apache · lhotari · Feb 21, 2024 · Jan 31, 2022 · Feb 16, 2024 · Feb 16, 2024
diff --git a/.ci/chart_test.sh b/.ci/chart_test.sh
@@ -27,6 +27,7 @@ VALUES_FILE=$1
 TLS=${TLS:-"false"}
 SYMMETRIC=${SYMMETRIC:-"false"}
 FUNCTION=${FUNCTION:-"false"}
+MANAGER=${MANAGER:-"false"}
 
 source ${PULSAR_HOME}/.ci/helm.sh
 
@@ -38,6 +39,10 @@ if [[ "x${SYMMETRIC}" == "xtrue" ]]; then
     extra_opts="-s"
 fi
 
+if [[ "x${EXTRA_SUPERUSERS}" != "x" ]]; then
+    extra_opts="${extra_opts} --pulsar-superusers proxy-admin,broker-admin,admin,${EXTRA_SUPERUSERS}"
+fi
+
 # install pulsar chart
 ci::install_pulsar_chart ${PULSAR_HOME}/${VALUES_FILE} ${extra_opts}
 
@@ -49,5 +54,9 @@ if [[ "x${FUNCTION}" == "xtrue" ]]; then
     ci::test_pulsar_function
 fi
 
+if [[ "x${MANAGER}" == "xtrue" ]]; then
+    ci::test_pulsar_manager ${TLS}
+fi
+
 # delete the cluster
 ci::delete_cluster
diff --git a/.ci/clusters/values-jwt-asymmetric.yaml b/.ci/clusters/values-jwt-asymmetric.yaml
@@ -28,10 +28,10 @@ monitoring:
 affinity:
   anti_affinity: false
 
-# disable auto recovery and pulsar manager
+# disable auto recovery. enable pulsar manager for jwt connectivity testing
 components:
   autorecovery: false
-  pulsar_manager: false
+  pulsar_manager: true
 
 zookeeper:
   replicaCount: 1
@@ -79,3 +79,5 @@ auth:
     proxy: "proxy-admin"
     # pulsar-admin client to broker/proxy communication
     client: "admin"
+    # pulsar-manager to broker communication
+    manager: "manager-admin"
diff --git a/.ci/clusters/values-jwt-symmetric.yaml b/.ci/clusters/values-jwt-symmetric.yaml
@@ -28,10 +28,10 @@ monitoring:
 affinity:
   anti_affinity: false
 
-# disable auto recovery and pulsar manager
+# disable auto recovery. enable pulsar manager for jwt connectivity testing
 components:
   autorecovery: false
-  pulsar_manager: false
+  pulsar_manager: true
 
 zookeeper:
   replicaCount: 1
@@ -79,3 +79,5 @@ auth:
     proxy: "proxy-admin"
     # pulsar-admin client to broker/proxy communication
     client: "admin"
+    # pulsar manager to broker
+    manager: "manager-admin"
diff --git a/.ci/clusters/values-tls.yaml b/.ci/clusters/values-tls.yaml
@@ -28,10 +28,10 @@ monitoring:
 affinity:
   anti_affinity: false
 
-# disable auto recovery and pulsar manager
+# disable auto recovery. enable pulsar manager for unauthenticated connectivity testing
 components:
   autorecovery: false
-  pulsar_manager: false
+  pulsar_manager: true
 
 zookeeper:
   replicaCount: 1

diff --git a/.ci/helm.sh b/.ci/helm.sh
@@ -101,7 +101,7 @@ function ci::collect_k8s_logs() {
 
 function ci::install_pulsar_chart() {
     local value_file=$1
-    local extra_opts=$2
+    local extra_opts="$2 $3 $4 $5 $6"
 
