Add Pulsar Admin Console chart (#7)

datastax · Apr 4, 2023 · 4b9f6e8 · 4b9f6e8
1 parent 5770c11
commit 4b9f6e8
Show file tree

Hide file tree

Showing 21 changed files with 1,170 additions and 44 deletions.
diff --git a/.github/workflows/charts-ci.yaml b/.github/workflows/charts-ci.yaml
@@ -0,0 +1,61 @@
+name: Charts CI
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Fetch history
+        run: git fetch --prune --unshallow
+
+      - name: Create Kubeconfig directories
+        run: |
+          mkdir ~/.kube
+          touch ~/.kube/config
+
+      - name: Run chart-testing (lint)
+        id: lint
+        uses: helm/chart-testing-action@v1.0.0
+        with:
+          command: lint
+          config: ct-master.yaml
+
+      - name: actions-k3s
+        uses: debianmaster/actions-k3s@v1.0.1
+        id: k3s
+        with:
+          version: v1.18.2-k3s1
+
+  integration-tests:
+    name: integration-tests
+    runs-on: ubuntu-20.04
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - chart: pulsar-admin-console
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v1
+        with:
+          fetch-depth: 1
+      - uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          filters: |
+            ${{ matrix.chart }}:
+              - 'charts/${{ matrix.chart }}/**'
+     
+      - name: Run ${{ matrix.chart }} tests
+        if: steps.changes.outputs.${{ matrix.chart }} == 'true'
+        run: |
+          ./charts/tests/run-tests.sh ${{ matrix.chart }}
diff --git a/.github/workflows/non-master.yaml b/.github/workflows/non-master.yaml
diff --git a/README.md b/README.md
@@ -12,3 +12,8 @@ helm install datastax/cass-operator
 # Helm 3
 helm install cass-operator datastax/cass-operator
 ```
+
+
+## Pulsar Admin Console
+
+See [pulsar-admin-console](charts/pulsar-admin-console/README.md)
diff --git a/charts/pulsar-admin-console/Chart.yaml b/charts/pulsar-admin-console/Chart.yaml
@@ -0,0 +1,24 @@
+#
+#
+# Copyright DataStax, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v2
+name: pulsar-admin-console
+description: Helm chart for Datastax Pulsar Admin Console
+type: application
+version: 0.0.1
+appVersion: "2.1.6"
+home: https://github.com/datastax/pulsar-admin-console
diff --git a/charts/pulsar-admin-console/README.md b/charts/pulsar-admin-console/README.md
@@ -0,0 +1,149 @@
+# Admin Console for Apache Pulsar
+
+This is the chart for the [Datastax Pulsar Admin Console](https://github.com/datastax/pulsar-admin-console/).
+
+## Managing Pulsar using Admin Console
+
+```
+helm repo add datastax https://datastax.github.io/charts
+helm repo update
+helm install pulsar-admin-console datastax/pulsar-admin-console
+```
+
+### Connect to the Pulsar cluster
+
+The console needs the Apache Pulsar cluster coordinates:
+
+```
+config:
+  server_config:
+    pulsar_url: "http://pulsar-broker:8080"    
+    websocket_url: "ws://pulsar-proxy-ws:8000"
+    function_worker_url: "http://pulsar-function:6750"
+```
+
+If the cluster is protected by authentication, you'll need to provide the Pulsar admin token to use. (only jwt supported).
+The recommended way is to mount a super user token in the console container.
+```
+additionalVolumes:
+    - name: token-superuser
+        secret:
+            secretName: token-superuser
+
+additionalVolumeMounts:
+    - name: token-superuser
+      mountPath: /pulsar-token
+
+config:
+    server_config:
+        token_path: /pulsar-token
+```
+
+Alternatively, you can specify the token in the values via the `config.server_config.admin_token` (not recommended for production environment).
+
+Note that the client will receive the token after being authenticated in the admin console.
+
+
+### Admin Console authentication
+
+By default, the admin console has authentication disabled. 
+There are multiple ways to setup authentication. The configuration follows the `config.auth_mode` value.
+See more [here](https://github.com/datastax/pulsar-admin-console/#auth-modes).
+
+#### User/Password
+You can set a fixed user credentials directly in the values file.
