程序包 org.apache.pulsar.functions.auth

类 KubernetesServiceAccountTokenAuthProvider

java.lang.Object

org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider

所有已实现的接口:

FunctionAuthProvider, KubernetesFunctionAuthProvider

public class KubernetesServiceAccountTokenAuthProvider
extends Object
implements KubernetesFunctionAuthProvider

Kubernetes Function Authentication Provider that adds Service Account Token Projection to a function pod's container definition. This token can be used to authenticate the function instance with the broker and the function worker via OpenId Connect when each server is configured to trust the kubernetes issuer. See docs for additional details. Relevant settings:

brokerClientTrustCertsSecretName: The Kubernetes secret containing the broker's trust certs. If it is not set, the function will not use a custom trust store. The secret must already exist in each function's target namespace. The secret must contain a key named `ca.crt` with the trust certs. Only the ca.crt will be mounted.

serviceAccountTokenExpirationSeconds: The expiration for the token created by the KubernetesServiceAccountTokenAuthProvider. The default value is 3600 seconds.

serviceAccountTokenAudience: The audience for the token created by the KubernetesServiceAccountTokenAuthProvider.

Note: the pod inherits the namespace's default service account.

构造器概要

构造器

构造器	说明
KubernetesServiceAccountTokenAuthProvider()

方法概要

修饰符和类型	方法	说明
Optional<FunctionAuthData>	cacheAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, AuthenticationDataSource authenticationDataSource)	No need to cache anything.
void	cleanUpAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> functionAuthData)	No need to clean up anything.
void	configureAuthDataStatefulSet(io.kubernetes.client.openapi.models.V1StatefulSet statefulSet, Optional<FunctionAuthData> functionAuthData)	Configure function statefulset spec based on function auth data.
void	configureAuthenticationConfig(AuthenticationConfig authConfig, Optional<FunctionAuthData> functionAuthData)	Set authentication configs for function instance based on the data in FunctionAuthenticationSpec.
void	initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient)
void	initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient, byte[] caBytes, Function<org.apache.pulsar.functions.proto.Function.FunctionDetails,String> namespaceCustomizerFunc, Map<String,Object> config)
Optional<FunctionAuthData>	updateAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> existingFunctionAuthData, AuthenticationDataSource authenticationDataSource)	No need to update anything.

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

从接口继承的方法 org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider

initialize, setCaBytes, setNamespaceProviderFunc

构造器详细资料

KubernetesServiceAccountTokenAuthProvider

public KubernetesServiceAccountTokenAuthProvider()

方法详细资料

initialize

public void initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient,
 byte[] caBytes,
 Function<org.apache.pulsar.functions.proto.Function.FunctionDetails,String> namespaceCustomizerFunc,
 Map<String,Object> config)

指定者:

initialize 在接口中 KubernetesFunctionAuthProvider

configureAuthenticationConfig

public void configureAuthenticationConfig(AuthenticationConfig authConfig,
 Optional<FunctionAuthData> functionAuthData)

从接口复制的说明: FunctionAuthProvider

Set authentication configs for function instance based on the data in FunctionAuthenticationSpec.

指定者:

configureAuthenticationConfig 在接口中 FunctionAuthProvider

参数:

authConfig - authentication configs passed to the function instance

functionAuthData - function authentication data that is provider specific

cacheAuthData

public Optional<FunctionAuthData> cacheAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails,
 AuthenticationDataSource authenticationDataSource)
                                         throws Exception

No need to cache anything. Kubernetes generates the token used for authentication.

指定者:

cacheAuthData 在接口中 FunctionAuthProvider

参数:

funcDetails - the function details

authenticationDataSource - auth data

返回:

抛出:

Exception

updateAuthData

public Optional<FunctionAuthData> updateAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails,
 Optional<FunctionAuthData> existingFunctionAuthData,
 AuthenticationDataSource authenticationDataSource)
                                          throws Exception

No need to update anything. Kubernetes updates the token used for authentication.

指定者:

updateAuthData 在接口中 FunctionAuthProvider

抛出:

Exception

cleanUpAuthData

public void cleanUpAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails,
 Optional<FunctionAuthData> functionAuthData)
                     throws Exception

No need to clean up anything. Kubernetes cleans up the secret when the pod is deleted.

指定者:

cleanUpAuthData 在接口中 FunctionAuthProvider

参数:

funcDetails - the function details

functionAuthData - function auth data

抛出:

Exception

initialize

public void initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient)

指定者:

initialize 在接口中 KubernetesFunctionAuthProvider

configureAuthDataStatefulSet

public void configureAuthDataStatefulSet(io.kubernetes.client.openapi.models.V1StatefulSet statefulSet,
 Optional<FunctionAuthData> functionAuthData)

从接口复制的说明: KubernetesFunctionAuthProvider

Configure function statefulset spec based on function auth data.

指定者:

configureAuthDataStatefulSet 在接口中 KubernetesFunctionAuthProvider

参数:

statefulSet - statefulset spec for function

functionAuthData - function auth data