update auth and tls settings (#160)

* update auth and tls settings Co-authored-by: guangning <guangning@apache.org>
streamnative · May 21, 2021 · 66e7b97 · 66e7b97
1 parent 094eae7
commit 66e7b97
Show file tree

Hide file tree

Showing 26 changed files with 367 additions and 179 deletions.
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -31,7 +31,18 @@ type PulsarMessaging struct {
 	// webServiceURL
 	// brokerServiceURL
 	PulsarConfig string `json:"pulsarConfig,omitempty"`
-	AuthConfig   string `json:"authConfig,omitempty"`
+
+	// The auth secret should contain the following fields
+	// clientAuthenticationPlugin
+	// clientAuthenticationParameters
+	AuthSecret string `json:"authSecret,omitempty"`
+
+	// The TLS secret should contain the following fields
+	// use_tls
+	// tls_allow_insecure
+	// hostname_verification_enabled
+	// tls_trust_cert_path
+	TLSSecret string `json:"tlsSecret,omitempty"`
 }
 
 type PodPolicy struct {

diff --git a/config/crd/bases/compute.functionmesh.io_functionmeshes.yaml b/config/crd/bases/compute.functionmesh.io_functionmeshes.yaml
@@ -2192,10 +2192,12 @@ spec:
                     type: string
                   pulsar:
                     properties:
-                      authConfig:
+                      authSecret:
                         type: string
                       pulsarConfig:
                         type: string
+                      tlsSecret:
+                        type: string
                     type: object
                   python:
                     properties:
@@ -4363,10 +4365,12 @@ spec:
                     type: string
                   pulsar:
                     properties:
-                      authConfig:
+                      authSecret:
                         type: string
                       pulsarConfig:
                         type: string
+                      tlsSecret:
+                        type: string
                     type: object
                   python:
                     properties:
@@ -6513,10 +6517,12 @@ spec:
                     type: string
                   pulsar:
                     properties:
-                      authConfig:
+                      authSecret:
                         type: string
                       pulsarConfig:
                         type: string
+                      tlsSecret:
+                        type: string
                     type: object
                   python:
                     properties:

diff --git a/config/crd/bases/compute.functionmesh.io_functions.yaml b/config/crd/bases/compute.functionmesh.io_functions.yaml
@@ -2193,10 +2193,12 @@ spec:
               type: string
             pulsar:
               properties:
-                authConfig:
+                authSecret:
                   type: string
                 pulsarConfig:
                   type: string
+                tlsSecret:
+                  type: string
               type: object
             python:
               properties:

diff --git a/config/crd/bases/compute.functionmesh.io_sinks.yaml b/config/crd/bases/compute.functionmesh.io_sinks.yaml
@@ -2128,10 +2128,12 @@ spec:
               type: string
             pulsar:
               properties:
-                authConfig:
+                authSecret:
                   type: string
                 pulsarConfig:
                   type: string
+                tlsSecret:
+                  type: string
               type: object
             python:
               properties:

diff --git a/config/crd/bases/compute.functionmesh.io_sources.yaml b/config/crd/bases/compute.functionmesh.io_sources.yaml
@@ -2103,10 +2103,12 @@ spec:
               type: string
             pulsar:
               properties:
-                authConfig:
+                authSecret:
                   type: string
                 pulsarConfig:
                   type: string
+                tlsSecret:
+                  type: string
               type: object
             python:
               properties:

diff --git a/config/samples/compute_v1alpha1_function.yaml b/config/samples/compute_v1alpha1_function.yaml
@@ -34,7 +34,8 @@ spec:
         key: "password"
   pulsar:
     pulsarConfig: "test-pulsar"
-    #authConfig: "test-auth"
+    authSecret: "test-auth"
+    tlsSecret: "test-tls"
   volumeMounts:
     - mountPath: /cache
       name: cache-volume
@@ -73,6 +74,23 @@ metadata:
 data:
     webServiceURL: http://test-pulsar-broker.default.svc.cluster.local:8080
     brokerServiceURL: pulsar://test-pulsar-broker.default.svc.cluster.local:6650
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-auth
+stringData:
+  clientAuthenticationPlugin: admin
+  clientAuthenticationParameters: t0p-Secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-tls
+stringData:
+  tlsTrustCertsFilePath: "uvw"
+  tlsAllowInsecureConnection: "false"
+  tlsHostnameVerificationEnable: "true"
 #---
 #apiVersion: v1
 #kind: ConfigMap

