There are a few issues at play here:

- The `certconverter` routine requires `openssl`, which isn't installed in upstream images.
- `certconverter` also expects to write to `/pulsar`, which is not writable by the `pulsar` (uid `10000`) user on the upstream images.
- The TLS configuration for Zookeeper disables support for `TLSv1.3`, which is the default client cipher suite on the upstream images. This causes the `pulsar-zookeeper-metadata` job to fail to bootstrap the cluster.
These can be worked around by crafting a custom image with a Dockerfile like so:

```Dockerfile
FROM apachepulsar/pulsar:3.3.1
USER 0
RUN apk add --no-cache openssl
RUN chown pulsar:root -R /pulsar
USER 10000
```
And then setting these keys on the Zookeeper config:

```yaml
zookeeper:
  config:
    ssl.protocol: TLSv1.3
    ssl.quorum.protocol: TLSv1.3
    ssl.enabledProtocols: TLSv1.3,TLSv1.2
```
To fix these issues I propose doing the cert conversion in an `initContainer` using a minimal Java + OpenSSL image, which will decouple the TLS support from the choice of Pulsar image. I don't know what the best course of action is for the Zookeeper TLS settings.
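The initContainer approach proposed above, sketched as an added example that is not from this issue or the chart it concerns: the conversion runs in a separate container writing into a shared in-memory volume, so the upstream Pulsar image needs neither `openssl` nor a writable `/pulsar`. The image name, secret names, file names and mount paths are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: zookeeper-tls-example
spec:
  securityContext:
    runAsUser: 10000
    runAsNonRoot: true
    fsGroup: 10000                   # lets uid 10000 read the mounted secret files
  volumes:
    - name: tls-pem                  # PEM cert/key/CA, e.g. issued by cert-manager (assumed secret name)
      secret:
        secretName: zookeeper-tls
        defaultMode: 0440
    - name: tls-keystores            # conversion output; memory-backed so keys never land on node disk
      emptyDir:
        medium: Memory
  initContainers:
    - name: certconverter
      image: java-openssl:placeholder  # any minimal image shipping both openssl and keytool (assumed)
      env:
        - name: STORE_PASS
          valueFrom:
            secretKeyRef:
              name: zookeeper-keystore-pass   # assumed secret holding the store password
              key: password
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          # Bundle the node certificate and private key into a PKCS12 keystore.
          openssl pkcs12 -export -in /pem/tls.crt -inkey /pem/tls.key \
            -name zookeeper -out /stores/keystore.p12 -passout env:STORE_PASS
          # Build a PKCS12 truststore containing only the cluster CA.
          keytool -importcert -noprompt -alias ca -file /pem/ca.crt \
            -keystore /stores/truststore.p12 -storetype PKCS12 -storepass "$STORE_PASS"
          chmod 0400 /stores/*.p12
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true   # only the mounted emptyDir is written
      volumeMounts:
        - { name: tls-pem, mountPath: /pem, readOnly: true }
        - { name: tls-keystores, mountPath: /stores }
  containers:
    - name: zookeeper
      image: apachepulsar/pulsar:3.3.1   # unmodified upstream image: no openssl, no writable /pulsar needed
      # launch as the chart does, pointing ssl.keyStore.location / ssl.trustStore.location at /stores
      volumeMounts:
        - { name: tls-keystores, mountPath: /stores, readOnly: true }
```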