Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/01/27 07:14:06 UTC

[GitHub] [pulsar-helm-chart] Xellendor opened a new issue #102: Pulsar python function not working with TLS enabled

Xellendor opened a new issue #102:
URL: https://github.com/apache/pulsar-helm-chart/issues/102


   **Describe the bug**
   `functionAuthProviderClassName: org.apache.pulsar.functions.auth.KubernetesSecretsTokenAuthProvider` expects `tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt` to be mapped in functions_worker.yaml. Adding `PF_tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt` to the Helm broker config map (in case TLS is turned on) fixes the issue.
   
   **To Reproduce**
   1.) Deploy with tls.enabled: true in values.yaml
   2.) Create some python function with pulsar-admin functions create ...
   3.) The TLS handshake is not possible because ca.crt and the TLS config are not ingested into the function pod.
   
   **Expected behavior**
   If TLS is enabled on the broker, Python functions should run out of the box without the need to manually adapt the Helm chart.
   
   **Screenshots**
   "Downloaded successfully"
   shardId=0
   [2021-01-25 08:43:11 +0000] [INFO] python_instance_main.py: Starting Python instance with Namespace(client_auth_params=None, client_auth_plugin=None, cluster_name='neuron-dev01', dependency_repository=None, expected_healthcheck_interval=-1, extra_dependency_repository=None, function_details='{"tenant":"31000","namespace":"jwt","name":"f_dummy","className":"f_dummy.DummyFunction","logTopic":"31000/jwt/log_partition","runtime":"PYTHON","autoAck":true,"parallelism":1,"source":{"inputSpecs":{"31000/jwt/inputtopic":{}},"cleanupSubscription":true},"sink":{"topic":"31000/jwt/output","forwardSourceMessageProperty":true},"resources":{"cpu":1.0,"ram":"1073741824","disk":"10737418240"},"componentType":"FUNCTION"}', function_id='e0e084c9-62ef-4236-9d12-f79bf13633cd', function_version='e393f52d-3adb-4fd7-97a0-dc7aeae80c3f', hostname_verification_enabled=None, install_usercode_dependencies=True, instance_id='0', logging_config_file='/pulsar/conf/functions-logging/console_logging_config.ini', logging_directory='logs/func...
   [2021-01-25 08:43:11 +0000] [INFO] log.py: Setting up producer for log topic 31000/jwt/log_partition
   2021-01-25 08:43:11.555 INFO  [139914923747136] ConnectionPool:85 | Created connection for pulsar+ssl://pulsar-broker:6651/
   2021-01-25 08:43:11.558 INFO  [139914856883968] ClientConnection:353 | [10.129.2.96:35334 -> 10.129.2.94:6651] Connected to broker
   2021-01-25 08:43:11.564 ERROR [139914856883968] ClientConnection:411 | [10.129.2.96:35334 -> 10.129.2.94:6651] Handshake failed: certificate verify failed
   2021-01-25 08:43:11.564 INFO  [139914856883968] ClientConnection:1425 | [10.129.2.96:35334 -> 10.129.2.94:6651] Connection closed
   2021-01-25 08:43:11.564 ERROR [139914856883968] ClientImpl:181 | Error Checking/Getting Partition Metadata while creating producer on persistent://31000/jwt/log_partition -- ConnectError
   2021-01-25 08:43:11.564 INFO  [139914856883968] ClientConnection:242 | [10.129.2.96:35334 -> 10.129.2.94:6651] Destroyed connection
   
   **Desktop (please complete the following information):**
    - OKD 4.6
   
   **Additional context**
   Suggested solution in pulsar/templates/broker-configmap.yaml:
   
   ```yaml
   ...
     {{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
     brokerServicePortTls: "{{ .Values.broker.ports.pulsarssl }}"
     webServicePortTls: "{{ .Values.broker.ports.https }}"
     # TLS Settings
     tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
     tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
     tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
     # For functions pods to also run TLS enabled
     PF_tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
     {{- end }}
   ...
   ```
   


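A check for the gap reported above, added here as an example (it is not code from the issue or from the pulsar-helm-chart project): it reads the broker ConfigMap text produced by `helm template` and flags a TLS-enabled render that lacks `PF_tlsTrustCertsFilePath` or points it at a different CA file than the broker's `tlsTrustCertsFilePath`. The function names, the use of `brokerServicePortTls` as the "TLS is on" signal, and the sample rendered text are assumptions made for this example.

```python
import re

# Key names come from the template quoted in the issue; the rendered sample
# values below (ports included) are constructed for this example.
TLS_MARKER = "brokerServicePortTls"        # assumed signal that broker TLS is on
BROKER_CA = "tlsTrustCertsFilePath"
WORKER_CA = "PF_tlsTrustCertsFilePath"     # the key the issue proposes adding

_KV = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_data(rendered):
    """Collect flat `key: value` pairs from rendered ConfigMap text."""
    data = {}
    for line in rendered.splitlines():
        m = _KV.match(line)
        if m and m.group(2):
            data[m.group(1)] = m.group(2)
    return data

def check_function_tls_trust(rendered):
    """Return findings for a broker ConfigMap rendered by `helm template`."""
    data = parse_data(rendered)
    if TLS_MARKER not in data:
        return []                          # TLS off: nothing to verify
    findings = []
    broker_ca, worker_ca = data.get(BROKER_CA), data.get(WORKER_CA)
    if broker_ca is None:
        findings.append(f"{BROKER_CA} missing although TLS ports are set")
    if worker_ca is None:
        findings.append(f"{WORKER_CA} missing: function pods get no CA to verify the broker")
    elif broker_ca is not None and worker_ca != broker_ca:
        findings.append(f"{WORKER_CA}={worker_ca} differs from {BROKER_CA}={broker_ca}")
    return findings

RENDERED_BEFORE = '''
data:
  brokerServicePortTls: "6651"
  webServicePortTls: "8443"
  tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
  tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
  tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
'''
RENDERED_AFTER = RENDERED_BEFORE + '  PF_tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"\n'

if __name__ == "__main__":
    for name, text in (("before", RENDERED_BEFORE), ("after", RENDERED_AFTER)):
        print(name, check_function_tls_trust(text) or "ok")
```

Run against the chart's real rendered output in CI, a non-empty result means function pods would start without a CA to verify the broker, which is the `certificate verify failed` handshake error in the log above.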