+
+```
+config:
+  auth_mode: "user"
+  server_config:
+    user_auth:
+      username: "admin"
+      password: "mypass"
+```
+
+#### Kubernetes secret
+
+You can instruct the console to looking for user credentials in the Kubernetes secrets.
+
+```
+config:
+    auth_mode: "k8s"
+```
+
+
+When `k8s` authentication mode is enabled, the admin console gets the users from Kubernetes secrets that start with `dashboard-user-` in the same namespace where it is deployed. The text that follows the prefix is the username. For example, for a user `admin` you need to have a secret `dashboard-user-admin`. The secret data must have a key named `password` with the base-64 encoded password. The following command will create a secret for a user `admin` with a password of `password`:
+
+```
+kubectl create secret generic dashboard-user-admin --from-literal=password=password
+```
+
+You can create multiple users for the admin console by creating multiple secrets. To change the password for a user, delete the secret then recreate it with a new password:
+
+```
+kubectl delete secret dashboard-user-admin
+kubectl create secret generic dashboard-user-admin --from-literal=password=newpassword
+```
+
+For convenience, the chart is able to create an initial user for the admin console with the following settings:
+
+```
+createUserSecret:
+  enabled: true
+  user: admin
+  password: mypassword
+```
+
+
+#### KeyCloak (OpenID Connect)
+
+When using the openidconnect auth mode, the auth call needs to go to the Provider's server `identity_provider_url`.
+The following example assumes that:
+- the KeyCloak instance is reachable at `http://keycloak-service:80`
+- the realm is `pulsar`
+- there's a client id configured called `pulsar-admin-console`
+
+```
+config:
+    auth_mode: "openidconnect"
+    # The client id used when authenticating with keycloak
+    oauth_client_id: "pulsar-admin-console"
+    oauth2:
+        identity_provider_url: "http://keycloak-service:80"
+        token_endpoint: "/realms/pulsar/protocol/openid-connect/token"
+```
+
+
+### Accessing Admin Console on your local machine
+To access the Pulsar admin console on your local machine on port 8080:
+
+```
+kubectl port-forward $(kubectl get pods -l app.kubernetes.io/name=pulsar-admin-console -o jsonpath='{.items[0].metadata.name}') 8080:8080
+```
+
+### Accessing Admin Console from cloud provider
+To access Pulsar admin console from a cloud provider, the chart supports [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). Your Kubernetes cluster must have a running Ingress controller (ex Nginx, Traefik, etc.).
+
+Set these values to configure the Ingress for the admin console:
+
+```
+ingress:
+    enabled: true
+    hosts:
+    - pulsar-ui.example.com
+```
+
+### Secure the admin console with TLS
+To setup https you'll need to enable the `config.ssl` section.
+
+```
+config:
+    server_config:
+        ssl:
+            enabled: true
+```
+
+Automatically the service port will switch from 8080 to 8443.
+
+### Advanced configuration
+For a more detailed explanation, you can look at the [Configuration Reference](https://github.com/datastax/pulsar-admin-console/#configuration-reference).
diff --git a/charts/pulsar-admin-console/templates/_helpers.tpl b/charts/pulsar-admin-console/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pulsar-admin-console.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pulsar-admin-console.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pulsar-admin-console.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "pulsar-admin-console.labels" -}}
+helm.sh/chart: {{ include "pulsar-admin-console.chart" . }}
+{{ include "pulsar-admin-console.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "pulsar-admin-console.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "pulsar-admin-console.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "pulsar-admin-console.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "pulsar-admin-console.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}