private-cloud-broker -n pulsar 8080:8080
+```
+
+- launch gateway
+```
+mvn clean package
+java --add-opens java.base/java.time=ALL-UNNAMED -cp "./target/classes:./target/build/libs/*" io.streamnative.gateway.Application
+```
+- launch console application with debug model
+
+List of problems:
+- The version of pulsar-operator is wrong, it needs to be upgraded to 0.17.5, the solution is to create the catalogsource of sn, refer to sn-catalogsource.yaml
+- The apikeys log reports that Pulsar is not available, and the broker log reports that the number of bookies is insufficient. The reason: because the replicas configuration is 1, which is inconsistent with the write configuration. The solution is to add the configuration PULSAR_PREFIX_managedLedgerDefaultEnsembleSize: "1";PULSAR_PREFIX_managedLedgerDefaultWriteQuorum: "1"; PULSAR_PREFIX_managedLedgerDefaultAckQuorum: "1"
+- Console startup error imageCapabilities null pointer, the reason is that imageCapabilities failed to load because of wrong namespace (default sn_system), the solution is to add startup environment variable OPERATOR_NAMESPACE=operators
+- To avoid the conflict between the installed sn-operator and the debug sn-operator, modify the deployment replicas of the installed sn-operator to 0
+- Because of the webhook penetration problem, it is recommended to use kind to deploy the test locally
+
+## build console image
+`docker buildx build -f docker/Dockerfile --platform linux/amd64,linux/arm64/v8 -t streamnative/private-cloud-console:v3.0.0-beta2 . --push`
\ No newline at end of file
diff --git a/apikeys/cluster.yaml b/apikeys/cluster.yaml
new file mode 100644
index 0000000..6498f69
--- /dev/null
+++ b/apikeys/cluster.yaml
@@ -0,0 +1,156 @@
+apiVersion: k8s.streamnative.io/v1alpha1
+kind: PulsarCoordinator
+metadata:
+ name: private-cloud
+ namespace: pulsar
+spec:
+ image: streamnative/private-cloud:3.0.1.6
+ authentication:
+ apiKey:
+ enabled: true
+---
+apiVersion: zookeeper.streamnative.io/v1alpha1
+kind: ZooKeeperCluster
+metadata:
+ name: private-cloud
+ namespace: pulsar
+ labels:
+ k8s.streamnative.io/coordinator-name: private-cloud
+spec:
+ image: streamnative/private-cloud:3.0.1.6
+ replicas: 1
+ pod:
+ resources:
+ requests:
+ cpu: 500m
+ memory: 1Gi
+ securityContext:
+ runAsNonRoot: true
+---
+apiVersion: bookkeeper.streamnative.io/v1alpha1
+kind: BookKeeperCluster
+metadata:
+ name: private-cloud
+ namespace: pulsar
+ labels:
+ k8s.streamnative.io/coordinator-name: private-cloud
+spec:
+ image: streamnative/private-cloud:3.0.1.6
+ replicas: 1
+ zkServers: private-cloud-zk:2181
+ pod:
+ resources:
+ requests:
+ cpu: 500m
+ memory: 1Gi
+ securityContext:
+ runAsNonRoot: true
+ storage:
+ journal:
+ numDirsPerVolume: 1
+ numVolumes: 1
+ volumeClaimTemplate:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ ledger:
+ numDirsPerVolume: 1
+ numVolumes: 1
+ volumeClaimTemplate:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ reclaimPolicy: Delete
+---
+apiVersion: pulsar.streamnative.io/v1alpha1
+kind: PulsarBroker
+metadata:
+ name: private-cloud
+ namespace: pulsar
+ labels:
+ k8s.streamnative.io/coordinator-name: private-cloud
+spec:
+ image: streamnative/private-cloud:3.0.1.6
+ replicas: 1
+ zkServers: private-cloud-zk:2181
+ config:
+ custom:
+ PULSAR_PREFIX_managedLedgerDefaultEnsembleSize: "1"
+ PULSAR_PREFIX_managedLedgerDefaultWriteQuorum: "1"
+ PULSAR_PREFIX_managedLedgerDefaultAckQuorum: "1"
+ pod:
+ securityContext:
+ runAsNonRoot: true
+ resources:
+ requests:
+ cpu: 500m
+ memory: 1Gi
+# ---
+# apiVersion: pulsar.streamnative.io/v1alpha1
+# kind: PulsarProxy
+# metadata:
+# name: private-cloud
+# namespace: pulsar
+# labels:
+# k8s.streamnative.io/coordinator-name: private-cloud
+# spec:
+# image: streamnative/private-cloud:3.0.1.6
+# replicas: 1
+# brokerAddress: private-cloud-broker
+# pod:
+# resources:
+# requests:
+# cpu: 200m
+# memory: 512Mi
+# securityContext:
+# runAsNonRoot: true
+---
+apiVersion: k8s.streamnative.io/v1alpha1
+kind: Console
+metadata:
+ name: private-cloud
+ namespace: pulsar
+ labels:
+ k8s.streamnative.io/coordinator-name: private-cloud
+spec:
+ image: streamnative/private-cloud-console:v3.0.0-beta3
+ webServiceUrl: http://private-cloud-broker:8080
+---
+apiVersion: k8s.streamnative.io/v1alpha1
+kind: ApiKeys
+metadata:
+ name: private-cloud
+ namespace: pulsar
+ labels:
+ cloud.streamnative.io/app: apikeys
+ cloud.streamnative.io/cluster: private-cloud
+ cloud.streamnative.io/component: apikeys
+ cluster: private-cloud
+ component: apikeys
+spec:
+ replicas: 1
+ # image: docker.cloudsmith.io/streamnative/sn-api-keys-svc/sn-api-keys-svc:v0.9.5
+ image: docker.cloudsmith.io/streamnative/sn-api-keys-svc/sn-api-keys-svc:sha-0bde403
+ hostname: http://private-cloud-apikeys.pulsar.svc.cluster.local:8081
+ issuerPathPrefix: /
+ brokerServiceUrl: "pulsar://private-cloud-broker.pulsar.svc.cluster.local:6650"
+ config:
+ server:
+ audience: "urn:sn:pulsar:pulsar:private-cloud"
+ claimsToCopy: # These claims from the request token would be copied to the issued tokens.
+ - sub
+ - permissions
+ - aud
+ - scope
+ currentKid: 7007ddf9-beac-4e74-8e32-f03453fea3e0
+ backend:
+ pulsarTopic: "api_keys_api.example"
+ authenticator:
+ enabled: true
+ issuers:
+ - http://private-cloud-apikeys.pulsar.svc.cluster.local:8081/
+ acceptedAudience: "urn:sn:pulsar:pulsar:private-cloud"
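Review bot: The `Console` and `ApiKeys` resources at the end of the hunk declare no pod `securityContext`, while the ZooKeeper, BookKeeper and broker specs earlier in the same file all pin `runAsNonRoot: true`; for consistency add `pod:` / `securityContext:` / `runAsNonRoot: true` to both, after checking that these two CRDs accept the same `pod` stanza (the `ApiKeys` spec here has no `pod` key at all, so this needs confirming against the operator's CRD). `currentKid: 7007ddf9-beac-4e74-8e32-f03453fea3e0` is the `kid` of the bearer token exported in the Postman collection added by this same commit, so if that token is retired by rotating the key, this value must change in step. `hostname` and `issuers` use plain `http://` for the issuer URL, which fits the kind-based local test the README describes but should not be carried into a shared deployment without TLS; a comment stating that scope, `# local kind test only: issuer/hostname are plain http`, would reduce the risk of copy-paste. `claimsToCopy` forwards `permissions` and `scope` from the requesting token into every issued key, so issued keys inherit the caller's full authority rather than a narrower scope; if down-scoped keys are intended this list deserves a second look.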