From cd958959da2d2c18ec6c03cb17e6b714ab4da0dc Mon Sep 17 00:00:00 2001 From: Yi Chen Date: Mon, 14 Apr 2025 14:49:13 +0800 Subject: [PATCH 1/3] Refactor Helm chart 
Signed-off-by: Yi Chen --- helm/flink-kubernetes-operator/Chart.yaml | 9 +- .../templates/_helpers.tpl | 141 +------ .../templates/certmanager/_helpers.tpl | 17 + .../templates/certmanager/certificate.yaml | 45 +++ .../templates/certmanager/issuer.yaml | 25 ++ .../templates/controller/_helpers.tpl | 17 + .../templates/controller/configmap.yaml | 56 +++ .../templates/controller/deployment.yaml | 279 ++++++++++++++ .../templates/flink-operator.yaml | 302 --------------- .../templates/flink/_helpers.tpl | 50 +++ .../templates/flink/role.yaml | 36 ++ .../templates/flink/role_binding.yaml | 43 +++ .../templates/rbac.yaml | 351 ------------------ .../templates/rbac/_helpers.tpl | 202 ++++++++++ .../templates/rbac/cluster_role.yaml | 28 ++ .../templates/rbac/cluster_role_binding.yaml | 35 ++ .../templates/rbac/role.yaml | 60 +++ .../templates/rbac/role_binding.yaml | 61 +++ .../service_account.yaml} | 34 +- .../templates/webhook.yaml | 157 -------- .../templates/webhook/_helpers.tpl | 57 +++ .../mutating_webhook_configuration.yaml | 56 +++ .../templates/webhook/secret.yaml | 28 ++ .../templates/webhook/service.yaml | 35 ++ .../validating_webhook_configuration.yaml | 57 +++ helm/flink-kubernetes-operator/values.yaml | 69 ++-- 26 files changed, 1271 insertions(+), 979 deletions(-) create mode 100644 helm/flink-kubernetes-operator/templates/certmanager/_helpers.tpl create mode 100644 helm/flink-kubernetes-operator/templates/certmanager/certificate.yaml create mode 100644 helm/flink-kubernetes-operator/templates/certmanager/issuer.yaml create mode 100644 helm/flink-kubernetes-operator/templates/controller/_helpers.tpl create mode 100644 helm/flink-kubernetes-operator/templates/controller/configmap.yaml create mode 100644 helm/flink-kubernetes-operator/templates/controller/deployment.yaml delete mode 100644 helm/flink-kubernetes-operator/templates/flink-operator.yaml create mode 100644 helm/flink-kubernetes-operator/templates/flink/_helpers.tpl create mode 100644 
helm/flink-kubernetes-operator/templates/flink/role.yaml create mode 100644 helm/flink-kubernetes-operator/templates/flink/role_binding.yaml delete mode 100644 helm/flink-kubernetes-operator/templates/rbac.yaml create mode 100644 helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl create mode 100644 helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml create mode 100644 helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml create mode 100644 helm/flink-kubernetes-operator/templates/rbac/role.yaml create mode 100644 helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml rename helm/flink-kubernetes-operator/templates/{serviceaccount.yaml => rbac/service_account.yaml} (59%) delete mode 100644 helm/flink-kubernetes-operator/templates/webhook.yaml create mode 100644 helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl create mode 100644 helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml create mode 100644 helm/flink-kubernetes-operator/templates/webhook/secret.yaml create mode 100644 helm/flink-kubernetes-operator/templates/webhook/service.yaml create mode 100644 helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml diff --git a/helm/flink-kubernetes-operator/Chart.yaml b/helm/flink-kubernetes-operator/Chart.yaml index 6b0edda808..260aab8eb6 100644 --- a/helm/flink-kubernetes-operator/Chart.yaml +++ b/helm/flink-kubernetes-operator/Chart.yaml @@ -16,11 +16,18 @@ # limitations under the License. ################################################################################ ---- apiVersion: v2 + name: flink-kubernetes-operator + description: A Helm chart for the Apache Flink Kubernetes Operator + type: application + version: 1.12-SNAPSHOT + appVersion: 1.12-SNAPSHOT + +home: https://github.com/apache/flink-kubernetes-operator + icon: https://flink.apache.org/img/logo/png/50/color_50.png 
diff --git a/helm/flink-kubernetes-operator/templates/_helpers.tpl b/helm/flink-kubernetes-operator/templates/_helpers.tpl index 3456ab46cc..c3b7db63f2 100644 --- a/helm/flink-kubernetes-operator/templates/_helpers.tpl +++ b/helm/flink-kubernetes-operator/templates/_helpers.tpl 
@@ -1,20 +1,20 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} {{/* Expand the name of the chart. 
@@ -78,73 +78,6 @@ Create the path of the operator image to use {{- end }} {{- end }} -{{/* -Create the name of the operator role to use -*/}} -{{- define "flink-operator.roleName" -}} -{{- if .Values.rbac.operatorRole.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }} -{{- else }} -{{- default "default" .Values.rbac.operatorRole.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the operator role binding to use -*/}} -{{- define "flink-operator.roleBindingName" -}} -{{- if .Values.rbac.operatorRoleBinding.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRoleBinding.name }} -{{- else }} -{{- default "default" .Values.rbac.operatorRoleBinding.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job role to use -*/}} -{{- define "flink-operator.jobRoleName" -}} -{{- if .Values.rbac.jobRoleBinding.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }} -{{- else }} -{{- default "default" .Values.rbac.jobRole.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job role to use -*/}} -{{- define "flink-operator.jobRoleBindingName" -}} -{{- if .Values.rbac.jobRole.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }} -{{- else }} -{{- default "default" .Values.rbac.jobRoleBinding.name }} -{{- end }} -{{- end }} - - -{{/* -Create the name of the operator service account to use -*/}} -{{- define "flink-operator.serviceAccountName" -}} -{{- if .Values.operatorServiceAccount.create }} -{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }} -{{- else }} -{{- default "default" .Values.operatorServiceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job service account to use -*/}} -{{- define "flink-operator.jobServiceAccountName" -}} -{{- if .Values.jobServiceAccount.create }} -{{- default (include "flink-operator.fullname" .) 
.Values.jobServiceAccount.name }} -{{- else }} -{{- default "default" .Values.jobServiceAccount.name }} -{{- end }} -{{- end }} - {{/* Determine role scope based on name */}} @@ -155,43 +88,3 @@ Determine role scope based on name {{- printf "Role" }} {{- end }} {{- end }} - -{{- define "flink-operator.validating-webhook-enabled" -}} -{{- if hasKey .Values.webhook "validator" }} -{{- if .Values.webhook.validator.create }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- else }} -{{- if or (.Values.webhook.create) }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "flink-operator.mutating-webhook-enabled" -}} -{{- if hasKey .Values.webhook "mutator" }} -{{- if .Values.webhook.mutator.create }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- else }} -{{- if or (.Values.webhook.create) }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "flink-operator.webhook-enabled" -}} -{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/certmanager/_helpers.tpl b/helm/flink-kubernetes-operator/templates/certmanager/_helpers.tpl new file mode 100644 index 0000000000..e33d079f30 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/certmanager/_helpers.tpl 
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
diff --git a/helm/flink-kubernetes-operator/templates/certmanager/certificate.yaml b/helm/flink-kubernetes-operator/templates/certmanager/certificate.yaml
new file mode 100644
index 0000000000..9bc0a8ab20
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/certmanager/certificate.yaml
@@ -0,0 +1,45 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: flink-operator-serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ keystores:
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ {{- if .Values.webhook.keystore.useDefaultPassword }}
+ name: flink-operator-webhook-secret
+ key: password
+ {{- else }}
+ {{- with .Values.webhook.keystore.passwordSecretRef }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: flink-operator-selfsigned-issuer
+ commonName: FlinkDeployment Validator
+ secretName: webhook-server-cert
diff --git a/helm/flink-kubernetes-operator/templates/certmanager/issuer.yaml b/helm/flink-kubernetes-operator/templates/certmanager/issuer.yaml
new file mode 100644
index 0000000000..b282045080
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/certmanager/issuer.yaml
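Review bot: The Certificate is rendered unconditionally — after the license comment the manifest begins at `apiVersion: cert-manager.io/v1` with no enclosing condition — so it is emitted even when both webhooks are disabled, and on a cluster without cert-manager the install then fails on the unknown `Certificate` kind. deployment.yaml in this same patch still gates the webhook container and the `webhook-server-cert` volume on `eq (include "flink-operator.webhook-enabled" .) "true"`, so the same guard presumably belongs here: `{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}` before `apiVersion:` and a closing `{{- end }}` after `secretName: webhook-server-cert`. The issuer.yaml hunk that follows has the same gap and wants the same guard. If a later patch in this 3-part series adds the gate, saying so in the commit message would help reviewers.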
@@ -0,0 +1,25 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: flink-operator-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
diff --git a/helm/flink-kubernetes-operator/templates/controller/_helpers.tpl b/helm/flink-kubernetes-operator/templates/controller/_helpers.tpl
new file mode 100644
index 0000000000..e33d079f30
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/controller/_helpers.tpl
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
diff --git a/helm/flink-kubernetes-operator/templates/controller/configmap.yaml b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
new file mode 100644
index 0000000000..50b7fc10e7
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
@@ -0,0 +1,56 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.defaultConfiguration.create }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: flink-operator-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . 
| nindent 4 }} +data: + flink-conf.yaml: |+ +{{- if .Values.defaultConfiguration.append }} + {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}} +{{- end }} +{{- if index (.Values.defaultConfiguration) "flink-conf.yaml" }} + {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}} +{{- end }} +{{- if .Values.watchNamespaces }} + kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }} +{{- end }} +{{- if index .Values "operatorHealth" }} + kubernetes.operator.health.probe.enabled: true + kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }} +{{- end }} + log4j-operator.properties: |+ +{{- if .Values.defaultConfiguration.append }} + {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}} +{{- end }} +{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }} + {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}} +{{- end }} + log4j-console.properties: |+ +{{- if .Values.defaultConfiguration.append }} + {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}} +{{- end }} +{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }} + {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/controller/deployment.yaml b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml new file mode 100644 index 0000000000..0bf83892fb --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml 
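Review bot: The health block keeps the old `{{- if index .Values "operatorHealth" }}` form while the new deployment.yaml in this patch tests the same key as `{{- if .Values.operatorHealth }}`, so the two templates now differ in how an optional top-level values key is probed. Both forms yield nil for a missing key on `.Values`, so switching this line to `{{- if .Values.operatorHealth }}` would keep the chart consistent without changing output. The rest of the ConfigMap reads as a verbatim move from the deleted flink-operator.yaml.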
@@ -0,0 +1,279 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "flink-operator.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} + {{- with .Values.operatorPod.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicas }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "flink-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "flink-operator.selectorLabels" . | nindent 8 }} + {{- with .Values.operatorPod.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + kubectl.kubernetes.io/default-container: {{ .Chart.Name }} + {{- with .Values.operatorPod.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: {{ .Chart.Name }} + image: {{ include "flink-operator.imagePath" . }} + {{- with .Values.image.pullPolicy }} + imagePullPolicy: {{ . 
}} + {{- end }} + command: + - /docker-entrypoint.sh + - operator + ports: + {{- if .Values.metrics.port }} + - containerPort: {{ .Values.metrics.port }} + name: metrics + protocol: TCP + {{- end }} + {{- if .Values.operatorHealth }} + - containerPort: {{ .Values.operatorHealth.port }} + name: health-port + protocol: TCP + {{- end }} + env: + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: {{ include "flink-operator.name" . }} + - name: FLINK_CONF_DIR + value: /opt/flink/conf + - name: FLINK_PLUGINS_DIR + value: /opt/flink/plugins + - name: LOG_CONFIG + value: -Dlog4j.configurationFile=/opt/flink/conf/log4j-operator.properties + - name: JVM_ARGS + value: {{ .Values.jvmArgs.operator }} + {{- if .Values.tls.create }} + - name: OPERATOR_KEYSTORE_PATH + value: /opt/flink/tls-cert/keystore.jks + - name: OPERATOR_TRUSTSTORE_PATH + value: /opt/flink/tls-cert/truststore.jks + - name: OPERATOR_KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + {{- toYaml .Values.tls.secretKeyRef | nindent 14 }} + optional: true + {{- end }} + {{- with .Values.operatorPod.env }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.envFrom }} + envFrom: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.operatorSecurityContext }} + securityContext: + {{- toYaml . 
| nindent 10 }} + {{- end }} + volumeMounts: + - name: flink-operator-config-volume + mountPath: /opt/flink/conf + {{- if .Values.operatorVolumeMounts.create }} + {{- toYaml .Values.operatorVolumeMounts.data | nindent 8 }} + {{- else }} + - name: flink-artifacts-volume + mountPath: /opt/flink/artifacts + {{- end }} + {{- if .Values.tls.create }} + - name: flink-operator-cert-secret + mountPath: /opt/flink/tls-cert + {{- end }} + {{- with .Values.operatorHealth.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 10 }} + httpGet: + path: / + port: health-port + {{- end }} + {{- with .Values.operatorHealth.startupProbe }} + startupProbe: + {{- toYaml . | nindent 10 }} + httpGet: + path: / + port: health-port + {{- end }} + {{- with .Values.postStart }} + lifecycle: + postStart: + {{- toYaml . | nindent 14 }} + {{- end }} + {{- if eq (include "flink-operator.webhook-enabled" .) "true" }} + - name: flink-webhook + image: {{ include "flink-operator.imagePath" . }} + {{- with .Values.image.pullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + command: + - /docker-entrypoint.sh + - webhook + env: + - name: WEBHOOK_KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.webhook.keystore.useDefaultPassword }} + name: flink-operator-webhook-secret + key: password + {{- else }} + {{- with .Values.webhook.keystore.passwordSecretRef }} + {{- toYaml . | nindent 14 }} + {{- end }} + {{- end }} + - name: WEBHOOK_KEYSTORE_FILE + value: "/certs/keystore.p12" + - name: WEBHOOK_KEYSTORE_TYPE + value: "pkcs12" + - name: WEBHOOK_SERVER_PORT + value: "9443" + - name: LOG_CONFIG + value: -Dlog4j.configurationFile=/opt/flink/conf/log4j-operator.properties + - name: JVM_ARGS + value: {{ .Values.jvmArgs.webhook }} + - name: FLINK_CONF_DIR + value: /opt/flink/conf + - name: FLINK_PLUGINS_DIR + value: /opt/flink/plugins + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.operatorPod.webhook.container.env }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.webhook.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.webhookSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: keystore + mountPath: /certs + readOnly: true + - name: flink-operator-config-volume + mountPath: /opt/flink/conf + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: flink-operator-config-volume + configMap: + name: flink-operator-config + items: + - key: flink-conf.yaml + path: flink-conf.yaml + - key: log4j-operator.properties + path: log4j-operator.properties + - key: log4j-console.properties + path: log4j-console.properties + {{- if .Values.operatorVolumes.create }} + {{- toYaml .Values.operatorVolumes.data | nindent 6 }} + {{- else }} + - name: flink-artifacts-volume + emptyDir: {} + {{- end }} + {{- if eq (include "flink-operator.webhook-enabled" .) "true" }} + - name: keystore + secret: + secretName: webhook-server-cert + items: + - key: keystore.p12 + path: keystore.p12 + {{- end }} + {{- if .Values.tls.create }} + - name: flink-operator-cert-secret + secret: + secretName: {{ .Values.tls.secretName }} + optional: true + {{- end }} + {{- with .Values.operatorPod.dnsPolicy }} + dnsPolicy: {{ . | quote }} + {{- end }} + {{- with .Values.operatorPod.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operatorPod.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.operatorPod.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ include "flink-operator.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/helm/flink-kubernetes-operator/templates/flink-operator.yaml b/helm/flink-kubernetes-operator/templates/flink-operator.yaml deleted file mode 100644 index 9621f8f0bd..0000000000 --- a/helm/flink-kubernetes-operator/templates/flink-operator.yaml +++ /dev/null 
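Review bot: `{{- with .Values.operatorHealth.livenessProbe }}` and `{{- with .Values.operatorHealth.startupProbe }}` dereference `operatorHealth` without checking that it is set, whereas the ports block earlier in the same container guards with `{{- if .Values.operatorHealth }}` and the deleted flink-operator.yaml used `and (index .Values "operatorHealth") (index .Values.operatorHealth "livenessProbe")`. A values file that sets `operatorHealth: null` to turn the probe off now aborts rendering with a nil-pointer evaluation error instead of omitting the probes. Guarding the lookup restores the old tolerance, e.g. `{{- with (default dict .Values.operatorHealth).livenessProbe }}` and the same for `startupProbe`. The remainder of the hunk reads as a faithful move of the old Deployment, with the webhook keystore mount kept `readOnly: true` and the JKS mount still gated on `tls.create`.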
@@ -1,302 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "flink-operator.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - {{- if index (.Values.operatorPod) "labels" }} - {{- with .Values.operatorPod.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} -spec: - replicas: {{ .Values.replicas }} - strategy: - {{- toYaml .Values.strategy | nindent 4 }} - selector: - matchLabels: - {{- include "flink-operator.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "flink-operator.selectorLabels" . | nindent 8 }} - {{- if index (.Values.operatorPod) "labels" }} - {{- with .Values.operatorPod.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - annotations: - kubectl.kubernetes.io/default-container: {{ .Chart.Name }} - {{- if index (.Values.operatorPod) "annotations" }} - {{- with .Values.operatorPod.annotations }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- with .Values.operatorPod.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.operatorPod.nodeSelector }} - nodeSelector: {{ toYaml .Values.operatorPod.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.operatorPod.affinity }} - affinity: {{ toYaml .Values.operatorPod.affinity | nindent 8 }} - {{- end }} - {{- with .Values.operatorPod.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "flink-operator.serviceAccountName" . }} - {{- if .Values.operatorPod.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.operatorPod.topologySpreadConstraints | nindent 8 }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ include "flink-operator.imagePath" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/docker-entrypoint.sh", "operator"] - ports: - {{- if .Values.metrics.port }} - - containerPort: {{ .Values.metrics.port }} - name: metrics - protocol: TCP - {{- end }} - {{- if index .Values "operatorHealth" }} - - containerPort: {{ .Values.operatorHealth.port }} - name: health-port - protocol: TCP - {{- end }} - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{ include "flink-operator.name" . 
}} - - name: FLINK_CONF_DIR - value: /opt/flink/conf - - name: FLINK_PLUGINS_DIR - value: /opt/flink/plugins - - name: LOG_CONFIG - value: -Dlog4j.configurationFile=/opt/flink/conf/log4j-operator.properties - - name: JVM_ARGS - value: {{ .Values.jvmArgs.operator }} - {{- if .Values.tls.create }} - - name: OPERATOR_KEYSTORE_PATH - value: /opt/flink/tls-cert/keystore.jks - - name: OPERATOR_TRUSTSTORE_PATH - value: /opt/flink/tls-cert/truststore.jks - - name: OPERATOR_KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - {{- toYaml .Values.tls.secretKeyRef | nindent 18 }} - optional: true - {{- end }} - {{- with .Values.operatorPod.env }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.operatorPod.envFrom }} - envFrom: - {{- toYaml . | nindent 12 }} - {{- end }} - resources: - {{- toYaml .Values.operatorPod.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.operatorSecurityContext | nindent 12 }} - volumeMounts: - - name: flink-operator-config-volume - mountPath: /opt/flink/conf - {{- if .Values.operatorVolumeMounts.create }} - {{- toYaml .Values.operatorVolumeMounts.data | nindent 12 }} - {{- else }} - - name: flink-artifacts-volume - mountPath: /opt/flink/artifacts - {{- end }} - {{- if .Values.tls.create }} - - name: flink-operator-cert-secret - mountPath: /opt/flink/tls-cert - {{- end }} - {{- if and (index .Values "operatorHealth") (index .Values.operatorHealth "livenessProbe") }} - livenessProbe: - {{- toYaml .Values.operatorHealth.livenessProbe | nindent 12 }} - httpGet: - path: / - port: health-port - {{- end }} - {{- if and (index .Values "operatorHealth") (index .Values.operatorHealth "startupProbe") }} - startupProbe: - {{- toYaml .Values.operatorHealth.startupProbe | nindent 12 }} - httpGet: - path: / - port: health-port - {{- end }} - {{- if .Values.postStart }} - lifecycle: - postStart: - {{- toYaml .Values.postStart | nindent 14 }} - {{- end }} - {{- if eq (include "flink-operator.webhook-enabled" .) 
"true" }} - - name: flink-webhook - image: {{ include "flink-operator.imagePath" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/docker-entrypoint.sh", "webhook"] - env: - - name: WEBHOOK_KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - {{- if .Values.webhook.keystore.useDefaultPassword }} - name: flink-operator-webhook-secret - key: password - {{- else }} - {{- with .Values.webhook.keystore.passwordSecretRef }} - {{- toYaml . | nindent 18 }} - {{- end }} - {{- end }} - - name: WEBHOOK_KEYSTORE_FILE - value: "/certs/keystore.p12" - - name: WEBHOOK_KEYSTORE_TYPE - value: "pkcs12" - - name: WEBHOOK_SERVER_PORT - value: "9443" - - name: LOG_CONFIG - value: -Dlog4j.configurationFile=/opt/flink/conf/log4j-operator.properties - - name: JVM_ARGS - value: {{ .Values.jvmArgs.webhook }} - - name: FLINK_CONF_DIR - value: /opt/flink/conf - - name: FLINK_PLUGINS_DIR - value: /opt/flink/plugins - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.operatorPod.webhook.container.env }} - {{- toYaml . | nindent 12 }} - {{- end }} - resources: - {{- toYaml .Values.operatorPod.webhook.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.webhookSecurityContext | nindent 12 }} - volumeMounts: - - name: keystore - mountPath: "/certs" - readOnly: true - - name: flink-operator-config-volume - mountPath: /opt/flink/conf - {{- end }} - {{- if index (.Values.operatorPod) "dnsPolicy" }} - dnsPolicy: {{ .Values.operatorPod.dnsPolicy | quote }} - {{- end }} - {{- if index (.Values.operatorPod) "dnsConfig" }} - dnsConfig: - {{- with .Values.operatorPod.dnsConfig }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- end }} - volumes: - - name: flink-operator-config-volume - configMap: - name: flink-operator-config - items: - - key: flink-conf.yaml - path: flink-conf.yaml - - key: log4j-operator.properties - path: log4j-operator.properties - - key: log4j-console.properties - path: log4j-console.properties - {{- if .Values.operatorVolumes.create }} - {{- toYaml .Values.operatorVolumes.data | nindent 8 }} - {{- else }} - - name: flink-artifacts-volume - emptyDir: {} - {{- end }} - {{- if eq (include "flink-operator.webhook-enabled" .) "true" }} - - name: keystore - secret: - secretName: webhook-server-cert - items: - - key: keystore.p12 - path: keystore.p12 - {{- end }} - {{- if .Values.tls.create }} - - name: flink-operator-cert-secret - secret: - secretName: {{ .Values.tls.secretName }} - optional: true - {{- end }} ---- -{{- if .Values.defaultConfiguration.create }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: flink-operator-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . 
| nindent 4 }} -data: - flink-conf.yaml: |+ -{{- if .Values.defaultConfiguration.append }} - {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}} -{{- end }} -{{- if index (.Values.defaultConfiguration) "flink-conf.yaml" }} - {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}} -{{- end }} -{{- if .Values.watchNamespaces }} - kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }} -{{- end }} -{{- if index .Values "operatorHealth" }} - kubernetes.operator.health.probe.enabled: true - kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }} -{{- end }} - log4j-operator.properties: |+ -{{- if .Values.defaultConfiguration.append }} - {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}} -{{- end }} -{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }} - {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}} -{{- end }} - log4j-console.properties: |+ -{{- if .Values.defaultConfiguration.append }} - {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}} -{{- end }} -{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }} - {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl new file mode 100644 index 0000000000..eb33ecc2e0 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl 
@@ -0,0 +1,50 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{/* +Create the name of the job role to use +*/}} +{{- define "flink-operator.jobRoleName" -}} +{{- if .Values.rbac.jobRoleBinding.create }} +{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }} +{{- else }} +{{- default "default" .Values.rbac.jobRole.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the job role to use +*/}} +{{- define "flink-operator.jobRoleBindingName" -}} +{{- if .Values.rbac.jobRole.create }} +{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }} +{{- else }} +{{- default "default" .Values.rbac.jobRoleBinding.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the job service account to use +*/}} +{{- define "flink-operator.jobServiceAccountName" -}} +{{- if .Values.jobServiceAccount.create }} +{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }} +{{- else }} +{{- default "default" .Values.jobServiceAccount.name }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/flink/role.yaml b/helm/flink-kubernetes-operator/templates/flink/role.yaml new file mode 100644 index 0000000000..4d33aca2b8 --- /dev/null 
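Review bot: The gates in `flink-operator.jobRoleName` and `flink-operator.jobRoleBindingName` look swapped — the role name is keyed on `.Values.rbac.jobRoleBinding.create` and the binding name on `.Values.rbac.jobRole.create`, so with `jobRole.create: true` and `jobRoleBinding.create: false` flink/role.yaml would emit a Role literally named `default` in every watched namespace. Unless this deliberately mirrors the old top-level _helpers.tpl (outside this view), each helper should test its own resource's flag: `{{- if .Values.rbac.jobRole.create }}` in `jobRoleName` and `{{- if .Values.rbac.jobRoleBinding.create }}` in `jobRoleBindingName`. The doc comment above `jobRoleBindingName` is a copy of the one above it and should read `Create the name of the job role binding to use`.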
+++ b/helm/flink-kubernetes-operator/templates/flink/role.yaml @@ -0,0 +1,36 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.create }} +{{- if .Values.rbac.jobRole.create }} +{{- range $namespace := .Values.watchNamespaces }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "flink-operator.jobRoleName" $ }} + namespace: {{ $namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} + annotations: + helm.sh/resource-policy: keep +{{- include "flink-operator.jobRbacRules" $ | nindent 0 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml new file mode 100644 index 0000000000..498ab5301a --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml 
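Review bot: When `watchNamespaces` is empty the `range` renders nothing, so a cluster-scoped install gets no job Role at all, whereas the deleted rbac.yaml created one in `.Release.Namespace` on that path; Flink job pods in the release namespace lose their pod/configmap/deployment permissions on upgrade. Falling back to the release namespace restores the old behaviour in one line: `{{- range $namespace := (default (list .Release.Namespace) .Values.watchNamespaces) }}`. A chart test that renders with `watchNamespaces: []` and asserts a Role lands in the release namespace would pin this down.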
@@ -0,0 +1,43 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.create }} +{{- if .Values.rbac.jobRoleBinding.create }} +{{- range $namespace := .Values.watchNamespaces }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "flink-operator.jobRoleBindingName" $ }} + namespace: {{ $namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} + annotations: + helm.sh/resource-policy: keep +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} + name: {{ include "flink-operator.jobRoleName" $ }} +subjects: +- kind: ServiceAccount + name: {{ include "flink-operator.jobServiceAccountName" $ }} + namespace: {{ . }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/flink-kubernetes-operator/templates/rbac.yaml b/helm/flink-kubernetes-operator/templates/rbac.yaml deleted file mode 100644 index ecc4c21a2d..0000000000 --- a/helm/flink-kubernetes-operator/templates/rbac.yaml +++ /dev/null 
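Review bot: Same gap as flink/role.yaml: with `watchNamespaces` empty no RoleBinding is rendered, so the job service account in the release namespace is bound to nothing, while the old cluster-scoped branch of rbac.yaml bound it there. The same fallback closes it: `{{- range $namespace := (default (list .Release.Namespace) .Values.watchNamespaces) }}`. Inside the loop the subject's `namespace: {{ . }}` is correct but `namespace: {{ $namespace }}` matches `metadata.namespace` a few lines up and is harder to misread; `flink-operator.roleScope` is not defined in any file in this view, so presumably it survives in the top-level _helpers.tpl — worth confirming since the binding's `kind` depends on it.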
@@ -1,351 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ - -{{/* -RBAC rules used to create the operator (cluster)role based on the scope -*/}} -{{- define "flink-operator.rbacRules" }} -rules: - - apiGroups: - - "" - resources: - - pods - - services - - events - - configmaps - - secrets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - deletecollection -{{- if .Values.rbac.nodesRule.create }} - - apiGroups: - - "" - resources: - - nodes - verbs: - - list -{{- end }} - - apiGroups: - - apps - resources: - - deployments - - deployments/finalizers - - replicasets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - apps - resources: - - deployments/scale - verbs: - - get - - update - - patch - - apiGroups: - - extensions - resources: - - deployments - - ingresses - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - flink.apache.org - resources: - - flinkdeployments - - flinkdeployments/finalizers - - flinksessionjobs - - 
flinksessionjobs/finalizers - - flinkstatesnapshots - - flinkstatesnapshots/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - flink.apache.org - resources: - - flinkdeployments/status - - flinksessionjobs/status - - flinkstatesnapshots/status - verbs: - - get - - update - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} - -{{/* -RBAC rules used to create the job (cluster)role based on the scope -*/}} -{{- define "flink-operator.jobRbacRules" }} -rules: - - apiGroups: - - "" - resources: - - pods - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - apps - resources: - - deployments - - deployments/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} - ---- -{{- if .Values.rbac.create }} ---- -{{/* -Namespaced scoped RBAC. -*/}} -{{- if .Values.watchNamespaces }} -{{- range .Values.watchNamespaces }} -{{- if $.Values.rbac.operatorRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -{{- template "flink-operator.rbacRules" $ }} -{{- end }} ---- -{{- if $.Values.rbac.jobRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.jobRoleName" $ }} - namespace: {{ . 
}} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -{{- template "flink-operator.jobRbacRules" $ }} -{{- end }} ---- -{{- if $.Values.rbac.operatorRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -roleRef: - kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} -{{- end }} ---- -{{- if $.Values.rbac.jobRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.jobRoleBindingName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -roleRef: - kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} - name: {{ include "flink-operator.jobRoleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.jobServiceAccountName" $ }} - namespace: {{ . }} -{{- end }} ---- -{{- end }} -{{/* -Give operator the ability to operate on leases in the release namespace -*/}} -{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . 
| nindent 4 }} -rules: - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} ---- -{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -roleRef: - kind: Role - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{ else }} -{{/* -Cluster scoped RBAC. -*/}} ---- -{{- if .Values.rbac.operatorRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} -{{- template "flink-operator.rbacRules" $ }} -{{- end }} ---- -{{- if .Values.rbac.jobRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.jobRoleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -{{- template "flink-operator.jobRbacRules" $ }} -{{- end }} ---- -{{- if .Values.rbac.operatorRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- if .Values.rbac.jobRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.jobRoleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -roleRef: - kind: Role - name: {{ include "flink-operator.jobRoleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.jobServiceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl new file mode 100644 index 0000000000..e7d2033ce3 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl 
@@ -0,0 +1,202 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + + +{{/* +Create the name of the operator service account to use +*/}} +{{- define "flink-operator.serviceAccountName" -}} +{{- if .Values.operatorServiceAccount.create }} +{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }} +{{- else }} +{{- default "default" .Values.operatorServiceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the operator role to use +*/}} +{{- define "flink-operator.roleName" -}} +{{- if .Values.rbac.operatorRole.create }} +{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }} +{{- else }} +{{- default "default" .Values.rbac.operatorRole.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the operator role binding to use +*/}} +{{- define "flink-operator.roleBindingName" -}} +{{- if .Values.rbac.operatorRoleBinding.create }} +{{- default (include "flink-operator.fullname" .) 
.Values.rbac.operatorRoleBinding.name }} +{{- else }} +{{- default "default" .Values.rbac.operatorRoleBinding.name }} +{{- end }} +{{- end }} + +{{/* +RBAC rules used to create the operator (cluster)role based on the scope +*/}} +{{- define "flink-operator.rbacRules" }} +rules: +- apiGroups: + - "" + resources: + - pods + - services + - events + - configmaps + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - deletecollection +{{- if .Values.rbac.nodesRule.create }} +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +{{- end }} +- apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + - replicasets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments/scale + verbs: + - get + - update + - patch +- apiGroups: + - extensions + resources: + - deployments + - ingresses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - flink.apache.org + resources: + - flinkdeployments + - flinkdeployments/finalizers + - flinksessionjobs + - flinksessionjobs/finalizers + - flinkstatesnapshots + - flinkstatesnapshots/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - flink.apache.org + resources: + - flinkdeployments/status + - flinksessionjobs/status + - flinkstatesnapshots/status + verbs: + - get + - update + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} + +{{/* +RBAC rules used to create the job (cluster)role based on the scope +*/}} +{{- define "flink-operator.jobRbacRules" }} +rules: +- apiGroups: + - "" + resources: + - pods + - configmaps + verbs: + - get + - list + - watch + 
- create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml new file mode 100644 index 0000000000..ed59e08eb8 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml @@ -0,0 +1,28 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.operatorRole.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +{{ include "flink-operator.rbacRules" $ }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml new file mode 100644 index 0000000000..5ff31afb20 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml 
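Review bot: `flink-operator.rbacRules` is now included verbatim into both the ClusterRole (rbac/cluster_role.yaml) and the per-namespace Roles (rbac/role.yaml), but the optional `nodes: list` rule only has effect in the ClusterRole — nodes are cluster-scoped, so inside a namespaced Role it grants nothing and misleads anyone auditing the rendered Role. A comment on the `nodesRule` branch would save the next reader the trip: `{{- /* nodes are cluster-scoped: this rule is only effective when rendered into the ClusterRole */}}`. The `extensions` group rule for deployments and ingresses also looks like dead weight, since that group no longer serves either resource on any Kubernetes release still in support; dropping it narrows the role at no cost. Keep in mind when reviewing where this template is bound that it hands the operator `secrets` with every verb including `deletecollection`.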
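Review bot: This ClusterRole is rendered whenever `rbac.operatorRole.create` is true, with no check on `watchNamespaces` or `rbac.create`, whereas the deleted rbac.yaml only emitted a ClusterRole in the cluster-scoped branch (`watchNamespaces` empty). Together with rbac/cluster_role_binding.yaml this gives a namespace-scoped install the full rule set — pods, secrets, deployments, the Flink CRDs — across the whole cluster, which is exactly the privilege `watchNamespaces` exists to avoid. Restore the old gating: `{{- if and .Values.rbac.create .Values.rbac.operatorRole.create (not .Values.watchNamespaces) -}}`. The `namespace: {{ .Release.Namespace }}` on a cluster-scoped object is ignored by the API server and can go.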
@@ -0,0 +1,35 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.operatorRoleBinding.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "flink-operator.roleName" $ }} +subjects: +- kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/role.yaml b/helm/flink-kubernetes-operator/templates/rbac/role.yaml new file mode 100644 index 0000000000..d69f3ba435 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/role.yaml 
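Review bot: The ClusterRoleBinding has the same missing guard as the ClusterRole: it binds the operator service account cluster-wide whenever `rbac.operatorRoleBinding.create` is true, even when `watchNamespaces` restricts the install and per-namespace RoleBindings are being rendered in parallel by rbac/role_binding.yaml. Gate it the way the old cluster-scoped branch was: `{{- if and .Values.rbac.create .Values.rbac.operatorRoleBinding.create (not .Values.watchNamespaces) -}}`. The `namespace:` field on a ClusterRoleBinding is ignored and should be removed so the manifest does not suggest the binding is scoped.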
@@ -0,0 +1,60 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.create }} +{{- if .Values.rbac.operatorRole.create }} +{{- range $namespace := .Values.watchNamespaces }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ $namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +{{- include "flink-operator.rbacRules" $ | nindent 0 }} +{{- end }} +{{- end }} + +{{- /* Give operator the ability to operate on leases in the release namespace */}} +{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} +{{- end }} 
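Review bot: The leases Role at the bottom is now rendered in cluster-scoped mode too: with `watchNamespaces` empty, `has .Release.Namespace .Values.watchNamespaces` is false, so a Role with the operator's `roleName` is created in the release namespace next to the ClusterRole of the same name, which the old rbac.yaml avoided by nesting this block under `if .Values.watchNamespaces`. It is harmless duplication but confusing to audit; add the mode check: `{{- if and .Values.rbac.operatorRole.create .Values.watchNamespaces (not (has .Release.Namespace .Values.watchNamespaces)) }}`.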
diff --git a/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml new file mode 100644 index 0000000000..1f7ef3b05b --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml 
@@ -0,0 +1,61 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.rbac.create }} +{{- if .Values.rbac.operatorRoleBinding.create }} +{{- range $namespace := .Values.watchNamespaces }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" $ }} + namespace: {{ $namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} + name: {{ include "flink-operator.roleName" $ }} +subjects: +- kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" $ }} + namespace: {{ $.Release.Namespace }} +{{- end }} +{{- end }} + +{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "flink-operator.roleName" $ }} 
+subjects: +- kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml similarity index 59% rename from helm/flink-kubernetes-operator/templates/serviceaccount.yaml rename to helm/flink-kubernetes-operator/templates/rbac/service_account.yaml index a0179ecf0d..611e90582a 100644 --- a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml +++ b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml 
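Review bot: The release-namespace RoleBinding in the second block is gated on `rbac.operatorRole.create` rather than `rbac.operatorRoleBinding.create` (carried over from the deleted rbac.yaml), so `operatorRoleBinding.create: false` still produces this binding — the only one in the file that ignores the flag — and `roleBindingName` then falls back to the literal name `default`. It is also rendered in cluster-scoped mode, where the ClusterRoleBinding already covers leases. Suggested guard: `{{- if and .Values.rbac.operatorRoleBinding.create .Values.watchNamespaces (not (has .Release.Namespace .Values.watchNamespaces)) }}`.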
@@ -1,20 +1,20 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} --- {{- if .Values.operatorServiceAccount.create }} diff --git a/helm/flink-kubernetes-operator/templates/webhook.yaml b/helm/flink-kubernetes-operator/templates/webhook.yaml deleted file mode 100644 index cfe64aa1a8..0000000000 
--- a/helm/flink-kubernetes-operator/templates/webhook.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ ---- -{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} ---- -apiVersion: v1 -kind: Service -metadata: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - {{- if .Values.webhook.serviceLabels }} - labels: - {{- range $key, $value := .Values.webhook.serviceLabels }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/name: {{ include "flink-operator.name" . 
}} ---- -{{- if .Values.webhook.keystore.useDefaultPassword }} -apiVersion: v1 -kind: Secret -metadata: - name: flink-operator-webhook-secret - namespace: {{ .Release.Namespace }} -type: Opaque -data: - password: cGFzc3dvcmQxMjM0 -{{- end }} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: flink-operator-serving-cert - namespace: {{ .Release.Namespace }} -spec: - dnsNames: - - flink-operator-webhook-service.{{ .Release.Namespace }}.svc - - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local - keystores: - pkcs12: - create: true - passwordSecretRef: - {{- if .Values.webhook.keystore.useDefaultPassword }} - name: flink-operator-webhook-secret - key: password - {{- else }} - {{- with .Values.webhook.keystore.passwordSecretRef }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - issuerRef: - kind: Issuer - name: flink-operator-selfsigned-issuer - commonName: FlinkDeployment Validator - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: flink-operator-selfsigned-issuer - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} -{{- end }} -{{- if eq (include "flink-operator.validating-webhook-enabled" .) 
"true" }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert - name: flink-operator-{{ .Release.Namespace }}-webhook-configuration -webhooks: -- name: validationwebhook.flink.apache.org - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate - failurePolicy: Fail - rules: - - apiGroups: ["flink.apache.org"] - apiVersions: ["*"] - scope: "Namespaced" - operations: - - CREATE - - UPDATE - resources: - - flinkdeployments - - flinksessionjobs - - flinkstatesnapshots - sideEffects: None - {{- if .Values.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] - {{- end }} -{{- end }} -{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert - name: flink-operator-{{ .Release.Namespace }}-webhook-configuration -webhooks: - - name: mutationwebhook.flink.apache.org - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /mutate - failurePolicy: Fail - rules: - - apiGroups: ["flink.apache.org"] - apiVersions: ["*"] - scope: "Namespaced" - operations: - - CREATE - - UPDATE - resources: - - flinksessionjobs - - flinkdeployments - sideEffects: None - {{- if .Values.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] - {{- end }} -{{- end }} 
diff --git a/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl new file mode 100644 index 0000000000..c82df36665 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl 
@@ -0,0 +1,57 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- define "flink-operator.validating-webhook-enabled" -}}
+{{- if hasKey .Values.webhook "validator" }}
+{{- if .Values.webhook.validator.create }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- else }}
+{{- if or (.Values.webhook.create) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "flink-operator.mutating-webhook-enabled" -}}
+{{- if hasKey .Values.webhook "mutator" }}
+{{- if .Values.webhook.mutator.create }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- else }}
+{{- if or (.Values.webhook.create) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "flink-operator.webhook-enabled" -}}
+{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
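Review bot: `{{- if or (.Values.webhook.create) }}` in the else-branches of both `validating-webhook-enabled` and `mutating-webhook-enabled` applies `or` to a single operand, which is a no-op; `{{- if .Values.webhook.create }}` says the same thing without the detour. The precedence these helpers encode — when the `webhook.validator` / `webhook.mutator` key is present its `create` flag is authoritative and `webhook.create` is consulted only when the key is absent — is stated nowhere, so a user who sets `webhook.create: true` together with `webhook.validator.create: false` gets a silently disabled validator; a header such as `{{- /* validator/mutator .create, when the key exists, takes precedence over webhook.create */ -}}` above each define would make that visible. The `printf "true"` / `printf "false"` pairs could also be bare string literals, but that is cosmetic.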
diff --git a/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml new file mode 100644 index 0000000000..01e86b7ef8 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml 
@@ -0,0 +1,56 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: flink-operator-{{ .Release.Namespace }}-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert +webhooks: +- name: mutationwebhook.flink.apache.org + admissionReviewVersions: + - v1 + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /mutate + failurePolicy: Fail + rules: + - apiGroups: + - flink.apache.org + apiVersions: + - "*" + scope: Namespaced + operations: + - CREATE + - UPDATE + resources: + - flinksessionjobs + - flinkdeployments + sideEffects: None + {{- if .Values.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] + {{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/webhook/secret.yaml b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml new file mode 100644 index 0000000000..0b332ee8ec --- /dev/null 
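Review bot: The `namespaceSelector` block — `matchExpressions` on `kubernetes.io/metadata.name` with the `values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]` flow sequence — is duplicated byte-for-byte here and in validating_webhook_configuration.yaml; a named template in webhook/_helpers.tpl included as `{{- include "flink-operator.webhook-namespace-selector" . | nindent 2 }}` would keep the two configurations from drifting, given that their `resources` lists already differ. The flow sequence renders with a trailing comma, which YAML accepts, but a short template comment saying so would save the next reader a double-take. Both objects share the same `metadata.name`; that is legal across different kinds, though a `-mutating` / `-validating` suffix would make `kubectl get` output and audit-log entries unambiguous.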
+++ b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.webhook.keystore.useDefaultPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: flink-operator-webhook-secret
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ password: cGFzc3dvcmQxMjM0
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/webhook/service.yaml b/helm/flink-kubernetes-operator/templates/webhook/service.yaml
new file mode 100644
index 0000000000..b55465b032
--- /dev/null
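Review bot: The default-password Secret is emitted whenever `webhook.keystore.useDefaultPassword` is true with no check of `flink-operator.webhook-enabled`, so a release installed with the webhook disabled still creates `flink-operator-webhook-secret`; if the old webhook.yaml wrapped this in the webhook-enabled condition (not visible in this chunk) that is a behavioural change to either restore or call out. `{{- if and (eq (include "flink-operator.webhook-enabled" .) "true") .Values.webhook.keystore.useDefaultPassword }}` keeps the two conditions together. The `data.password` value is a fixed string shipped in the chart and therefore public; a template comment such as `{{- /* Chart-embedded default keystore password; set webhook.keystore.passwordSecretRef for anything beyond local testing */ -}}` above the `if` states that at the point where the Secret is created.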
@@ -0,0 +1,35 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} +apiVersion: v1 +kind: Service +metadata: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + {{- with .Values.webhook.serviceLabels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/name: {{ include "flink-operator.name" . }} +{{- end }} \ No newline at end of file diff --git a/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml new file mode 100644 index 0000000000..2e837a1cdb --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml 
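Review bot: The file is added without a trailing newline (`\ No newline at end of file`), unlike the other templates in this commit; ending `{{- end }}` with a newline keeps later diffs clean. The single port carries neither `name` nor `protocol`; `name: https` and `protocol: TCP` next to `port: 443` document what the 9443 target is and let NetworkPolicy and monitoring selectors refer to the port by name.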
@@ -0,0 +1,57 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: flink-operator-{{ .Release.Namespace }}-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert +webhooks: +- name: validationwebhook.flink.apache.org + admissionReviewVersions: + - v1 + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate + failurePolicy: Fail + rules: + - apiGroups: + - flink.apache.org + apiVersions: + - "*" + scope: Namespaced + operations: + - CREATE + - UPDATE + resources: + - flinkdeployments + - flinksessionjobs + - flinkstatesnapshots + sideEffects: None + {{- if .Values.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] + {{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/values.yaml b/helm/flink-kubernetes-operator/values.yaml index c23d742c71..82dbd66e4a 100644 
--- a/helm/flink-kubernetes-operator/values.yaml +++ b/helm/flink-kubernetes-operator/values.yaml @@ -16,18 +16,20 @@ # limitations under the License. ################################################################################ ---- - # List of kubernetes namespaces to watch for FlinkDeployment changes, empty means all namespaces. # When enabled RBAC is only created for said namespaces, otherwise it is done for the cluster scope. -# watchNamespaces: ["flink"] +watchNamespaces: +# - flink image: repository: flink-kubernetes-operator - pullPolicy: IfNotPresent + tag: latest + + pullPolicy: IfNotPresent + # If image digest is set then it takes precedence and the image tag will be ignored - # digest: "" + digest: "" imagePullSecrets: [] @@ -47,21 +49,22 @@ rbac: create: false operatorRole: create: true - name: "flink-operator" + name: flink-operator operatorRoleBinding: create: true - name: "flink-operator-role-binding" + name: flink-operator-role-binding jobRole: create: true - name: "flink" + name: flink jobRoleBinding: create: true - name: "flink-role-binding" + name: flink-role-binding operatorPod: - priorityClassName: null - annotations: {} labels: {} + + annotations: {} + # The env variables only apply to the operator container in the operator pod # TODO: consider making this pod level env variables env: 
@@ -72,32 +75,44 @@ operatorPod: # configMapKeyRef: # name: "" # key: "" - # dnsPolicy: "" - # dnsConfig: {} + + # Node labels and affinity for operator pod assignment # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + envFrom: # - configMapRef: # name: "" + + resources: + # limits: + # cpu: 250m + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 512Mi + + dnsPolicy: "" + + dnsConfig: {} + nodeSelector: {} affinity: {} + # Node tolerations for operator pod assignment # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # Topology spread constrains # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ topologySpreadConstraints: [] - resources: {} - # resources: - # limits: - # cpu: "250m" - # memory: "512Mi" - # requests: - # cpu: "250m" - # memory: "512Mi" + + priorityClassName: "" + webhook: resources: {} + container: env: # - name: "" @@ -106,13 +121,13 @@ operatorPod: operatorServiceAccount: create: true annotations: {} - name: "flink-operator" + name: flink-operator jobServiceAccount: create: true annotations: - "helm.sh/resource-policy": keep - name: "flink" + helm.sh/resource-policy: keep + name: flink operatorVolumeMounts: create: false @@ -148,9 +163,9 @@ webhook: # create: true keystore: useDefaultPassword: true - # passwordSecretRef: - # name: jks-password-secret - # key: password-key + passwordSecretRef: + # name: jks-password-secret + # key: password-key serviceLabels: {} defaultConfiguration: From a991c8138deca24987f6782bc87e23ae21397563 Mon Sep 17 00:00:00 2001 From: Yi Chen Date: Mon, 14 Apr 2025 14:49:33 +0800 Subject: [PATCH 2/3] Add helm unit tests to chart flink-kubernetes-operator 
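Review bot: `passwordSecretRef:` now has both of its children commented out, so the key resolves to `null` where it was previously absent; any template that reads `.Values.webhook.keystore.passwordSecretRef.name` without a `with`/`if` guard (the deployment template is not in this chunk) will fail with a nil-pointer evaluation, whereas `passwordSecretRef: {}` with the same commented hints keeps such lookups safe. The same question applies to `priorityClassName: ""` replacing `null` and to the newly uncommented `dnsPolicy: ""`: an empty string is falsy for `with`, but a template that emits these fields unconditionally would now render empty values, and whether the templates guard them is not visible here. `useDefaultPassword: true` deserves a comment at the value itself, e.g. `# true installs a keystore password that is embedded in the chart; set passwordSecretRef instead outside local testing`, since this is the place operators read before installing.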
Signed-off-by: Yi Chen --- .../tests/certmanager/certificate_test.yaml | 43 +++ .../tests/certmanager/issuer_test.yaml | 34 ++ .../tests/controller/configmap_test.yaml | 38 +++ .../tests/controller/deployment_test.yaml | 305 ++++++++++++++++++ .../tests/flink/role_binding_test.yaml | 69 ++++ .../tests/flink/role_test.yaml | 69 ++++ .../tests/rbac/cluster_role_binding_test.yaml | 59 ++++ .../tests/rbac/cluster_role_test.yaml | 47 +++ .../tests/rbac/role_binding_test.yaml | 69 ++++ .../tests/rbac/role_test.yaml | 88 +++++ .../mutating_webhook_configuration_test.yaml | 75 +++++ .../tests/webhook/secret_test.yaml | 48 +++ .../tests/webhook/service_test.yaml | 68 ++++ ...alidating_webhook_configuratioin_test.yaml | 74 +++++ 14 files changed, 1086 insertions(+) create mode 100644 helm/flink-kubernetes-operator/tests/certmanager/certificate_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/certmanager/issuer_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/flink/role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/service_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml 
diff --git a/helm/flink-kubernetes-operator/tests/certmanager/certificate_test.yaml b/helm/flink-kubernetes-operator/tests/certmanager/certificate_test.yaml new file mode 100644 index 0000000000..4c3c8ea83e --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/certmanager/certificate_test.yaml @@ -0,0 +1,43 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Cert Manager Certificate + +templates: +- certmanager/certificate.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create certificate + asserts: + - containsDocument: + apiVersion: cert-manager.io/v1 + kind: Certificate + name: flink-operator-serving-cert + +- it: Should use self signed issuer + asserts: + - equal: + path: spec.issuerRef + value: + group: cert-manager.io + kind: Issuer + name: flink-operator-selfsigned-issuer diff --git a/helm/flink-kubernetes-operator/tests/certmanager/issuer_test.yaml b/helm/flink-kubernetes-operator/tests/certmanager/issuer_test.yaml new file mode 100644 index 0000000000..ebc7d48114 --- /dev/null 
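Review bot: The suite asserts only that the Certificate exists and its `issuerRef`; nothing pins `spec.secretName` or `spec.dnsNames`, which are what the webhook's `cert-manager.io/inject-ca-from` annotation and the Service name depend on (certificate.yaml is not in this chunk, so the exact fields are presumed). An `equal` on `spec.secretName` and a `contains` on `spec.dnsNames` for `flink-operator-webhook-service.flink-operator.svc` would turn a silent rename that breaks webhook TLS into a failing test.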
+++ b/helm/flink-kubernetes-operator/tests/certmanager/issuer_test.yaml @@ -0,0 +1,34 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Cert Manager Issuer + +templates: +- certmanager/issuer.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create self signed Issuer + asserts: + - containsDocument: + apiVersion: cert-manager.io/v1 + kind: Issuer + name: flink-operator-selfsigned-issuer diff --git a/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml b/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml new file mode 100644 index 0000000000..b9dc12777a --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml 
@@ -0,0 +1,38 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test ConfigMap + +templates: + - controller/configmap.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: + - it: Should create a configmap with default configuration if `defaultConfiguration.create` is `true` + set: + defaultConfiguration: + create: true + asserts: + - containsDocument: + apiVersion: v1 + kind: ConfigMap + name: flink-operator-config + namespace: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml b/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml new file mode 100644 index 0000000000..8769721e93 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml 
@@ -0,0 +1,305 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Deployment + +templates: +- controller/deployment.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create a deployment + asserts: + - containsDocument: + apiVersion: apps/v1 + kind: Deployment + name: flink-kubernetes-operator + namespace: flink-operator + +- it: Should use the specified image if `image.repository` and `image.tag` are set + set: + image: + repository: test-repository/flink-kubernetes-operator + tag: test-tag + asserts: + - equal: + path: spec.template.spec.containers[*].image + value: test-repository/flink-kubernetes-operator:test-tag + +- it: Should use the specified image pull policy if `image.pullPolicy` is set + set: + image: + pullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[*].imagePullPolicy + value: Always + +- it: Should use the specified image pull secrets if `imagePullsecrets` is set + set: + imagePullSecrets: + - name: test-secret1 + - name: test-secret2 + asserts: + - contains: + path: 
spec.template.spec.imagePullSecrets + content: + name: test-secret1 + - contains: + path: spec.template.spec.imagePullSecrets + content: + name: test-secret2 + +- it: Should use the specified replicas if `replicas` is set + set: + replicas: 0 + asserts: + - equal: + path: spec.replicas + value: 0 + +- it: Should use the specified strategy if `strategy` is set + set: + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + asserts: + - equal: + path: spec.strategy + value: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + +- it: Should use the specified strategy if `strategy` is set + set: + strategy: + type: Recreate + asserts: + - equal: + path: spec.strategy + value: + type: Recreate + +- it: Should add deployment labels if `operatorPod.labels` is set + set: + operatorPod: + labels: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: metadata.labels.KEY1 + value: VALUE1 + - equal: + path: metadata.labels.KEY2 + value: VALUE2 + +- it: Should add pod template labels if `operatorPod.labels` is set + set: + operatorPod: + labels: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: spec.template.metadata.labels.KEY1 + value: VALUE1 + - equal: + path: spec.template.metadata.labels.KEY2 + value: VALUE2 + +- it: Should add pod template annotations if `operatorPod.annotations` is set + set: + operatorPod: + annotations: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: spec.template.metadata.annotations.KEY1 + value: VALUE1 + - equal: + path: spec.template.metadata.annotations.KEY2 + value: VALUE2 + +- it: Should use the specified DNS policy if `operatorPod.dnsPolicy` is set + set: + operatorPod: + dnsPolicy: ClusterFirstWithHostNet + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + +- it: Should use the specified DNS config if `operatorPod.dnsConfig` is set + set: + operatorPod: + dnsConfig: + nameservers: + - 1.1.1.1 + - 8.8.8.8 + searches: + - 
ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 + asserts: + - equal: + path: spec.template.spec.dnsConfig + value: + nameservers: + - 1.1.1.1 + - 8.8.8.8 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 + +- it: Should add nodeSelector if `operatorPod.nodeSelector` is set + set: + operatorPod: + nodeSelector: + key1: value1 + key2: value2 + asserts: + - equal: + path: spec.template.spec.nodeSelector.key1 + value: value1 + - equal: + path: spec.template.spec.nodeSelector.key2 + value: value2 + +- it: Should add affinity if `operatorPod.affinity` is set + set: + operatorPod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - antarctica-east1 + - antarctica-west1 + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: another-node-label-key + operator: In + values: + - another-node-label-value + asserts: + - equal: + path: spec.template.spec.affinity + value: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - antarctica-east1 + - antarctica-west1 + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: another-node-label-key + operator: In + values: + - another-node-label-value + +- it: Should add tolerations if `operatorPod.tolerations` is set + set: + operatorPod: + tolerations: + - key: key1 + operator: Equal + value: value1 + effect: NoSchedule + - key: key2 + operator: Exists + effect: NoSchedule + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: key1 + operator: Equal + value: value1 + effect: NoSchedule + - key: key2 + operator: Exists 
+ effect: NoSchedule + +- it: Should use the specified priority class name if `operatorPod.priorityClassName` is set + set: + operatorPod: + priorityClassName: test-priority + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: test-priority + +- it: Should use the specified topology spread constraints if `operatorPod.topologySpreadConstraints` is set + set: + operatorPod: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + asserts: + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + +- it: Should use the specified service account name if `operatorServiceAccount.name` is set + set: + operatorServiceAccount: + name: test-service-account + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: test-service-account diff --git a/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml new file mode 100644 index 0000000000..311ec450c2 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml 
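Review bot: Two cases carry the identical description `Should use the specified strategy if \`strategy\` is set` (one for RollingUpdate, one for Recreate); helm-unittest reports failures by `it` text, so the two are indistinguishable in output — `... is set to Recreate` for the second resolves it. The image-pull-secrets case is described as `imagePullsecrets` while the value key it sets is `imagePullSecrets`. The `containers[*].image` and `containers[*].imagePullPolicy` paths combine a wildcard with `equal`; whether the pinned helm-unittest version collapses a wildcard match to a scalar for `equal` is not visible here, and `containers[0].image` is unambiguous for a single-container pod.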
@@ -0,0 +1,69 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Flink Job RoleBinding + +templates: +- flink/role_binding.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-role-binding + namespace: ns1 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-role-binding + namespace: ns2 
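Review bot: The two watched-namespace cases duplicate the same `set` block and differ only in `documentIndex`; helm-unittest accepts `documentIndex` per assertion, so one case with two `containsDocument` asserts each carrying its own index expresses "one RoleBinding per watched namespace" in a single place, and the same applies to role_test.yaml. The first case is titled `Should not create any role if ...` although this suite renders flink/role_binding.yaml. Neither suite checks the part that actually grants access — `roleRef` and `subjects` here, `rules` in role_test.yaml — so a later change to the bound Role or ServiceAccount (presumably `flink`, per values.yaml) would pass unnoticed; nor is there a case for `watchNamespaces` left empty, which is the default.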
diff --git a/helm/flink-kubernetes-operator/tests/flink/role_test.yaml b/helm/flink-kubernetes-operator/tests/flink/role_test.yaml new file mode 100644 index 0000000000..b07c5e6edb --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/flink/role_test.yaml 
@@ -0,0 +1,69 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Flink Job Role + +templates: +- flink/role.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create role in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink + namespace: ns1 + +- it: Should create role in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink + namespace: ns2 
diff --git a/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml new file mode 100644 index 0000000000..ef9bfe50f8 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml 
@@ -0,0 +1,59 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Operator ClusterRoleBinding
+
+templates:
+- rbac/cluster_role_binding.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create ClusterRoleBinding if `rbac.operatorRoleBinding.create` is `false`
+  set:
+    rbac:
+      operatorRoleBinding:
+        create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create ClusterRoleBinding if `rbac.operatorRoleBinding.create` is `true`
+  set:
+    rbac:
+      operatorRoleBinding:
+        create: true
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      name: flink-operator-role-binding
+  - equal:
+      path: roleRef
+      value:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: flink-operator
+  - contains:
+      path: subjects
+      content:
+        kind: ServiceAccount
+        name: flink-operator
+        namespace: flink-operator
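Review bot: Nothing here covers the interaction with `watchNamespaces`: rbac/role_binding_test.yaml in this commit renders a namespaced RoleBinding per watched namespace, and if the cluster-scoped binding is meant to be rendered only when no namespaces are watched, a case setting `watchNamespaces: [ns1]` and asserting `hasDocuments: count: 0` would pin that least-privilege behaviour (whether the template gates on it is not visible from this hunk). Only `rbac.operatorRoleBinding.create` is toggled; the sibling rbac suites also gate on `rbac.create`, so if this template does too, add the `rbac.create: false` case as well. The `equal` on `roleRef` and `contains` on `subjects` are the right level of detail and would be worth copying into the RoleBinding suite.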
diff --git a/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml
new file mode 100644
index 0000000000..6ccf831161
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml
@@ -0,0 +1,47 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Operator ClusterRole
+
+templates:
+- rbac/cluster_role.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create ClusterRole if `rbac.operatorRole.create` is `false`
+  set:
+    rbac:
+      operatorRole:
+        create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create ClusterRole if `rbac.operatorRole.create` is `true`
+  set:
+    rbac:
+      operatorRole:
+        create: true
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      name: flink-operator
diff --git a/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml
new file mode 100644
index 0000000000..c24aa775ce
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml
@@ -0,0 +1,69 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Operator RoleBinding
+
+templates:
+- rbac/role_binding.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create any role if `rbac.create` is `false`
+  set:
+    rbac:
+      create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create role binding in each of the namespaces which should be watched
+  set:
+    rbac:
+      create: true
+      operatorRole:
+        create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  documentIndex: 0
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      name: flink-operator-role-binding
+      namespace: ns1
+
+- it: Should create role binding in each of the namespaces which should be watched
+  set:
+    rbac:
+      create: true
+      operatorRole:
+        create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  documentIndex: 1
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      name: flink-operator-role-binding
+      namespace: ns2
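Review bot: The per-namespace RoleBindings are checked for existence only, while rbac/cluster_role_binding_test.yaml in the same commit asserts `roleRef` and `subjects`; for a RoleBinding rendered in `ns1` the property that matters is that `subjects` names the ServiceAccount `flink-operator` in namespace `flink-operator` (a cross-namespace binding, which is easy to break by templating `.Release.Namespace` vs the iterated namespace) and that `roleRef` points at the namespaced Role, presumably `kind: Role`, `name: flink-operator`. Add the same `equal`/`contains` assertions here for at least one document index. The negative case's title says "Should not create any role" although this suite renders role bindings; `Should not create any role binding if ...` would match the other titles.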
diff --git a/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml
new file mode 100644
index 0000000000..70c21da78f
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml
@@ -0,0 +1,88 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Operator Role
+
+templates:
+- rbac/role.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create any role if `rbac.create` is `false`
+  set:
+    rbac:
+      create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create operator role in each of the namespaces which should be watched
+  set:
+    rbac:
+      create: true
+      operatorRole:
+        create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  documentIndex: 0
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: Role
+      name: flink-operator
+      namespace: ns1
+
+- it: Should create operator role in each of the namespaces which should be watched
+  set:
+    rbac:
+      create: true
+      operatorRole:
+        create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  documentIndex: 1
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: Role
+      name: flink-operator
+      namespace: ns2
+
+- it: Should create operator role in the release namespace if not watched
+  set:
+    rbac:
+      create: true
+      operatorRole:
+        create: true
+      jobRole:
+        create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  documentIndex: 2
+  asserts:
+  - containsDocument:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: Role
+      name: flink-operator
+      namespace: flink-operator
diff --git a/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml
new file mode 100644
index 0000000000..96ea11ea8e
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml
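Review bot: The "release namespace if not watched" case asserts only that document 2 is the Role in `flink-operator`; no case asserts the total document count, so an extra Role (for example a duplicate when the release namespace is itself listed in `watchNamespaces`) would never fail this suite. Add `- hasDocuments:` / `count: 3` to that case and a companion case with `watchNamespaces: [flink-operator, ns1]` asserting `count: 2`, which is what the "if not watched" wording promises. That case also sets `jobRole.create: true`, which has no visible bearing on the operator Role; if the release-namespace Role is only rendered when the job role is enabled, the title should say so, otherwise the setting is noise and should be dropped.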
@@ -0,0 +1,75 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test MutatingWebhookConfiguration
+
+templates:
+- webhook/mutating_webhook_configuration.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create mutating webhook configuration if `webhook.mutator.create` is `false`
+  set:
+    webhook:
+      mutator:
+        create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create mutating webhook configuration if `webhook.mutator.create` is `true`
+  set:
+    webhook:
+      mutator:
+        create: true
+      create: false
+  asserts:
+  - containsDocument:
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      name: flink-operator-flink-operator-webhook-configuration
+
+- it: Should create mutating webhook configuration if `webhook.create` is `true`
+  set:
+    webhook:
+      create: true
+  asserts:
+  - containsDocument:
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      name: flink-operator-flink-operator-webhook-configuration
+
+- it: Should add namespace selector if `watchNamespaces` is set
+  set:
+    webhook:
+      create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  asserts:
+  - contains:
+      path: webhooks[?(@.name=="mutationwebhook.flink.apache.org")].namespaceSelector.matchExpressions
+      content:
+        key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        - ns1
+        - ns2
diff --git a/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml
new file mode 100644
index 0000000000..ab013be16a
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml
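Review bot: The two create cases check only the configuration's name; the fields that decide where admission requests go and what happens when the webhook is down — `clientConfig.service`, `failurePolicy` and `rules` under `webhooks[?(@.name=="mutationwebhook.flink.apache.org")]` — are unasserted, so a template change that pointed the webhook at another Service or relaxed the failure policy would pass. Add `equal` assertions on `clientConfig.service` (expected to reference `flink-operator-webhook-service` in `flink-operator`, the Service asserted in webhook/service_test.yaml) and on `failurePolicy`, with values taken from the template. The selector case asserts the `In` expression but nothing asserts the selector is absent when `watchNamespaces` is unset; a `notExists` (or `isNull`) on `...namespaceSelector` in the `webhook.create: true` case would cover that. The same gaps apply to the validating suite added later in this commit.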
@@ -0,0 +1,48 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Webhook Secret
+
+templates:
+- webhook/secret.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create Secret if `webhook.keystore.useDefaultPassword` is `false`
+  set:
+    webhook:
+      keystore:
+        useDefaultPassword: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create Secret if `webhook.keystore.useDefaultPassword` is `true`
+  set:
+    webhook:
+      keystore:
+        useDefaultPassword: true
+  asserts:
+  - containsDocument:
+      apiVersion: v1
+      kind: Secret
+      name: flink-operator-webhook-secret
+      namespace: flink-operator
diff --git a/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml
new file mode 100644
index 0000000000..5407beb296
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml
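Review bot: The positive case asserts only that a Secret document exists; it never checks that the keystore password material is rendered, so a Secret with empty `data` would pass. Add an assertion that the password field is populated, e.g. `- isNotEmpty:` / `path: data` (or `stringData`, whichever the template emits — the key name is not visible from this hunk). Because `useDefaultPassword: true` renders a password shared by every installation that keeps the default, it is also worth a case confirming the Secret is not rendered when the webhook itself is disabled (`webhook.create`, `webhook.validator.create` and `webhook.mutator.create` all `false`), if the template is meant to gate on that.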
@@ -0,0 +1,68 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test Webhook Service
+
+templates:
+- webhook/service.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should create webhook service if `webhook.validator.create` is `true`
+  set:
+    webhook:
+      validator:
+        create: true
+  asserts:
+  - containsDocument:
+      apiVersion: v1
+      kind: Service
+      name: flink-operator-webhook-service
+      namespace: flink-operator
+
+- it: Should create webhook service if `webhook.create` is `true`
+  set:
+    webhook:
+      validator:
+        create: false
+      create: true
+  asserts:
+  - containsDocument:
+      apiVersion: v1
+      kind: Service
+      name: flink-operator-webhook-service
+      namespace: flink-operator
+
+- it: Should add labels to webhook service if `webhook.serviceLabels` is set
+  set:
+    webhook:
+      create: true
+      serviceLabels:
+        key1: value1
+        key2: value2
+  asserts:
+  - equal:
+      path: metadata.labels.key1
+      value: value1
+  - equal:
+      path: metadata.labels.key2
+      value: value2
+
\ No newline at end of file
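Review bot: Unlike the other webhook suites in this commit, there is no negative case: nothing asserts `hasDocuments: count: 0` when `webhook.create`, `webhook.validator.create` and `webhook.mutator.create` are all `false`, so a Service exposed for a disabled webhook would not fail the suite. The positive cases check metadata only; asserting `spec.selector` (it has to match the controller pod labels for admission traffic to reach the operator) and the port mapping with values from webhook/service.yaml would make them meaningful. The file also ends with a whitespace-only line and no trailing newline (`\ No newline at end of file`); drop the stray line and terminate the file with a newline.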
diff --git a/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml
new file mode 100644
index 0000000000..7bab3c2ec1
--- /dev/null
+++ b/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml
@@ -0,0 +1,74 @@
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+suite: Test ValidatingWebhookConfiguration
+
+templates:
+- webhook/validating_webhook_configuration.yaml
+
+release:
+  name: flink-operator
+  namespace: flink-operator
+
+tests:
+- it: Should not create validating webhook configuration if `webhook.validator.create` is `false`
+  set:
+    webhook:
+      validator:
+        create: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Should create validating webhook configuration if `webhook.validator.create` is `true`
+  set:
+    webhook:
+      validator:
+        create: true
+  asserts:
+  - containsDocument:
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      name: flink-operator-flink-operator-webhook-configuration
+
+- it: Should create validating webhook configuration if `webhook.create` is `true`
+  set:
+    webhook:
+      create: true
+  asserts:
+  - containsDocument:
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      name: flink-operator-flink-operator-webhook-configuration
+
+- it: Should add namespace selector if `watchNamespaces` is set
+  set:
+    webhook:
+      create: true
+    watchNamespaces:
+    - ns1
+    - ns2
+  asserts:
+  - contains:
+      path: webhooks[?(@.name=="validationwebhook.flink.apache.org")].namespaceSelector.matchExpressions
+      content:
+        key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        - ns1
+        - ns2

From f8507c62f32484bc974633f9f918015ffb1f77d6 Mon Sep 17 00:00:00 2001
From: Yi Chen
Date: Mon, 14 Apr 2025 14:49:44 +0800
Subject: [PATCH 3/3] Update .helmignore

Signed-off-by: Yi Chen
---
 helm/flink-kubernetes-operator/.helmignore | 34 +++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/helm/flink-kubernetes-operator/.helmignore b/helm/flink-kubernetes-operator/.helmignore
index 0e8a0eb36f..d761947aeb 100644
--- a/helm/flink-kubernetes-operator/.helmignore
+++ b/helm/flink-kubernetes-operator/.helmignore
@@ -1,7 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
-.DS_Store
+
+ci/
+
+# helm-unittest
+./tests
+.debug
+__snapshot__
+
+# helm-docs
+README.md.gotmpl
+
 # Common VCS dirs
 .git/
 .gitignore
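Review bot: The new test file is named `validating_webhook_configuratioin_test.yaml` (note `configuratioin`), which matches neither the template it exercises, `webhook/validating_webhook_configuration.yaml`, nor its sibling `mutating_webhook_configuration_test.yaml`; rename it to `validating_webhook_configuration_test.yaml`. The assertion gaps raised on the mutating suite — unasserted `clientConfig.service`, `failurePolicy` and `rules`, and no check that `namespaceSelector` is absent when `watchNamespaces` is unset — apply equally to the `validationwebhook.flink.apache.org` entry asserted here.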
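Review bot: The new `./tests` entry carries a `./` prefix while every other directory entry in the file (`ci/`, `.git/`, `.idea/`) does not; if Helm's ignore matcher compares a slash-containing pattern literally against the chart-relative path, `./tests` will not match `tests/` and the unit-test files will be shipped inside the packaged chart. Write the entry as `tests/` to match the surrounding style, and confirm after `helm package` that the directory is excluded from the archive. The second hunk of this file only regroups existing entries and needs no change.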
@@ -10,14 +37,19 @@
 .hg/
 .hgignore
 .svn/
+
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
+
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
+
+# MacOS
+.DS_Store