diff --git a/config/samples/compute_v1alpha1_function_crypto.yaml b/config/samples/compute_v1alpha1_function_crypto.yaml
@@ -51,7 +51,6 @@ spec:
       key: "password"
   pulsar:
     pulsarConfig: "test-pulsar"
-    #authConfig: "test-auth"
   java:
     jar: pulsar-functions-api-examples.jar
     jarLocation: public/default/nlu-test-java-function
@@ -66,18 +65,6 @@ metadata:
 data:
   webServiceURL: http://test-pulsar-broker.default.svc.cluster.local:8080
   brokerServiceURL: pulsar://test-pulsar-broker.default.svc.cluster.local:6650
-#---
-#apiVersion: v1
-#kind: ConfigMap
-#metadata:
-#  name: test-auth
-#data:
-#  clientAuthenticationPlugin: "abc"
-#  clientAuthenticationParameters: "xyz"
-#  tlsTrustCertsFilePath: "uvw"
-#  useTls: "true"
-#  tlsAllowInsecureConnection: "false"
-#  tlsHostnameVerificationEnable: "true"
 ---
 apiVersion: v1
 data:

diff --git a/config/samples/compute_v1alpha1_function_key_based_batcher.yaml b/config/samples/compute_v1alpha1_function_key_based_batcher.yaml
@@ -37,7 +37,6 @@ spec:
       key: "password"
   pulsar:
     pulsarConfig: "test-pulsar"
-    #authConfig: "test-auth"
   volumeMounts:
     - mountPath: /cache
       name: cache-volume
@@ -75,18 +74,6 @@ metadata:
 data:
   webServiceURL: http://test-pulsar-broker.default.svc.cluster.local:8080
   brokerServiceURL: pulsar://test-pulsar-broker.default.svc.cluster.local:6650
-#---
-#apiVersion: v1
-#kind: ConfigMap
-#metadata:
-#  name: test-auth
-#data:
-#  clientAuthenticationPlugin: "abc"
-#  clientAuthenticationParameters: "xyz"
-#  tlsTrustCertsFilePath: "uvw"
-#  useTls: "true"
-#  tlsAllowInsecureConnection: "false"
-#  tlsHostnameVerificationEnable: "true"
 ---
 apiVersion: v1
 data:

diff --git a/config/samples/compute_v1alpha1_go_function.yaml b/config/samples/compute_v1alpha1_go_function.yaml
@@ -31,7 +31,6 @@ spec:
         key: "password"
   pulsar:
     pulsarConfig: "test-go-pulsar"
-    #authConfig: "test-auth"
   golang:
     go: go_func_all
     goLocation: public/default/nlu-test-go-function
@@ -48,18 +47,6 @@ metadata:
 data:
     webServiceURL: http://test-pulsar-broker.default.svc.cluster.local:8080
     brokerServiceURL: pulsar://test-pulsar-broker.default.svc.cluster.local:6650
-#---
-#apiVersion: v1
-#kind: ConfigMap
-#metadata:
-#  name: test-auth
-#data:
-#  clientAuthenticationPlugin: "abc"
-#  clientAuthenticationParameters: "xyz"
-#  tlsTrustCertsFilePath: "uvw"
-#  useTls: "true"
-#  tlsAllowInsecureConnection: "false"
-#  tlsHostnameVerificationEnable: "true"
 ---
 apiVersion: v1
 data:

diff --git a/config/samples/compute_v1alpha1_py_function.yaml b/config/samples/compute_v1alpha1_py_function.yaml
@@ -32,7 +32,6 @@ spec:
         key: "password"
   pulsar:
     pulsarConfig: "test-py-pulsar"
-    #authConfig: "test-auth"
   python:
     py: exclamation_function.py
     pyLocation: public/default/nlu-test-py-function
@@ -49,18 +48,6 @@ metadata:
 data:
     webServiceURL: http://test-pulsar-broker.default.svc.cluster.local:8080
     brokerServiceURL: pulsar://test-pulsar-broker.default.svc.cluster.local:6650
-#---
-#apiVersion: v1
-#kind: ConfigMap
-#metadata:
-#  name: test-auth
-#data:
-#  clientAuthenticationPlugin: "abc"
-#  clientAuthenticationParameters: "xyz"
-#  tlsTrustCertsFilePath: "uvw"
-#  useTls: "true"
-#  tlsAllowInsecureConnection: "false"
-#  tlsHostnameVerificationEnable: "true"
 ---
 apiVersion: v1
 data:

diff --git a/controllers/spec/common.go b/controllers/spec/common.go
@@ -161,9 +161,11 @@ func MakePodTemplate(container *corev1.Container, volumes []corev1.Volume,
 	}
 }
 
