There are a few issues at play here:

- The `certconverter` routine requires `openssl`, which isn't installed in upstream images.
- `certconverter` also expects to write to `/pulsar`, which is not writable by the `pulsar` (uid `10000`) user on the upstream images.
- The TLS configuration for Zookeeper disables support for `TLSv1.3`, which is the default client cipher suite on the upstream images. This causes the `pulsar-zookeeper-metadata` job to fail to bootstrap the cluster.

These can be worked around by crafting a custom image with a Dockerfile like so:
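```dockerfile
FROM apachepulsar/pulsar:3.3.1
# Switch to root to install packages and change ownership
USER 0
# certconverter needs the openssl binary
RUN apk add --no-cache openssl
# Make /pulsar writable by the pulsar user
RUN chown pulsar:root -R /pulsar
# Drop back to the unprivileged pulsar user
USER 10000
```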
And then setting these keys on the Zookeeper config:
To fix these issues I propose doing the cert conversion in an `initContainer` using a minimal Java + OpenSSL image that will decouple the TLS support from the choice of Pulsar image. I don't know what the best course of action is for the Zookeeper TLS settings.