From f20756abb848801058ce45c2bb04d564ae349d97 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Tue, 16 Jan 2024 04:48:58 -0800
Subject: [PATCH] Support configuring "proxyRoles" in broker (#430)

* Add support for proxyRoles
* Test produce and consume via Pulsar proxy
---
 .ci/helm.sh | 17 +++++++++++++++++
 charts/pulsar/templates/broker-configmap.yaml | 4 ++++
 charts/pulsar/templates/proxy-configmap.yaml | 4 ++++
 charts/pulsar/values.yaml | 3 +++
 4 files changed, 28 insertions(+)

diff --git a/.ci/helm.sh b/.ci/helm.sh
index 3284b0fd..4838e4e4 100644
--- a/.ci/helm.sh
+++ b/.ci/helm.sh
@@ -164,6 +164,15 @@ function ci::install_pulsar_chart() {
 # ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -L http://pulsar-ci-proxy:8080/status.html)" == "OK" ]; do sleep 3; done'
 }
+helm_values_cached=""
+
+function ci::helm_values_for_deployment() {
+ if [[ -z "${helm_values_cached}" ]]; then
+ helm_values_cached=$(helm get values -n ${NAMESPACE} ${CLUSTER} -a -o yaml)
+ fi
+ printf "%s" "${helm_values_cached}"
+}
+
 function ci::test_pulsar_producer_consumer() {
 sleep 120
 ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done'
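Review bot: The cache in `ci::helm_values_for_deployment` does not survive the way the function is called later in this patch: `$(ci::helm_values_for_deployment | yq .tls.proxy.enabled)` runs it in a subshell, so the assignment to `helm_values_cached` is discarded and every call runs `helm get values` again. Either drop the cache or fill it once in the calling shell before it is read, for example with `ci::helm_values_for_deployment >/dev/null` ahead of the first `$(...)` use. `${NAMESPACE}` and `${CLUSTER}` are also unquoted in the `helm get values` call; `-n "${NAMESPACE}" "${CLUSTER}"` avoids word splitting.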
@@ -178,6 +187,14 @@ function ci::test_pulsar_producer_consumer() {
 ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test pulsar-ci/test/test-topic
 ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m "test-message" pulsar-ci/test/test-topic
 ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client consume -s test pulsar-ci/test/test-topic
+ ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test2 pulsar-ci/test/test-topic
+ if [[ "$(ci::helm_values_for_deployment | yq .tls.proxy.enabled)" == "true" ]]; then
+ PROXY_URL="pulsar+ssl://pulsar-ci-proxy:6651"
+ else
+ PROXY_URL="pulsar://pulsar-ci-proxy:6650"
+ fi
+ ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" produce -m "test-message2" pulsar-ci/test/test-topic
+ ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" consume -s test2 pulsar-ci/test/test-topic
 }
 function ci::wait_function_running() {
diff --git a/charts/pulsar/templates/broker-configmap.yaml b/charts/pulsar/templates/broker-configmap.yaml
index c02a4dfd..ab903d14 100644
--- a/charts/pulsar/templates/broker-configmap.yaml
+++ b/charts/pulsar/templates/broker-configmap.yaml
@@ -114,6 +114,10 @@ data:
 {{- if .Values.auth.authorization.enabled }}
 authorizationEnabled: "true"
 superUserRoles: {{ .Values.auth.superUsers | values | sortAlpha | join "," }}
+ {{- if .Values.auth.useProxyRoles }}
+ proxyRoles: {{ .Values.auth.superUsers.proxy }}
+ {{- end }}
+
 {{- end }}
 {{- if eq .Values.auth.authentication.provider "jwt" }}
 # token authentication configuration
diff --git a/charts/pulsar/templates/proxy-configmap.yaml b/charts/pulsar/templates/proxy-configmap.yaml
index 5770abae..0d82d8b8 100644
--- a/charts/pulsar/templates/proxy-configmap.yaml
+++ b/charts/pulsar/templates/proxy-configmap.yaml
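Review bot: The added proxy check only exercises the success path, so it would pass just as well if the broker ignored `proxyRoles`; nothing here asserts that a client without permissions on `pulsar-ci/test/test-topic` is refused when it connects through `${PROXY_URL}`. Which credentials the toolset's `pulsar-client` uses is not visible in this hunk, but if they belong to a superuser role the test cannot tell whether the original principal is being authorized. Consider adding, for the auth-enabled CI variants, a produce attempt with a non-privileged role that is expected to fail. Separately, any `yq` result other than `true` (including empty output from a failed `helm get values`) selects the plaintext URL, and `PROXY_URL` should be declared with `local PROXY_URL`. The function body starts outside the hunk.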
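Review bot: `proxyRoles: {{ .Values.auth.superUsers.proxy }}` is rendered without checking that the value is set, so an override that sets `auth.superUsers.proxy` to null or an empty string yields an empty `proxyRoles` while `auth.useProxyRoles` still reads as enabled. Failing at render time is safer than a broker that silently has no proxy role configured: `proxyRoles: {{ required "auth.superUsers.proxy must be set when auth.useProxyRoles is true" .Values.auth.superUsers.proxy | quote }}`. The `superUserRoles` line above still lists the proxy role on the broker, which matches the comment this commit adds in values.yaml; a short template comment saying so would keep a later reader from treating it as an oversight. The enclosing `data:` block starts and ends outside the hunk.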
@@ -64,8 +64,12 @@ data:
 # disable authorization on proxy and forward authorization credentials to broker
 authorizationEnabled: "false"
 forwardAuthorizationCredentials: "true"
+ {{- if .Values.auth.useProxyRoles }}
+ superUserRoles: {{ omit .Values.auth.superUsers "proxy" | values | sortAlpha | join "," }}
+ {{- else }}
 superUserRoles: {{ .Values.auth.superUsers | values | sortAlpha | join "," }}
 {{- end }}
+ {{- end }}
 {{- if eq .Values.auth.authentication.provider "jwt" }}
 # token authentication configuration
 authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 92f1da2b..167b4c64 100644
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -249,6 +249,9 @@ auth:
 proxy: "proxy-admin"
 # pulsar-admin client to broker/proxy communication
 client: "admin"
+ # omits the above proxy role from superusers on the proxy
+ # and configures it as a proxy role on the broker in addition to the superusers
+ useProxyRoles: true
 ######################################################################
 # External dependencies
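Review bot: `omit .Values.auth.superUsers "proxy" | values | sortAlpha | join ","` produces an empty string when `proxy` is the only entry in `auth.superUsers`, and the line then renders as `superUserRoles:` with no value. Quoting the result keeps the ConfigMap entry a string in that case: `superUserRoles: {{ omit .Values.auth.superUsers "proxy" | values | sortAlpha | join "," | quote }}`. The outer `if` that the last added `{{- end }}` closes lies outside the hunk, so the nesting cannot be fully checked from here.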
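Review bot: The comment on `useProxyRoles` does not say when the setting applies or that it is on by default for existing installs: in broker-configmap.yaml the `proxyRoles` line is only rendered inside `{{- if .Values.auth.authorization.enabled }}`, and `true` here changes the proxy's rendered `superUserRoles` on the next upgrade. Suggested extra comment line: `# only takes effect on the broker when auth.authorization.enabled is true; set to false to keep the proxy role in the proxy's superUserRoles`. The `auth:` block starts outside the hunk.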