-func MakeJavaFunctionCommand(downloadPath, packageFile, name, clusterName, details, memory, extraDependenciesDir string, authProvided bool) []string {
+func MakeJavaFunctionCommand(downloadPath, packageFile, name, clusterName, details, memory, extraDependenciesDir string,
+	authProvided, tlsProvided bool) []string {
 	processCommand := setShardIDEnvironmentVariableCommand() + " && " +
-		strings.Join(getProcessJavaRuntimeArgs(name, packageFile, clusterName, details, memory, extraDependenciesDir, authProvided), " ")
+		strings.Join(getProcessJavaRuntimeArgs(name, packageFile, clusterName, details,
+			memory, extraDependenciesDir, authProvided, tlsProvided), " ")
 	if downloadPath != "" {
 		// prepend download command if the downPath is provided
 		downloadCommand := strings.Join(getDownloadCommand(downloadPath, packageFile), " ")
@@ -172,9 +174,11 @@ func MakeJavaFunctionCommand(downloadPath, packageFile, name, clusterName, detai
 	return []string{"sh", "-c", processCommand}
 }
 
-func MakePythonFunctionCommand(downloadPath, packageFile, name, clusterName, details string, authProvided bool) []string {
+func MakePythonFunctionCommand(downloadPath, packageFile, name, clusterName, details string,
+	authProvided, tlsProvided bool) []string {
 	processCommand := setShardIDEnvironmentVariableCommand() + " && " +
-		strings.Join(getProcessPythonRuntimeArgs(name, packageFile, clusterName, details, authProvided), " ")
+		strings.Join(getProcessPythonRuntimeArgs(name, packageFile, clusterName,
+			details, authProvided, tlsProvided), " ")
 	if downloadPath != "" {
 		// prepend download command if the downPath is provided
 		downloadCommand := strings.Join(getDownloadCommand(downloadPath, packageFile), " ")
@@ -231,11 +235,10 @@ func hasPackageNamePrefix(packagesName string) bool {
 }
 
 func setShardIDEnvironmentVariableCommand() string {
-	tlsCommand := "if [ \"$useTls\" = \"true\" ]; then TLS_PARAMETERS=\"--use_tls $useTls --tls_allow_insecure $tlsAllowInsecureConnection --hostname_verification_enabled $tlsHostnameVerificationEnable --tls_trust_cert_path $tlsTrustCertsFilePath\"; else TLS_PARAMETERS=\"--use_tls false\"; fi"
-	return fmt.Sprintf("%s=${POD_NAME##*-} && echo shardId=${%s} && %s", EnvShardID, EnvShardID, tlsCommand)
+	return fmt.Sprintf("%s=${POD_NAME##*-} && echo shardId=${%s}", EnvShardID, EnvShardID)
 }
 
-func getProcessJavaRuntimeArgs(name, packageName, clusterName, details, memory, extraDependenciesDir string, authProvided bool) []string {
+func getProcessJavaRuntimeArgs(name, packageName, clusterName, details, memory, extraDependenciesDir string, authProvided, tlsProvided bool) []string {
 	classPath := "/pulsar/instances/java-instance.jar"
 	if extraDependenciesDir != "" {
 		classPath = fmt.Sprintf("%s:%s/*", classPath, extraDependenciesDir)
@@ -254,12 +257,12 @@ func getProcessJavaRuntimeArgs(name, packageName, clusterName, details, memory,
 		"--jar",
 		packageName,
 	}
-	sharedArgs := getSharedArgs(details, clusterName, authProvided)
+	sharedArgs := getSharedArgs(details, clusterName, authProvided, tlsProvided)
 	args = append(args, sharedArgs...)
 	return args
 }
 
-func getProcessPythonRuntimeArgs(name, packageName, clusterName, details string, authProvided bool) []string {
+func getProcessPythonRuntimeArgs(name, packageName, clusterName, details string, authProvided, tlsProvided bool) []string {
 	args := []string{
 		"exec",
 		"python",
@@ -274,13 +277,13 @@ func getProcessPythonRuntimeArgs(name, packageName, clusterName, details string,
 		"/pulsar/conf/functions-logging/console_logging_config.ini",
 		// TODO: Maybe we don't need installUserCodeDependencies, dependency_repository, and pythonExtraDependencyRepository
 	}
-	sharedArgs := getSharedArgs(details, clusterName, authProvided)
+	sharedArgs := getSharedArgs(details, clusterName, authProvided, tlsProvided)
 	args = append(args, sharedArgs...)
 	return args
 }
 
