@addisonj
Contributor

Motivation

Currently, if a user has TLS enabled and is using a custom CA that isn't
baked into the image, when the functions worker starts, it won't have
the CA in order to validate the cert presented by the broker.

Modifications

This adds support to have the KubernetesSecretsTokenAuthProvider
also distribute the CA via the same kubernetes secret used for the
token.

Verifying this change

  • [x] Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

  • Added tests to ensure that the code paths work with and without a CA
  • Added tests to ensure that the filename returned is as expected

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): no
  • The public API: no
  • The schema: no
  • The default values of configurations: no
  • The wire protocol: no
  • The rest endpoints: no
  • The admin cli options: no
  • Anything that affects deployment: no

Documentation

  • Does this pull request introduce a new feature? yes
  • If yes, how is the feature documented? not documented, but the KubernetesSecretsTokenAuthProvider is missing docs completely
  • If a feature is not applicable for documentation, explain why? It does need docs, but the functionality as a whole is missing docs
  • If a feature is not documented yet in this PR, please create a followup issue for adding the documentation

@addisonj
Contributor Author

Added a follow up issue for docs: #5399

@addisonj
Contributor Author

This conflicts with #5400, will need rebased if that is merged first

Contributor

@jerrypeng jerrypeng left a comment

@addisonj thanks for contributing this! I am also in the process of making FunctionAuthProvider pluggable. Currently, which one is used is hard-coded.

@addisonj
Contributor Author

rerun java8 tests
rerun integration tests

@addisonj
Contributor Author

rerun java8 tests

@sijie sijie added this to the 2.5.0 milestone Oct 28, 2019
@sijie sijie merged commit 28b0c3a into apache:master Oct 28, 2019
jerrypeng pushed a commit to jerrypeng/incubator-pulsar that referenced this pull request Dec 17, 2019
…apache#5398)

Currently, if a user has TLS enabled and is using a custom CA that isn't
baked into the image, when the functions worker starts, it won't have
the CA in order to validate the cert presented by the broker.

This adds support to have the `KubernetesSecretsTokenAuthProvider`
also distribute the CA via the same kubernetes secret used for the
token.