JWT authentication
Authentication in KAAP Operator is controlled with JWT tokens for cluster access, and with TLS for communication between applications within the cluster.
To enable JWT Authentication, set authentication to true:
global:
auth:
enabled: true
Since the only supported authentication mechanism by the operator is JWT, it’s not required to specify JWT related options. If you want to use a different authentication mechanism, disable authentication and manually configure the authentication options in the config section.
When setting up authentication, the operator will automatically generate the secret containing a private and public key.
If you wish to use your own key pairs, disable the secret generation by setting initialize to false:
global:
auth:
enabled: true
token:
initialize: false
|
The operator expects secrets with the same name to be already present in the namespace. Secrets must be named Symmetric secret keys are not supported. |
apiVersion: v1
kind: Secret
metadata:
name: token-private-key
type: Opaque
data:
my-private.key: BASE64_ENCODED_PRIVATE_KEY
apiVersion: v1
kind: Secret
metadata:
name: token-public-key
type: Opaque
data:
my-public.key: BASE64_ENCODED_PUBLIC_KEY
The operator also generates tokens for super user roles.
By default, the super users are superuser, admin, websocket and proxy.
If you wish to use another set of super users, specify them in the superUserRoles option, along with the proxyRoles:
global:
auth:
enabled: true
token:
superUserRoles:
- superuser
- admin
- websocket
- proxy
- my-custom-user
- my-custom-proxy-user
proxyRoles:
- proxy
- my-custom-proxy-user
To generate a token for a given subject, login to the bastion pod (the bastion pod already mounts the super user token):
PULSAR_TOKEN=$(kubectl exec deployment/pulsar-bastion -- bin/pulsar tokens create --private-key token-private-key/my-private.key --subject myuser)
echo $PULSAR_TOKEN
kubectl exec deployment/pulsar-bastion -- bin/pulsar-shell -e 'admin namespaces grant-permission --role myuser --actions produce,consume public/default'
kubectl exec deployment/pulsar-bastion -- bin/pulsar-shell -e "client --auth-params \"token:$PULSAR_TOKEN\" produce -m hello public/default/topic"