 // This method is suitable for Java and Python runtime, not include Go runtime.
-func getSharedArgs(details, clusterName string, authProvided bool) []string {
+func getSharedArgs(details, clusterName string, authProvided bool, tlsProvided bool) []string {
 	args := []string{
 		"--instance_id",
 		"${" + EnvShardID + "}",
@@ -312,7 +315,23 @@ func getSharedArgs(details, clusterName string, authProvided bool) []string {
 			"$clientAuthenticationParameters"}...)
 	}
 
-	args = append(args, []string{"$TLS_PARAMETERS"}...)
+	if tlsProvided {
+		args = append(args, []string{
+			"--use_tls",
+			"true",
+			"--tls_allow_insecure",
+			"$tlsAllowInsecureConnection",
+			"--hostname_verification_enabled",
+			"$tlsHostnameVerificationEnable",
+			"--tls_trust_cert_path",
+			"$tlsTrustCertsFilePath",
+		}...)
+	} else {
+		args = append(args, []string{
+			"--use_tls",
+			"false",
+		}...)
+	}
 
 	return args
 }
@@ -418,17 +437,25 @@ func generateContainerEnv(secrets map[string]v1alpha1.SecretRef) []corev1.EnvVar
 	return vars
 }
 
-func generateContainerEnvFrom(messagingConfig string, authConfig string) []corev1.EnvFromSource {
+func generateContainerEnvFrom(messagingConfig string, authSecret string, tlsSecret string) []corev1.EnvFromSource {
 	envs := []corev1.EnvFromSource{{
 		ConfigMapRef: &corev1.ConfigMapEnvSource{
 			LocalObjectReference: corev1.LocalObjectReference{Name: messagingConfig},
 		},
 	}}
 
-	if authConfig != "" {
+	if authSecret != "" {
+		envs = append(envs, corev1.EnvFromSource{
+			SecretRef: &corev1.SecretEnvSource{
+				LocalObjectReference: corev1.LocalObjectReference{Name: authSecret},
+			},
+		})
+	}
+
+	if tlsSecret != "" {
 		envs = append(envs, corev1.EnvFromSource{
-			ConfigMapRef: &corev1.ConfigMapEnvSource{
-				LocalObjectReference: corev1.LocalObjectReference{Name: authConfig},
+			SecretRef: &corev1.SecretEnvSource{
+				LocalObjectReference: corev1.LocalObjectReference{Name: tlsSecret},
 			},
 		})
 	}

diff --git a/controllers/spec/common_test.go b/controllers/spec/common_test.go
@@ -183,12 +183,11 @@ func TestMakeGoFunctionCommand(t *testing.T) {
 	innerCommands := strings.Split(commands[2], "&&")
 	assert.Equal(t, innerCommands[0], "SHARD_ID=${POD_NAME##*-} ")
 	assert.Equal(t, innerCommands[1], " echo shardId=${SHARD_ID} ")
-	assert.Equal(t, innerCommands[2], " if [ \"$useTls\" = \"true\" ]; then TLS_PARAMETERS=\"--use_tls $useTls --tls_allow_insecure $tlsAllowInsecureConnection --hostname_verification_enabled $tlsHostnameVerificationEnable --tls_trust_cert_path $tlsTrustCertsFilePath\"; else TLS_PARAMETERS=\"--use_tls false\"; fi ")
-	assert.True(t, strings.HasPrefix(innerCommands[3], " GO_FUNCTION_CONF"))
-	assert.Equal(t, innerCommands[4], " goFunctionConfigs=${GO_FUNCTION_CONF} ")
-	assert.Equal(t, innerCommands[5], " echo goFunctionConfigs=\"'${goFunctionConfigs}'\" ")
-	assert.Equal(t, innerCommands[6], " chmod +x /pulsar/go-func ")
-	assert.Equal(t, innerCommands[7], " exec /pulsar/go-func -instance-conf ${goFunctionConfigs}")
+	assert.True(t, strings.HasPrefix(innerCommands[2], " GO_FUNCTION_CONF"))
+	assert.Equal(t, innerCommands[3], " goFunctionConfigs=${GO_FUNCTION_CONF} ")
+	assert.Equal(t, innerCommands[4], " echo goFunctionConfigs=\"'${goFunctionConfigs}'\" ")
+	assert.Equal(t, innerCommands[5], " chmod +x /pulsar/go-func ")
+	assert.Equal(t, innerCommands[6], " exec /pulsar/go-func -instance-conf ${goFunctionConfigs}")
 }
 
 const TestClusterName string = "test-pulsar"