     echo "Installing the pulsar chart"
     ${KUBECTL} create namespace ${NAMESPACE}
@@ -212,3 +212,30 @@ function ci::test_pulsar_function() {
     # ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m "hello pulsar function!" pulsar-ci/test/test_input
     # ci::wait_message_processed
 }
+
+function ci::test_pulsar_manager() {
+    # Get a CSRF token
+    local manager_base_url="http://${CLUSTER}-pulsar-manager:9527/pulsar-manager"
+    local toolset_exec="${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 --"
+    local csrf_token=$(${toolset_exec} curl ${manager_base_url}/csrf-token)
+    local tls=${1:-"false"}
+
+    # Attempt login
+    ${toolset_exec} curl -i --dump-header /tmp/headers -H "X-XSRF-TOKEN: ${csrf_token}" -b "XSRF-TOKEN=${csrf_token}" -H 'Content-Type: application/json' -X POST ${manager_base_url}/login -d "{\"username\":\"pulsar\",\"password\":\"pulsar\"}"
+
+    local admin_token=$(${toolset_exec} grep "token:" /tmp/headers | cut -d' ' -f 2 | sed 's/\r//')
+    local jsessionid=$(${toolset_exec} grep -o -E "JSESSIONID=[A-F0-9]+" /tmp/headers | sed 's/\r//')
+
+    if [[ "x${tls}" == "xtrue" ]]; then
+      local broker_base_url="https://${CLUSTER}-broker:8443"
+    else
+      local broker_base_url="http://${CLUSTER}-broker:8080"
+    fi
+
+    echo "Configuring Manager with pulsar cluster for url ${broker_base_url}"
+
+    # Create the Pulsar cluster, then try to access its contents. This will require that the manager query the broker (using the JWT if configured to do so).    
+    ${toolset_exec} curl -b "${jsessionid}; XSRF-TOKEN=${csrf_token}; ${csrf_token}=${csrf_token}; Admin-Token=${admin_token}; tenant=pulsar; username=pulsar" -H "X-XSRF-TOKEN: ${csrf_token}" -H "token: ${admin_token}" -H "username: pulsar" -H "tenant: pulsar" -H "environment: undefined" -H "Content-Type: application/json" -X PUT ${manager_base_url}/environments/environment -d "{\"name\":\"pulsar\",\"broker\":\"${broker_base_url}\"}"
+
+    ${toolset_exec} curl -b "${jsessionid}; XSRF-TOKEN=${csrf_token}; ${csrf_token}=${csrf_token}; Admin-Token=${admin_token}; tenant=pulsar; username=pulsar; Admin-Environment=pulsar" -H "X-XSRF-TOKEN: ${csrf_token}" -H "token: ${admin_token}" -H "username: pulsar" -H "tenant: pulsar" -H "environment: pulsar" ${manager_base_url}/admin/v2/tenants | grep -o '"tenant":"public"'
+}
diff --git a/.github/workflows/pulsar_jwt_asymmetric.yml b/.github/workflows/pulsar_jwt_asymmetric.yml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-name: Precommit - Pulsar Helm Chart (JWT Secret Key Installation)
+name: Precommit - Pulsar Helm Chart (JWT Public/Private Key + Manager Installation)
 on:
   pull_request:
     branches:
@@ -49,6 +49,8 @@ jobs:
           .ci/chart_test.sh .ci/clusters/values-jwt-asymmetric.yaml
         env:
           SYMMETRIC: "false"
+          EXTRA_SUPERUSERS: "manager-admin"
+          MANAGER: "true"
         # Only build a kind cluster if there are chart changes to test.
         if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
 

diff --git a/.github/workflows/pulsar_jwt_symmetric.yml b/.github/workflows/pulsar_jwt_symmetric.yml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-name: Precommit - Pulsar Helm Chart (JWT Public/Private Key Installation)
+name: Precommit - Pulsar Helm Chart (JWT Secret Key + Manager Installation)
 on:
   pull_request:
     branches:
@@ -49,6 +49,8 @@ jobs:
           .ci/chart_test.sh .ci/clusters/values-jwt-symmetric.yaml
         env:
           SYMMETRIC: "true"
+          EXTRA_SUPERUSERS: "manager-admin"
+          MANAGER: "true"
         # Only build a kind cluster if there are chart changes to test.
         if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
 

