Xellendor opened a new issue #102: URL: https://github.com/apache/pulsar-helm-chart/issues/102
**Describe the bug**

`functionAuthProviderClassName: org.apache.pulsar.functions.auth.KubernetesSecretsTokenAuthProvider` expects that `tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt` is mapped in the functions_worker.yaml.

=> By adding `PF_tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt` in the helm for broker config map (in case TLS is turned on) the issue is fixed.

**To Reproduce**

1.) Deploy with `tls.enabled: true` in values.yaml
2.) Create some python function with `pulsar-admin functions create ...`
3.) TLS handshake is not possible because ca.crt and tls-config are not ingested into the function pod.

**Expected behavior**

If TLS is enabled on broker, python functions should run out of the box without the need to manually adapt helm chart.

**Screenshots**

```
"Downloaded successfully" shardId=0
[2021-01-25 08:43:11 +0000] [INFO] python_instance_main.py: Starting Python instance with Namespace(client_auth_params=None, client_auth_plugin=None, cluster_name='neuron-dev01', dependency_repository=None, expected_healthcheck_interval=-1, extra_dependency_repository=None, function_details='{"tenant":"31000","namespace":"jwt","name":"f_dummy","className":"f_dummy.DummyFunction","logTopic":"31000/jwt/log_partition","runtime":"PYTHON","autoAck":true,"parallelism":1,"source":{"inputSpecs":{"31000/jwt/inputtopic":{}},"cleanupSubscription":true},"sink":{"topic":"31000/jwt/output","forwardSourceMessageProperty":true},"resources":{"cpu":1.0,"ram":"1073741824","disk":"10737418240"},"componentType":"FUNCTION"}', function_id='e0e084c9-62ef-4236-9d12-f79bf13633cd', function_version='e393f52d-3adb-4fd7-97a0-dc7aeae80c3f', hostname_verification_enabled=None, install_usercode_dependencies=True, instance_id='0', logging_config_file='/pulsar/conf/functions-logging/console_logging_config.ini', logging_directory='logs/func...
[2021-01-25 08:43:11 +0000] [INFO] log.py: Setting up producer for log topic 31000/jwt/log_partition
2021-01-25 08:43:11.555 INFO [139914923747136] ConnectionPool:85 | Created connection for pulsar+ssl://pulsar-broker:6651/
2021-01-25 08:43:11.558 INFO [139914856883968] ClientConnection:353 | [10.129.2.96:35334 -> 10.129.2.94:6651] Connected to broker
2021-01-25 08:43:11.564 ERROR [139914856883968] ClientConnection:411 | [10.129.2.96:35334 -> 10.129.2.94:6651] Handshake failed: certificate verify failed
2021-01-25 08:43:11.564 INFO [139914856883968] ClientConnection:1425 | [10.129.2.96:35334 -> 10.129.2.94:6651] Connection closed
2021-01-25 08:43:11.564 ERROR [139914856883968] ClientImpl:181 | Error Checking/Getting Partition Metadata while creating producer on persistent://31000/jwt/log_partition -- ConnectError
2021-01-25 08:43:11.564 INFO [139914856883968] ClientConnection:242 | [10.129.2.96:35334 -> 10.129.2.94:6651] Destroyed connection
```

**Desktop (please complete the following information):**

- OKD 4.6

**Additional context**

Suggested solution in pulsar/templates/broker-configmap.yaml:

```yaml
...
{{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
brokerServicePortTls: "{{ .Values.broker.ports.pulsarssl }}"
webServicePortTls: "{{ .Values.broker.ports.https }}"
# TLS Settings
tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
# For functions pods to also run TLS enabled
PF_tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
{{- end }}
...
```
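
A pre-deployment check for the gap reported above, written as an added example that is not part of the original issue or the chart's own code: it reads the flat `data` entries of a rendered broker ConfigMap and flags broker TLS settings that lack a matching `PF_tlsTrustCertsFilePath`. The sample entries are constructed (the `8443` port value is an assumption), and `parse_flat_data` and `check_function_tls` are hypothetical helper names.

```python
import re

# Constructed sample: flat `data:` entries of a rendered broker ConfigMap
# with TLS enabled but without the PF_ key proposed in the issue.
RENDERED_BEFORE = '''
brokerServicePortTls: "6651"
webServicePortTls: "8443"
# TLS Settings
tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
'''
# Same constructed sample with the line proposed in the issue appended.
RENDERED_AFTER = RENDERED_BEFORE + 'PF_tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"\n'

# key: "value" or key: value, with an optional trailing comment
ENTRY = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_flat_data(text):
    """Parse flat `key: "value"` lines; skip blank lines and comments."""
    data = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            data[m.group(1)] = m.group(2).strip()
    return data

def check_function_tls(data):
    """Return findings for function pods that would not trust the broker CA."""
    findings = []
    if "brokerServicePortTls" not in data:
        return findings  # broker TLS not enabled, nothing to check
    broker_ca = data.get("tlsTrustCertsFilePath", "")
    worker_ca = data.get("PF_tlsTrustCertsFilePath", "")
    if not worker_ca:
        findings.append("PF_tlsTrustCertsFilePath missing: function pods get no CA path")
    elif worker_ca != broker_ca:
        findings.append(f"CA path mismatch: broker={broker_ca} functions={worker_ca}")
    return findings

if __name__ == "__main__":
    for name, text in (("before", RENDERED_BEFORE), ("after", RENDERED_AFTER)):
        print(name, check_function_tls(parse_flat_data(text)) or "ok")
```
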