From a5f27badcd60e9c52298e9808892fd605156856b Mon Sep 17 00:00:00 2001 From: guangning Date: Wed, 13 Sep 2023 17:54:25 +0800 Subject: [PATCH 1/3] Improve tls authentication --- charts/sn-platform/templates/_helpers.tpl | 18 ++++++++++++++++++ .../templates/broker/broker-cluster.yaml | 9 ++++++++- .../templates/proxy/proxy-cluster.yaml | 2 -- .../sn-platform/templates/toolset/_toolset.tpl | 4 ++-- .../templates/toolset/toolset-configmap.yaml | 8 +++++--- 5 files changed, 33 insertions(+), 8 deletions(-) diff --git a/charts/sn-platform/templates/_helpers.tpl b/charts/sn-platform/templates/_helpers.tpl index 566a9ba5f..3232c4077 100644 --- a/charts/sn-platform/templates/_helpers.tpl +++ b/charts/sn-platform/templates/_helpers.tpl @@ -202,6 +202,8 @@ Define function for save authenticaiton configuration {{- define "pulsar.authConfiguration" }} {{- if .Values.auth.vault.enabled }} brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" +authenticateOriginalAuthData: "true" +forwardAuthorizationCredentials: "true" PULSAR_PREFIX_chainAuthenticationEnabled: "true" PULSAR_PREFIX_vaultHost: {{ template "pulsar.vault.url" . }} {{- if .Values.broker.readPublicKeyFromFile }} @@ -213,6 +215,8 @@ PULSAR_PREFIX_OIDCPublicKeyPath: "{{ template "pulsar.vault.url" . }}/v1/identit {{- if .Values.auth.oauth.enabled }} PULSAR_PREFIX_oauthIssuerUrl: "{{ .Values.auth.oauth.oauthIssuerUrl }}" PULSAR_PREFIX_oauthAudience: "{{ .Values.auth.oauth.oauthAudience }}" +authenticateOriginalAuthData: "true" +forwardAuthorizationCredentials: "true" {{- if .Values.auth.oauth.oauthAdminScope }} PULSAR_PREFIX_oauthAdminScope: "{{ .Values.auth.oauth.oauthAdminScope }}" {{- end }} 
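Review bot: `authenticateOriginalAuthData` and `forwardAuthorizationCredentials` are added inside the vault branch, and the same two keys are added again in the oauth and jwt branches of this define, so a deployment with more than one provider enabled renders the same key several times in one mapping; most YAML loaders take the last occurrence silently and strict ones reject the document, so the effective value is decided by loader behaviour rather than by the chart. Since all three branches set identical values, emit the pair once outside the per-provider conditionals, e.g. `{{- if or .Values.auth.vault.enabled .Values.auth.oauth.enabled .Values.auth.authentication.jwt.enabled }}` around the two keys, and keep each provider block to provider-specific settings. The `pulsar.authConfiguration` define continues past this hunk.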
@@ -233,6 +237,20 @@ PULSAR_PREFIX_oauthSubjectClaim: "{{ .Values.auth.oauth.oauthSubjectClaim }}" {{- end }} {{- if .Values.auth.authentication.jwt.enabled }} brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" +authenticateOriginalAuthData: "true" +forwardAuthorizationCredentials: "true" +{{- end }} +{{- if and (eq .Component "proxy") .Values.auth.authentication.tls.enabled }} +brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls" +brokerClientAuthenticationParameters: tlsCertFile:/etc/tls/pulsar-proxy-tls/tls.crt,tlsKeyFile:/etc/tls/pulsar-proxy-tls/tls.key +forwardAuthorizationCredentials: "false" +tlsEnabledWithBroker: "true" +{{- end }} +{{- if and (eq .Component "broker") .Values.auth.authentication.tls.enabled }} +brokerClientTlsEnabled: "true" +tlsTrustCertsFilePath: /etc/tls/pulsar-broker/ca.crt +brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls" +brokerClientAuthenticationParameters: tlsCertFile:/etc/tls/pulsar-broker/tls.crt,tlsKeyFile:/etc/tls/pulsar-broker/tls.key {{- end }} {{- end }} diff --git a/charts/sn-platform/templates/broker/broker-cluster.yaml b/charts/sn-platform/templates/broker/broker-cluster.yaml index ab4f914d9..91b415bae 100644 --- a/charts/sn-platform/templates/broker/broker-cluster.yaml +++ b/charts/sn-platform/templates/broker/broker-cluster.yaml 
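Review bot: The new TLS branches are not exclusive with the jwt branch just above them: with `auth.authentication.jwt.enabled` and `auth.authentication.tls.enabled` both set, the proxy renders `forwardAuthorizationCredentials: "true"` from the jwt block and `"false"` from the TLS block, and `brokerClientAuthenticationPlugin` twice, so which credential the proxy presents to the broker depends on how the consumer resolves duplicate keys. Gate the jwt block with `{{- if and .Values.auth.authentication.jwt.enabled (not .Values.auth.authentication.tls.enabled) }}`, or `fail` when both are enabled. In the broker branch, `tlsTrustCertsFilePath` is the broker's server-side trust store for validating incoming client certificates, not the trust store for the outgoing connection that `brokerClientTlsEnabled` turns on; the outgoing side is `brokerClientTrustCertsFilePath: /etc/tls/pulsar-broker/ca.crt`, and emitting the server-side key here may also collide with the broker's TLS listener settings rendered elsewhere in the chart (not visible in this hunk). The define starts before this hunk.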
@@ -286,14 +286,21 @@ spec: {{- end }} {{- if .Values.auth.authentication.enabled }} authenticationEnabled: "true" - authenticateOriginalAuthData: "true" authenticationProviders: {{ include "pulsar.authenticationProviders" . }} {{- include "pulsar.authConfiguration" . | indent 6 }} + {{- if .Values.tls.broker.enabled }} + superUserRoles: "{{ .Values.auth.superUsers.broker }},{{ .Release.Name }}-sn-platform-broker,{{ .Release.Name }}-sn-platform-proxy,{{ .Release.Name }}-sn-platform-toolset" + {{- else }} superUserRoles: "{{ .Values.auth.superUsers.broker }}" + {{- end }} {{- if .Values.auth.superUsers.proxyRolesEnabled }} + {{- if .Values.tls.broker.enabled }} + proxyRoles: {{ .Release.Name }}-sn-platform-proxy + {{- else }} proxyRoles: {{ .Values.auth.superUsers.proxyRoles }} {{- end }} {{- end }} + {{- end }} {{- if .Values.auth.authorization.enabled }} {{- include "pulsar.authorizationProvider" . | indent 6 }} {{- end }} diff --git a/charts/sn-platform/templates/proxy/proxy-cluster.yaml b/charts/sn-platform/templates/proxy/proxy-cluster.yaml index e45b7958e..f334965c0 100644 --- a/charts/sn-platform/templates/proxy/proxy-cluster.yaml +++ b/charts/sn-platform/templates/proxy/proxy-cluster.yaml @@ -146,8 +146,6 @@ spec: {{- end }} {{- if .Values.auth.authentication.enabled }} authenticationEnabled: "true" - authenticateOriginalAuthData: "true" - forwardAuthorizationCredentials: "true" authenticationProviders: {{ include "pulsar.authenticationProviders" . }} {{- include "pulsar.authConfiguration" . | indent 6 }} superUserRoles: "{{ .Values.auth.superUsers.proxy }}" diff --git a/charts/sn-platform/templates/toolset/_toolset.tpl b/charts/sn-platform/templates/toolset/_toolset.tpl index d303bc7ff..a0b045bd7 100644 --- a/charts/sn-platform/templates/toolset/_toolset.tpl +++ b/charts/sn-platform/templates/toolset/_toolset.tpl 
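Review bot: The expanded `superUserRoles` and the `proxyRoles` override are gated on `.Values.tls.broker.enabled`, the TLS transport switch, rather than on `.Values.auth.authentication.tls.enabled`; with JWT, OIDC or Vault authentication over TLS, any principal whose token subject is `<release>-sn-platform-proxy`, `-broker` or `-toolset` becomes a superuser even though no certificate binds those names to the proxy or toolset, and `proxyRoles` is silently replaced by a name that no issued token may carry. Gate both blocks on `.Values.auth.authentication.tls.enabled`, and derive the names from the chart's naming helpers (`{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}`) instead of the hard-coded `sn-platform`, otherwise a `fullnameOverride` or a custom component name breaks the match against the certificate CN. Whether the proxy's own role should be in `superUserRoles` at all is worth confirming against the Pulsar authorization documentation for the deployed version, since `proxyRoles` exists so the broker can authorize on the original principal rather than on the proxy's own rights.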
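Review bot: Deleting `authenticateOriginalAuthData` and `forwardAuthorizationCredentials` from the proxy config means both keys are now rendered only when one of the provider branches in `pulsar.authConfiguration` is taken; if `auth.authentication.enabled` is set but no provider `*.enabled` flag matches (the toolset hunks in this series treat `provider: jwt` with `jwt.enabled: false` as a real combination), the proxy falls back to Pulsar's defaults, which do not forward the client's credentials. The broker would then see only the proxy-asserted original principal, a quieter trust model than the explicit `"true"` this hunk removes, with nothing in the rendered output showing the change. Consider keeping an explicit value in this template, e.g. `forwardAuthorizationCredentials: "{{ not .Values.auth.authentication.tls.enabled }}"`, so the effective setting is always visible in the rendered proxy config.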
@@ -41,7 +41,7 @@ Define toolset token mounts */}} {{- define "pulsar.toolset.token.volumeMounts" -}} {{- if .Values.auth.authentication.enabled }} -{{- if eq .Values.auth.authentication.provider "jwt" }} +{{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }} - mountPath: "/pulsar/tokens" name: client-token readOnly: true @@ -54,7 +54,7 @@ Define toolset token volumes */}} {{- define "pulsar.toolset.token.volumes" -}} {{- if .Values.auth.authentication.enabled }} -{{- if eq .Values.auth.authentication.provider "jwt" }} +{{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }} - name: client-token secret: secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}" diff --git a/charts/sn-platform/templates/toolset/toolset-configmap.yaml b/charts/sn-platform/templates/toolset/toolset-configmap.yaml index 08d5ee7bc..a1a897985 100644 --- a/charts/sn-platform/templates/toolset/toolset-configmap.yaml +++ b/charts/sn-platform/templates/toolset/toolset-configmap.yaml @@ -38,6 +38,8 @@ data: tlsAllowInsecureConnection: "false" tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" tlsEnableHostnameVerification: "false" + authParams: tlsCertFile:/pulsar/certs/toolset/tls.crt,tlsKeyFile:/pulsar/certs/toolset/tls.key + authPlugin: org.apache.pulsar.client.impl.auth.AuthenticationTls {{- else }} webServiceUrl: "http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-headless:{{ .Values.broker.ports.http }}/" brokerServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-headless:{{ .Values.broker.ports.pulsar }}/" 
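Review bot: The new `authParams`/`authPlugin` pair is emitted inside the `tls.broker.enabled` branch (the enclosing `if` starts before this hunk), so the toolset presents its TLS certificate as its authentication credential whenever TLS transport is on, regardless of `auth.authentication.tls.enabled`; with JWT also enabled, the same file later gains a second `authParams`/`authPlugin` pair from the token block, leaving the effective plugin to the properties parser's duplicate-key behaviour. Gate these two lines on `{{- if .Values.auth.authentication.tls.enabled }}` so TLS client auth is configured only when the broker is set up to accept it. Note that `tlsEnableHostnameVerification: "false"` remains in this branch, so the toolset will offer its certificate to any endpoint presenting a certificate chained to the CA in `tlsTrustCertsFilePath`.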
@@ -62,7 +64,7 @@ data: {{- end }} # Authentication Settings {{- if .Values.auth.authentication.enabled }} - {{- if eq .Values.auth.authentication.provider "jwt" }} + {{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }} authParams: "file:///pulsar/tokens/client/token" authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" {{- end }} @@ -73,7 +75,7 @@ data: {{ (.Files.Glob "conf/toolset/log4j2.yaml").AsConfig | indent 2 }} kafka.properties: | {{- if and .Values.tls.broker.enabled .Values.toolset.kafka.enabled }} -{{- if and .Values.auth.authentication.enabled (eq .Values.auth.authentication.provider "jwt") }} +{{- if and .Values.auth.authentication.enabled (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }} security.protocol=SASL_SSL sasl.mechanism=PLAIN {{- else }} @@ -99,7 +101,7 @@ data: tls_allow_insecure_connection: false token: "" {{- if .Values.auth.authentication.enabled }} - {{- if eq .Values.auth.authentication.provider "jwt" }} + {{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled }} tokenFile: "/pulsar/tokens/client/token" {{- end }} {{- end }} From 185e5ec7d194bdbb1e9cb49b3fabf8595f949975 Mon Sep 17 00:00:00 2001 From: guangning Date: Tue, 19 Sep 2023 12:00:22 +0800 Subject: [PATCH 2/3] Fixed tls --- charts/sn-platform/templates/_helpers.tpl | 6 +++--- charts/sn-platform/templates/broker/broker-cluster.yaml | 2 +- charts/sn-platform/templates/proxy/proxy-cluster.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/sn-platform/templates/_helpers.tpl b/charts/sn-platform/templates/_helpers.tpl index 3232c4077..aa05a1a9f 100644 --- a/charts/sn-platform/templates/_helpers.tpl +++ b/charts/sn-platform/templates/_helpers.tpl 
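Review bot: The tightened condition still emits the token `authParams`/`authPlugin` even when the TLS branch earlier in this ConfigMap has already emitted a TLS `authParams`/`authPlugin` pair, so with `tls.broker.enabled` and JWT both on, `client.conf` contains each key twice; for a Java properties file the last definition normally wins, which here is the token, but that is an accident of ordering rather than a stated choice. Make the two branches an explicit either/or, e.g. `{{- if and (eq .Values.auth.authentication.provider "jwt") .Values.auth.authentication.jwt.enabled (not .Values.auth.authentication.tls.enabled) }}`, or `fail` on the combination so the rendered credential is unambiguous.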
@@ -242,15 +242,15 @@ forwardAuthorizationCredentials: "true" {{- end }} {{- if and (eq .Component "proxy") .Values.auth.authentication.tls.enabled }} brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls" -brokerClientAuthenticationParameters: tlsCertFile:/etc/tls/pulsar-proxy-tls/tls.crt,tlsKeyFile:/etc/tls/pulsar-proxy-tls/tls.key -forwardAuthorizationCredentials: "false" +brokerClientAuthenticationParameters: "tlsCertFile:/etc/tls/pulsar-proxy-tls/tls.crt,tlsKeyFile:/etc/tls/pulsar-proxy-tls/tls.key" +forwardAuthorizationCredentials: "false" tlsEnabledWithBroker: "true" {{- end }} {{- if and (eq .Component "broker") .Values.auth.authentication.tls.enabled }} brokerClientTlsEnabled: "true" tlsTrustCertsFilePath: /etc/tls/pulsar-broker/ca.crt brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationTls" -brokerClientAuthenticationParameters: tlsCertFile:/etc/tls/pulsar-broker/tls.crt,tlsKeyFile:/etc/tls/pulsar-broker/tls.key +brokerClientAuthenticationParameters: "tlsCertFile:/etc/tls/pulsar-broker/tls.crt,tlsKeyFile:/etc/tls/pulsar-broker/tls.key" {{- end }} {{- end }} diff --git a/charts/sn-platform/templates/broker/broker-cluster.yaml b/charts/sn-platform/templates/broker/broker-cluster.yaml index 91b415bae..7a6b9c8be 100644 --- a/charts/sn-platform/templates/broker/broker-cluster.yaml +++ b/charts/sn-platform/templates/broker/broker-cluster.yaml 
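Review bot: The proxy branch turns on `tlsEnabledWithBroker` and sends a client certificate, but nothing in this block tells the proxy which CA to trust for the broker's certificate or whether to verify the broker's hostname; unless `brokerClientTrustCertsFilePath` and `tlsHostnameVerificationEnabled` are set elsewhere in the proxy config (not visible here), the proxy's trust in the broker endpoint rests on defaults. Add `brokerClientTrustCertsFilePath: "/etc/tls/pulsar-proxy-tls/ca.crt"` (or whichever path the proxy's TLS secret mounts its CA at) next to `tlsEnabledWithBroker`, and consider `tlsHostnameVerificationEnabled: "true"` for the proxy-to-broker hop. The define starts before this hunk.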
@@ -287,7 +287,7 @@ spec: {{- if .Values.auth.authentication.enabled }} authenticationEnabled: "true" authenticationProviders: {{ include "pulsar.authenticationProviders" . }} -{{- include "pulsar.authConfiguration" . | indent 6 }} +{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.proxy.component "Release" .Release "Chart" .Chart) | indent 6 }} {{- if .Values.tls.broker.enabled }} superUserRoles: "{{ .Values.auth.superUsers.broker }},{{ .Release.Name }}-sn-platform-broker,{{ .Release.Name }}-sn-platform-proxy,{{ .Release.Name }}-sn-platform-toolset" {{- else }} diff --git a/charts/sn-platform/templates/proxy/proxy-cluster.yaml b/charts/sn-platform/templates/proxy/proxy-cluster.yaml index f334965c0..a70e18ce6 100644 --- a/charts/sn-platform/templates/proxy/proxy-cluster.yaml +++ b/charts/sn-platform/templates/proxy/proxy-cluster.yaml @@ -147,7 +147,7 @@ spec: {{- if .Values.auth.authentication.enabled }} authenticationEnabled: "true" authenticationProviders: {{ include "pulsar.authenticationProviders" . }} -{{- include "pulsar.authConfiguration" . | indent 6 }} +{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.proxy.component "Release" .Release "Chart" .Chart) | indent 6 }} superUserRoles: "{{ .Values.auth.superUsers.proxy }}" {{- end }} {{- if and (.Values.tls.enabled) (.Values.tls.proxy.enabled) }} From 24b1ad194f8f210a7a1768548e662ae837316c1e Mon Sep 17 00:00:00 2001 From: guangning Date: Tue, 19 Sep 2023 12:04:03 +0800 Subject: [PATCH 3/3] Update tls auth --- charts/sn-platform/templates/broker/broker-cluster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sn-platform/templates/broker/broker-cluster.yaml b/charts/sn-platform/templates/broker/broker-cluster.yaml index 7a6b9c8be..0925d192e 100644 --- a/charts/sn-platform/templates/broker/broker-cluster.yaml +++ b/charts/sn-platform/templates/broker/broker-cluster.yaml 
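Review bot: The new `dict` passes `.Values.proxy.component` as `Component`, but the define it feeds compares `Component` against the literal strings `"proxy"` and `"broker"` (the `eq .Component "proxy"` branches added in the first patch), so a values override of `proxy.component` makes the TLS-authentication branch silently disappear and the proxy connects to the broker without its TLS client credential. Either pass the literal, `(dict "Values" .Values "Component" "proxy" "Release" .Release "Chart" .Chart)`, or compare against `.Values.proxy.component` inside the define; a `fail` when `auth.authentication.tls.enabled` is set and neither branch matches would turn the silent downgrade into a render error. The reduced context also omits `.Template`, `.Files` and `.Capabilities`, which only matters if a helper invoked from the define needs them (not visible here).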
@@ -287,7 +287,7 @@ spec: {{- if .Values.auth.authentication.enabled }} authenticationEnabled: "true" authenticationProviders: {{ include "pulsar.authenticationProviders" . }} -{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.proxy.component "Release" .Release "Chart" .Chart) | indent 6 }} +{{- include "pulsar.authConfiguration" (dict "Values" .Values "Component" .Values.broker.component "Release" .Release "Chart" .Chart) | indent 6 }} {{- if .Values.tls.broker.enabled }} superUserRoles: "{{ .Values.auth.superUsers.broker }},{{ .Release.Name }}-sn-platform-broker,{{ .Release.Name }}-sn-platform-proxy,{{ .Release.Name }}-sn-platform-toolset" {{- else }}
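Review bot: `Component` is taken from `.Values.broker.component` while `pulsar.authConfiguration` matches on the literal `"broker"`, so renaming the component in values drops `brokerClientTlsEnabled` and the broker's own TLS client credential from the rendered config without any error. Prefer `(dict "Values" .Values "Component" "broker" "Release" .Release "Chart" .Chart)` here, or add a `fail` branch in the define for the case where `auth.authentication.tls.enabled` is set and `Component` matches neither expected name, so a misconfiguration fails at render time instead of at the first broker-to-broker connection.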