diff --git a/.github/workflows/pulsar_tls.yml b/.github/workflows/pulsar_tls.yml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-name: Precommit - Pulsar Helm Chart (TLS Installation)
+name: Precommit - Pulsar Helm Chart (TLS + Manager Installation)
 on:
   pull_request:
     branches:
@@ -47,6 +47,9 @@ jobs:
       - name: Install chart
         run: |
           .ci/chart_test.sh .ci/clusters/values-tls.yaml
+        env:
+          MANAGER: "true"
+          TLS: "true"        
         # Only build a kind cluster if there are chart changes to test.
         if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
 

diff --git a/charts/pulsar/templates/broker-configmap.yaml b/charts/pulsar/templates/broker-configmap.yaml
@@ -110,7 +110,7 @@ data:
   authenticationEnabled: "true"
   {{- if .Values.auth.authorization.enabled }}
   authorizationEnabled: "true"
-  superUserRoles: {{ .Values.auth.superUsers | values | join "," }}
+  superUserRoles: {{ .Values.auth.superUsers | values | compact | join "," }}
   {{- end }}
   {{- if eq .Values.auth.authentication.provider "jwt" }}
   # token authentication configuration

diff --git a/charts/pulsar/templates/proxy-configmap.yaml b/charts/pulsar/templates/proxy-configmap.yaml
@@ -65,7 +65,7 @@ data:
   # disable authorization on proxy and forward authorization credentials to broker
   authorizationEnabled: "false"
   forwardAuthorizationCredentials: "true"
-  superUserRoles: {{ .Values.auth.superUsers | values | join "," }}
+  superUserRoles: {{ .Values.auth.superUsers | values | compact | join "," }}
   {{- end }}
   {{- if eq .Values.auth.authentication.provider "jwt" }}
   # token authentication configuration

