Package org.apache.pulsar.functions.auth
Class KubernetesServiceAccountTokenAuthProvider
java.lang.Object
org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider
All Implemented Interfaces: FunctionAuthProvider, KubernetesFunctionAuthProvider
public class KubernetesServiceAccountTokenAuthProvider
extends Object
implements KubernetesFunctionAuthProvider
Kubernetes Function Authentication Provider that adds Service Account Token Projection to a function pod's container
definition. This token can be used to authenticate the function instance with the broker and the function worker via
OpenID Connect when each server is configured to trust the Kubernetes issuer. See docs for additional details.
Relevant settings:
- brokerClientTrustCertsSecretName: The Kubernetes secret containing the broker's trust certs. If it is not set, the function will not use a custom trust store. The secret must already exist in each function's target namespace. The secret must contain a key named `ca.crt` with the trust certs. Only the `ca.crt` will be mounted.
- serviceAccountTokenExpirationSeconds: The expiration for the token created by the KubernetesServiceAccountTokenAuthProvider. The default value is 3600 seconds.
- serviceAccountTokenAudience: The audience for the token created by the KubernetesServiceAccountTokenAuthProvider.
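How the three settings above map onto standard Kubernetes pod-spec objects, as an added example built with the Kubernetes Java client models. It is not Pulsar's implementation; the class name, volume names, mount paths, secret name and audience value are assumptions chosen for illustration.

```java
import io.kubernetes.client.openapi.models.V1Container;
import io.kubernetes.client.openapi.models.V1KeyToPath;
import io.kubernetes.client.openapi.models.V1PodSpec;
import io.kubernetes.client.openapi.models.V1ProjectedVolumeSource;
import io.kubernetes.client.openapi.models.V1SecretVolumeSource;
import io.kubernetes.client.openapi.models.V1ServiceAccountTokenProjection;
import io.kubernetes.client.openapi.models.V1Volume;
import io.kubernetes.client.openapi.models.V1VolumeMount;
import io.kubernetes.client.openapi.models.V1VolumeProjection;
import java.util.List;

// Illustrative sketch only; not the code of KubernetesServiceAccountTokenAuthProvider.
public class ProjectedTokenExample {
    // Hypothetical names, chosen for this example.
    static final String TOKEN_VOLUME = "function-sa-token";
    static final String CA_VOLUME = "broker-trust-certs";

    static void addProjectedToken(V1PodSpec pod, V1Container container,
            String audience, long expirationSeconds, String trustCertsSecretName) {
        // serviceAccountTokenAudience / serviceAccountTokenExpirationSeconds:
        // the kubelet requests a token bound to this audience and lifetime and
        // rewrites the file before expiry, so clients must re-read it.
        pod.addVolumesItem(new V1Volume().name(TOKEN_VOLUME)
            .projected(new V1ProjectedVolumeSource().sources(List.of(
                new V1VolumeProjection().serviceAccountToken(
                    new V1ServiceAccountTokenProjection()
                        .audience(audience)
                        .expirationSeconds(expirationSeconds)
                        .path("token"))))));
        container.addVolumeMountsItem(new V1VolumeMount().name(TOKEN_VOLUME)
            .mountPath("/etc/auth").readOnly(true)); // hypothetical mount path

        // brokerClientTrustCertsSecretName: mount only the ca.crt key; skip if unset.
        if (trustCertsSecretName != null && !trustCertsSecretName.isEmpty()) {
            pod.addVolumesItem(new V1Volume().name(CA_VOLUME)
                .secret(new V1SecretVolumeSource().secretName(trustCertsSecretName)
                    .items(List.of(new V1KeyToPath().key("ca.crt").path("ca.crt")))));
            container.addVolumeMountsItem(new V1VolumeMount().name(CA_VOLUME)
                .mountPath("/etc/tls").readOnly(true)); // hypothetical mount path
        }
    }

    public static void main(String[] args) {
        V1Container c = new V1Container().name("function");
        V1PodSpec pod = new V1PodSpec().addContainersItem(c);
        addProjectedToken(pod, c, "pulsar-cluster", 3600L, "broker-ca"); // constructed values
        System.out.println(pod.getVolumes());
    }
}
```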
-
Constructor Summary
Constructors -
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| Optional<FunctionAuthData> | cacheAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, AuthenticationDataSource authenticationDataSource) | No need to cache anything. |
| void | cleanUpAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> functionAuthData) | No need to clean up anything. |
| void | configureAuthDataStatefulSet(io.kubernetes.client.openapi.models.V1StatefulSet statefulSet, Optional<FunctionAuthData> functionAuthData) | Configure function statefulset spec based on function auth data. |
| void | configureAuthenticationConfig(AuthenticationConfig authConfig, Optional<FunctionAuthData> functionAuthData) | Set authentication configs for function instance based on the data in FunctionAuthenticationSpec. |
| void | initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient) | |
| void | initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient, byte[] caBytes, Function<org.apache.pulsar.functions.proto.Function.FunctionDetails, String> namespaceCustomizerFunc, Map<String, Object> config) | |
| Optional<FunctionAuthData> | updateAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> existingFunctionAuthData, AuthenticationDataSource authenticationDataSource) | No need to update anything. |

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider:
initialize, setCaBytes, setNamespaceProviderFunc
-
Constructor Details
-
KubernetesServiceAccountTokenAuthProvider
public KubernetesServiceAccountTokenAuthProvider()
-
-
Method Details
-
initialize
public void initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient, byte[] caBytes, Function<org.apache.pulsar.functions.proto.Function.FunctionDetails, String> namespaceCustomizerFunc, Map<String, Object> config)
Specified by: initialize in interface KubernetesFunctionAuthProvider
-
configureAuthenticationConfig
public void configureAuthenticationConfig(AuthenticationConfig authConfig, Optional<FunctionAuthData> functionAuthData)
Description copied from interface: FunctionAuthProvider
Set authentication configs for function instance based on the data in FunctionAuthenticationSpec.
Specified by: configureAuthenticationConfig in interface FunctionAuthProvider
Parameters:
authConfig - authentication configs passed to the function instance
functionAuthData - function authentication data that is provider specific
-
cacheAuthData
public Optional<FunctionAuthData> cacheAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, AuthenticationDataSource authenticationDataSource) throws Exception
No need to cache anything. Kubernetes generates the token used for authentication.
Specified by: cacheAuthData in interface FunctionAuthProvider
Parameters:
funcDetails - the function details
authenticationDataSource - auth data
Returns:
Throws:
Exception
-
updateAuthData
public Optional<FunctionAuthData> updateAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> existingFunctionAuthData, AuthenticationDataSource authenticationDataSource) throws Exception
No need to update anything. Kubernetes updates the token used for authentication.
Specified by: updateAuthData in interface FunctionAuthProvider
Throws:
Exception
-
cleanUpAuthData
public void cleanUpAuthData(org.apache.pulsar.functions.proto.Function.FunctionDetails funcDetails, Optional<FunctionAuthData> functionAuthData) throws Exception
No need to clean up anything. Kubernetes cleans up the secret when the pod is deleted.
Specified by: cleanUpAuthData in interface FunctionAuthProvider
Parameters:
funcDetails - the function details
functionAuthData - function auth data
Throws:
Exception
-
initialize
public void initialize(io.kubernetes.client.openapi.apis.CoreV1Api coreClient)
Specified by: initialize in interface KubernetesFunctionAuthProvider
-
configureAuthDataStatefulSet
public void configureAuthDataStatefulSet(io.kubernetes.client.openapi.models.V1StatefulSet statefulSet, Optional<FunctionAuthData> functionAuthData)
Description copied from interface: KubernetesFunctionAuthProvider
Configure function statefulset spec based on function auth data.
Specified by: configureAuthDataStatefulSet in interface KubernetesFunctionAuthProvider
Parameters:
statefulSet - statefulset spec for function
functionAuthData - function auth data
-