-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Pod's Kubernetes ServiceAccount for authenticating to the pulsar cluster #125
Comments
2 tasks
I'll take a shot at implementing this and create a PR. It would be best to extend the PulsarConnection CRD to also accept a ServiceAccount, then use the TokenRequest API of kubernetes to obtain a short-lived token and use that token to connect to pulsar. It would then be the users responsibility to ensure that the resources-operator has the proper RBAC rules in place. |
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
when the pulsar is installed on the Kubernetes cluster, it can use Kubernetes service account for authenticating.
ServiceAccount can be created by injecting and Secret, and they're different from each other.
this is decoded ServiceAccount jwt token that is created using Secret. As you see, there's a missing
aud
claim, andiss
claim is different unlike ServiceAccount injected to pod. (the other have publically accessable issuer URL)missing
aud
claim makes401 authentication error
, and since there's no way to make kubernetes to addaud
claim to jwt, nor passaud
claim check on apache pulsar.so for a workaround, I suggest pulsar resource operator use its ServiceAccount token for authenticating.
The text was updated successfully, but these errors were encountered: