[functions] Default functionAuthProvider when running in k8s (apache#…

…6203)

In 2.4.x, when running with the KubernetesRuntime, it default to always
using the KubernetesSecretAuthProvider class. With the change in 2.5 to
making this behavior pluggable, there is currently a bug in that it
doesn't keep this behavior and requires a new configuration option to be
passed.

This commit changes the config so that it defaults to the correct class
when we are running with a kubernetes runtime. This restores the
behavior match that of earlier versions

This also moves the WorkerConfig test to the same package where the
workerConfig resides after the refactor and re-arranges the resources
files and copied via a maven task

Co-authored-by: Addison Higham <[email protected]>

pulsar-functions/runtime/pom.xml

@@ -81,4 +81,33 @@
 
   </dependencies>
 
+  <build>
+    <plugins>
+      <!-- this task will copy config files to resources for the test to work -->
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <goal>run</goal>
+            </goals>
+            <configuration>
+              <tasks>
+                <echo>copy test config files</echo>
+                <mkdir dir="${basedir}/src/test/resources"/>
+                <copy todir="${basedir}/src/test/resources/">
+                  <fileset dir="${basedir}/../src/test/resources/">
+                    <include name="*.yml"/>
+                  </fileset>
+                </copy>
+              </tasks>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
 </project>

pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java

@@ -35,6 +35,8 @@
 import java.util.Properties;
 import java.util.Set;
 
+import lombok.AccessLevel;
+import lombok.Getter;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider;
 import org.apache.pulsar.common.configuration.Category;
@@ -44,6 +46,8 @@
 
 import lombok.Data;
 import lombok.experimental.Accessors;
+import org.apache.pulsar.functions.auth.KubernetesSecretsTokenAuthProvider;
+import org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactory;
 import org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactoryConfig;
 import org.apache.pulsar.functions.runtime.process.ProcessRuntimeFactoryConfig;
 import org.apache.pulsar.functions.runtime.thread.ThreadRuntimeFactory;
@@ -363,7 +367,20 @@ public boolean getTlsEnabled() {
                     "  The Function Authentication Provider is responsible to distributing the necessary" +
                     " authentication information to individual functions e.g. user tokens"
     )
-    private String functionAuthProviderClassName;
+    @Getter(AccessLevel.NONE) private String functionAuthProviderClassName;
+
+    public String getFunctionAuthProviderClassName() {
+        // if we haven't set a value and are running kubernetes, we default to the SecretsTokenAuthProvider
+        // as that matches behavior before this property could be overridden
+        if (!StringUtils.isEmpty(functionAuthProviderClassName)) {
+            return functionAuthProviderClassName;
+        } else {
+            if (StringUtils.equals(this.getFunctionRuntimeFactoryClassName(), KubernetesRuntimeFactory.class.getName()) || getKubernetesContainerFactory() != null) {
+                return KubernetesSecretsTokenAuthProvider.class.getName();
+            }
+            return null;
+        }
+    }
 
     @FieldContext(
             doc = "The full class-name of an instance of RuntimeCustomizer." +

pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerApiV2ResourceConfigTest.java → pulsar-functions/runtime/src/test/java/org/apache/pulsar/functions/worker/WorkerApiV2ResourceConfigTest.java

@@ -19,8 +19,13 @@
 package org.apache.pulsar.functions.worker;
 
 import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNull;
 
 import java.net.URL;
+
+import org.apache.pulsar.functions.auth.KubernetesSecretsTokenAuthProvider;
+import org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactory;
+import org.apache.pulsar.functions.worker.WorkerConfig;
 import org.testng.annotations.Test;
 
 /**
@@ -60,4 +65,28 @@ public void testLoadWorkerConfig() throws Exception {
         assertEquals(new Integer(7654), wc.getWorkerPort());
     }
 
+    @Test
+    public void testFunctionAuthProviderDefaults() throws Exception {
+        URL emptyUrl = getClass().getClassLoader().getResource("test_worker_config.yml");
+        WorkerConfig emptyWc = WorkerConfig.load(emptyUrl.toURI().getPath());
+        assertNull(emptyWc.getFunctionAuthProviderClassName());
+
+        URL newK8SUrl = getClass().getClassLoader().getResource("test_worker_k8s_config.yml");
+        WorkerConfig newK8SWc = WorkerConfig.load(newK8SUrl.toURI().getPath());
+        assertEquals(newK8SWc.getFunctionRuntimeFactoryClassName(), KubernetesRuntimeFactory.class.getName());
+        assertEquals(newK8SWc.getFunctionAuthProviderClassName(), KubernetesSecretsTokenAuthProvider.class.getName());
+
+        URL legacyK8SUrl = getClass().getClassLoader().getResource("test_worker_k8s_legacy_config.yml");
+        WorkerConfig legacyK8SWc = WorkerConfig.load(legacyK8SUrl.toURI().getPath());
+        assertEquals(legacyK8SWc.getFunctionAuthProviderClassName(), KubernetesSecretsTokenAuthProvider.class.getName());
+
+        URL overrideK8SUrl = getClass().getClassLoader().getResource("test_worker_k8s_auth_override_config.yml");
+        WorkerConfig overrideK8SWc = WorkerConfig.load(overrideK8SUrl.toURI().getPath());
+        assertEquals(overrideK8SWc.getFunctionAuthProviderClassName(), "org.apache.my.overridden.auth");
+
+        URL emptyOverrideUrl = getClass().getClassLoader().getResource("test_worker_auth_override_config.yml");
+        WorkerConfig emptyOverrideWc = WorkerConfig.load(emptyOverrideUrl.toURI().getPath());
+        assertEquals(emptyOverrideWc.getFunctionAuthProviderClassName(),"org.apache.my.overridden.auth");
+    }
+
 }

pulsar-functions/src/test/resources/test_worker_auth_override_config.yml

@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+workerId: test-worker
+workerPort: 7654
+pulsarServiceUrl: pulsar://localhost:6650
+functionMetadataTopicName: test-function-metadata-topic
+numFunctionPackageReplicas: 3
+functionAuthProviderClassName: "org.apache.my.overridden.auth"
+

pulsar-functions/src/test/resources/test_worker_k8s_auth_override_config.yml

@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+workerId: test-worker
+workerPort: 7654
+pulsarServiceUrl: pulsar://localhost:6650
+functionMetadataTopicName: test-function-metadata-topic
+numFunctionPackageReplicas: 3
+functionRuntimeFactoryClassName: "org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactory"
+functionAuthProviderClassName: "org.apache.my.overridden.auth"
+

pulsar-functions/src/test/resources/test_worker_k8s_config.yml

@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+workerId: test-worker
+workerPort: 7654
+pulsarServiceUrl: pulsar://localhost:6650
+functionMetadataTopicName: test-function-metadata-topic
+numFunctionPackageReplicas: 3
+functionRuntimeFactoryClassName: "org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactory"
+

pulsar-functions/src/test/resources/test_worker_k8s_legacy_config.yml

@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+workerId: test-worker
+workerPort: 7654
+pulsarServiceUrl: pulsar://localhost:6650
+functionMetadataTopicName: test-function-metadata-topic
+numFunctionPackageReplicas: 3
+kubernetesContainerFactory:
+  k8Uri: "http://test"
+
+

pulsar-functions/worker/pom.xml

@@ -149,7 +149,7 @@
 
   <build>
     <plugins>
-      <!-- this task will copy nar files to resources for the test to work -->
+      <!-- this task will copy nar files and config files to resources for the test to work -->
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-antrun-plugin</artifactId>
@@ -167,6 +167,13 @@
                 <echo>copy test source package</echo>
                 <mkdir dir="${basedir}/src/test/resources"/>
                 <copy file="${basedir}/../../pulsar-io/twitter/target/pulsar-io-twitter-${project.version}.nar" tofile="${basedir}/src/test/resources/pulsar-io-twitter.nar"/>
+                <echo>copy test config files</echo>
+                <mkdir dir="${basedir}/src/test/resources"/>
+                <copy todir="${basedir}/src/test/resources/">
+                  <fileset dir="${basedir}/../src/test/resources/">
+                    <include name="*.yml"/>
+                  </fileset>
+                </copy>
               </tasks>
             </configuration>
           </execution>