diff --git a/charts/pulsar/templates/pulsar-manager-deployment.yaml b/charts/pulsar/templates/pulsar-manager-deployment.yaml
@@ -65,13 +65,60 @@ spec:
           volumeMounts:
           - name: pulsar-manager-data
             mountPath: /data
+        {{- if .Values.auth.authentication.enabled }}
+        {{- if eq .Values.auth.authentication.provider "jwt" }}
+          - name: pulsar-manager-keys
+            mountPath: /pulsar-manager/keys
+        {{- end }}
+        {{- end }}
           envFrom:
           - configMapRef:
               name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}"
           env:
           - name: PULSAR_CLUSTER
             value: {{ template "pulsar.fullname" . }}
-          - name: USERNAME
+          - name: PULSAR_MANAGER_OPTS
+            value: "$(PULSAR_MANAGER_OPTS) -Dlog4j2.formatMsgNoLookups=true"
+        {{- if .Values.auth.authentication.enabled }}
+        {{- if eq .Values.auth.authentication.provider "jwt" }}
+        {{- if .Values.auth.superUsers.manager }}
+          - name: JWT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                key: TOKEN
+                name: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.manager }}"
+        {{- end }}
+        {{- if .Values.auth.authentication.jwt.usingSecretKey }}
+          - name: SECRET_KEY
+            value: file:///pulsar-manager/keys/token/secret.key
+        {{- else }}
+          - name: PRIVATE_KEY
+            value: file:///pulsar-manager/keys/token/private.key
+          - name: PUBLIC_KEY
+            value: file:///pulsar-manager/keys/token/public.key
+        {{- end }}        
+        {{- end }}
+        {{- end }}          
+        {{- include "pulsar.imagePullSecrets" . | nindent 6}}
+      {{- if .Values.pulsar_manager.autoCreateAdminAccount }}
+        - args:
+          - |
+            until curl http://localhost:7750/pulsar-manager; do
+              sleep 3;
+            done;
+            CSRF_TOKEN=$(curl http://localhost:7750/pulsar-manager/csrf-token);
+            curl \
+              -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
+              -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN;" \
+              -H 'Content-Type: application/json' \
+              -X PUT http://localhost:7750/pulsar-manager/users/superuser \
+              -d "{\"name\": \"$SUPERUSER_NAME\", \"password\": \"$SUPERUSER_PASSWORD\", \"description\": \"superuser\", \"email\": \"[email protected]\"}";
+            sleep 1000000000000;
+          command:
+          - sh
+          - -c
+          env:
+          - name: SUPERUSER_NAME
             valueFrom:
               secretKeyRef:
                 key: PULSAR_MANAGER_ADMIN_USER
@@ -80,7 +127,7 @@ spec:
                 {{- else }}
                 name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret"
                 {{- end }}
-          - name: PASSWORD
+          - name: SUPERUSER_PASSWORD
             valueFrom:
               secretKeyRef:
                 key: PULSAR_MANAGER_ADMIN_PASSWORD
@@ -89,11 +136,33 @@ spec:
                 {{- else }}
                 name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret"
                 {{- end }}
-          - name: PULSAR_MANAGER_OPTS
-            value: "$(PULSAR_MANAGER_OPTS) -Dlog4j2.formatMsgNoLookups=true"
-        {{- include "pulsar.imagePullSecrets" . | nindent 6}}
+          image: curlimages/curl:7.81.0
+          imagePullPolicy: IfNotPresent
+          name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-superuser-init"
+      {{- end }}          
       volumes:
         - name: pulsar-manager-data
           emptyDir: {}
-
+      {{- if .Values.auth.authentication.enabled }}
+      {{- if eq .Values.auth.authentication.provider "jwt" }}
+        - name: pulsar-manager-keys
+          secret:
+            defaultMode: 420
+          {{- if .Values.auth.authentication.jwt.usingSecretKey }}
+            secretName: "{{ .Release.Name }}-token-symmetric-key"
+          {{- else }}
+            secretName: "{{ .Release.Name }}-token-asymmetric-key"          
+          {{- end }}
+            items:
+          {{- if .Values.auth.authentication.jwt.usingSecretKey }}
+            - key: SECRETKEY
+              path: token/secret.key
+          {{- else }}
+            - key: PRIVATEKEY
+              path: token/private.key
+            - key: PUBLICKEY
+              path: token/public.key
+          {{- end }}
+      {{- end }}
+      {{- end }}
 {{- end }}
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
@@ -259,6 +259,8 @@ auth:
     proxy: "proxy-admin"
     # pulsar-admin client to broker/proxy communication
     client: "admin"
+    # pulsar-manager to broker communication. If left empty, no jwt setup will be performed in the manager
+    manager: ""
 
 ######################################################################
 # External dependencies
@@ -1105,8 +1107,14 @@ pulsar_manager:
   configData:
     REDIRECT_HOST: "http://127.0.0.1"
     REDIRECT_PORT: "9527"
+    ## DRIVER_CLASS_NAME, URL, USERNAME, and PASSWORD set the datasource connection parameters, the values
+    ## of which have been effectively hardcoded by the container's startup procedure. Changing them
+    ## will probably break pulsar manager, unless you've also customized the image, database, and/or
+    ## database init script.
     DRIVER_CLASS_NAME: org.postgresql.Driver
     URL: jdbc:postgresql://127.0.0.1:5432/pulsar_manager
+    USERNAME: pulsar
+    PASSWORD: pulsar
     LOG_LEVEL: DEBUG
     ## If you enabled authentication support
     ## JWT_TOKEN: <token>
@@ -1134,6 +1142,10 @@ pulsar_manager:
     hostname: ""
     path: "/"
 
+  ## If true, automatically create a Pulsar Manager user account for the admin when the container starts.
+  ## The account's username/password will be set to the values in the configured admin secret. 
+  autoCreateAdminAccount: true
+
   ## If set use existing secret with specified name to set pulsar admin credentials.
   existingSecretName:
   admin: