[feat][fn] PIP-257: Support mounting k8s ServiceAccount for OIDC auth #19888
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaeljmarshall
added
area/function
area/security
doc-required
michaeljmarshall
requested review from
lhotari,
gaozhangmin,
eolivelli and
nlu90
eolivelli
reviewed
Mar 22, 2023
| } | ||
|
|
||
| @Override | ||
| public void initialize(CoreV1Api coreClient) { |
There was a problem hiding this comment.
this method is not meant to be called, I suggest to throw an exception here
There was a problem hiding this comment.
The Pulsar Function Worker does not call this method. We could probably deprecate now and remove it later, if we want. It is used in another implementation here:
From an API design perspective, it seems like we only need the initialize method and could deprecate the setCaBytes and setNamespaceProviderFunc methods as well since they are only called in the initialize method and never outside of the class.
| @FieldContext( | ||
| doc = "The Kubernetes secret containing the broker's trust certs. If it is not set, the function will not" | ||
| + " use a custom trust store. The secret must already exist in each function's target namespace." | ||
| + " The secret must contain a key named `ca.crt` with the trust certs." |
There was a problem hiding this comment.
is there any expectations about the "format" of the file ?
should we have an entry which describes the format used to create the file ?
There was a problem hiding this comment.
Great question. First, I think I might have needed to use ca.pem. Would that clear things up?
Second, the current design reads the bytes from the file at this path:
and that relies on:
So we do not allow for configuration at the moment, and we expect users to provide the right format already. We can, of course, improve on that design.
|
/pulsarbot rerun-failure-checks |
…worker-k8s-service-account
Codecov Report
@@ Coverage Diff @@
## master #19888 +/- ##
============================================
+ Coverage 71.70% 72.85% +1.15%
- Complexity 31368 31611 +243
============================================
Files 1848 1862 +14
Lines 137151 137453 +302
Branches 15111 15133 +22
============================================
+ Hits 98338 100138 +1800
+ Misses 30904 29357 -1547
- Partials 7909 7958 +49
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
Hi @michaeljmarshall thanks for bringing this feature! I see this PR is labeled with doc-required, for these new configurations, do we need to add some instructions and usage examples to function docs? If so, feel free to add docs and ping me review. Thank you! |
1 task
michaeljmarshall
added a commit
that referenced
this pull request
Apr 19, 2023
…20144) PIP: #19849 ### Motivation The new `KubernetesServiceAccountTokenAuthProvider` introduced by #19888 does not configure the authentication for download because there is an unnecessary check that the `getFunctionAuthenticationSpec` is not `null`. Given that we do not use this spec in creating the auth, it is unnecessary to use here. Further, when we construct the function's authentication, we do not have this null check. See: https://github.com/apache/pulsar/blob/ec102fb024a6ea2b195826778300f20e330dff06/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/RuntimeUtils.java#L411-L417 ### Modifications * Update the `KubernetesRuntime` to add authentication params to the download command when provided. ### Verifying this change A new test is added. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping for this trivial PR
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Apr 19, 2023
…apache#19888) PIP: apache#19771 In order to make OIDC work with functions, we must give them a way to authenticate with the broker using tokens that are able to be validated by an using an Authorization Server. This PR introduces the `KubernetesServiceAccountAuthProvider`. * Create an `KubernetesServiceAccountAuthProvider` implementation. It adds a service account token volume projection as defined in the k8s docs [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection). The implementation provides a way to specify the expiration time that the token will receive. * Instead of creating a secret with the broker's trusted `ca.crt` in it, this new `KubernetesServiceAccountAuthProvider` expects a secret to already exist with the `ca.crt`. The major advantage for this implementation is that when the `ca.crt` is rotated, we can refresh it (assuming the client is configured to observe the updated file). * Add support for specifying the token's expiration and audience. * One point of divergence from the `KubernetesSecretsTokenAuthProvider` implementation is that I did not provide a way for functions to authenticate as the anonymous role. It seems like a stretch that functions would use such authentication because it will not be multi-tenant. However, if that is a concern, we can add the support. * The feature will be configured with the following yaml: ```yaml functionRuntimeFactoryConfigs: kubernetesFunctionAuthProviderConfig: brokerClientTrustCertsSecretName: "secret-name" serviceAccountTokenExpirationSeconds: 3600 serviceAccountTokenAudience: "pulsar-cluster-audience" ``` I verified the correctness of the code with unit tests. I'll verify the integration with k8s once we've determined this PR's design is correct. This adds new configuration options to the function worker. - [x] `doc-required` PR in forked repository: #36 (cherry picked from commit 067e3c0)
michaeljmarshall
added a commit
that referenced
this pull request
Apr 19, 2023
…20144) PIP: #19849 ### Motivation The new `KubernetesServiceAccountTokenAuthProvider` introduced by #19888 does not configure the authentication for download because there is an unnecessary check that the `getFunctionAuthenticationSpec` is not `null`. Given that we do not use this spec in creating the auth, it is unnecessary to use here. Further, when we construct the function's authentication, we do not have this null check. See: https://github.com/apache/pulsar/blob/ec102fb024a6ea2b195826778300f20e330dff06/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/RuntimeUtils.java#L411-L417 ### Modifications * Update the `KubernetesRuntime` to add authentication params to the download command when provided. ### Verifying this change A new test is added. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping for this trivial PR (cherry picked from commit 4f2b8e2)
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Apr 20, 2023
…pache#20144) PIP: apache#19849 ### Motivation The new `KubernetesServiceAccountTokenAuthProvider` introduced by apache#19888 does not configure the authentication for download because there is an unnecessary check that the `getFunctionAuthenticationSpec` is not `null`. Given that we do not use this spec in creating the auth, it is unnecessary to use here. Further, when we construct the function's authentication, we do not have this null check. See: https://github.com/apache/pulsar/blob/ec102fb024a6ea2b195826778300f20e330dff06/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/RuntimeUtils.java#L411-L417 ### Modifications * Update the `KubernetesRuntime` to add authentication params to the download command when provided. ### Verifying this change A new test is added. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping for this trivial PR (cherry picked from commit 4f2b8e2)
1 task
Anonymitaet
removed
the
doc-required
Anonymitaet
added
the
doc-complete
1 task
|
Docs added here: apache/pulsar-site#570 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PIP: #19771
Motivation
In order to make OIDC work with functions, we must give them a way to authenticate with the broker using tokens that are able to be validated by an using an Authorization Server. This PR introduces the
KubernetesServiceAccountAuthProvider.Modifications
Create an
KubernetesServiceAccountAuthProviderimplementation. It adds a service account token volume projection as defined in the k8s docs here. The implementation provides a way to specify the expiration time that the token will receive.Instead of creating a secret with the broker's trusted
ca.crtin it, this newKubernetesServiceAccountAuthProviderexpects a secret to already exist with theca.crt. The major advantage for this implementation is that when theca.crtis rotated, we can refresh it (assuming the client is configured to observe the updated file).Add support for specifying the token's expiration and audience.
One point of divergence from the
KubernetesSecretsTokenAuthProviderimplementation is that I did not provide a way for functions to authenticate as the anonymous role. It seems like a stretch that functions would use such authentication because it will not be multi-tenant. However, if that is a concern, we can add the support.The feature will be configured with the following yaml:
Verifying this change
I verified the correctness of the code with unit tests. I'll verify the integration with k8s once we've determined this PR's design is correct.
Does this pull request potentially affect one of the following parts:
This adds new configuration options to the function worker.
Documentation
doc-requiredMatching PR in forked repository
PR in forked repository: michaeljmarshall#36