lhotari commented on PR #25872: URL: https://github.com/apache/pulsar/pull/25872#issuecomment-4616680019
@iantowey Thanks for the contribution. This has been merged. Some questions about the context of this PR: What higher level goal are you planning to achieve with this PR? Regarding the use case "This change solves the problem by allowing users to customize the domain suffix, enabling external Function Workers to route traffic to function instances via an external Gateway or Ingress.". Just wondering what other parts of configuration are needed to achieve this. The default Pulsar Functions KubernetesRuntime doesn't directly expose ways to configure the Function Worker's Kubernetes Client authentication. How would you configure the Function Worker to create the function instances in another Kubernetes cluster? It's possible to set `k8Uri` in the config, but that's not helpful without having the ability to configure authentication. There seems to be a way to workaround it by using `KUBECONFIG` env variable so that the configuration of the target k8s cluster for the functions could be configured, at least in theory. One notable detail of the GRPC connection from the Function Worker to the Function Instances is that it doesn't use authentication or TLS (it uses plaintext GRPC). The same applies to the exposed Prometheus metrics. Regarding security of Pulsar Functions, the provided solution in Apache Pulsar and Apache Pulsar Helm chart assume that the deployed solution is used by trusted users running trusted code, isolated with network perimeter security. Some notes of this [were recently added to SECURITY.md](https://github.com/apache/pulsar/blob/master/SECURITY.md#security-model-and-scope). There are hooks to harden the security, but this is not covered currently. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
