diff --git a/helm/flink-kubernetes-operator/templates/_helpers.tpl b/helm/flink-kubernetes-operator/templates/_helpers.tpl
index 3456ab46cc..f4673d1e5b 100644
--- a/helm/flink-kubernetes-operator/templates/_helpers.tpl
+++ b/helm/flink-kubernetes-operator/templates/_helpers.tpl
@@ -1,20 +1,20 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} {{/* Expand the name of the chart. 
@@ -77,121 +77,3 @@ Create the path of the operator image to use {{- .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }} {{- end }} {{- end }} - -{{/* -Create the name of the operator role to use -*/}} -{{- define "flink-operator.roleName" -}} -{{- if .Values.rbac.operatorRole.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }} -{{- else }} -{{- default "default" .Values.rbac.operatorRole.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the operator role binding to use -*/}} -{{- define "flink-operator.roleBindingName" -}} -{{- if .Values.rbac.operatorRoleBinding.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRoleBinding.name }} -{{- else }} -{{- default "default" .Values.rbac.operatorRoleBinding.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job role to use -*/}} -{{- define "flink-operator.jobRoleName" -}} -{{- if .Values.rbac.jobRoleBinding.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }} -{{- else }} -{{- default "default" .Values.rbac.jobRole.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job role to use -*/}} -{{- define "flink-operator.jobRoleBindingName" -}} -{{- if .Values.rbac.jobRole.create }} -{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }} -{{- else }} -{{- default "default" .Values.rbac.jobRoleBinding.name }} -{{- end }} -{{- end }} - - -{{/* -Create the name of the operator service account to use -*/}} -{{- define "flink-operator.serviceAccountName" -}} -{{- if .Values.operatorServiceAccount.create }} -{{- default (include "flink-operator.fullname" .) 
.Values.operatorServiceAccount.name }} -{{- else }} -{{- default "default" .Values.operatorServiceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Create the name of the job service account to use -*/}} -{{- define "flink-operator.jobServiceAccountName" -}} -{{- if .Values.jobServiceAccount.create }} -{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }} -{{- else }} -{{- default "default" .Values.jobServiceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Determine role scope based on name -*/}} -{{- define "flink-operator.roleScope" -}} -{{- if contains ":" .role }} -{{- printf "ClusterRole" }} -{{- else }} -{{- printf "Role" }} -{{- end }} -{{- end }} - -{{- define "flink-operator.validating-webhook-enabled" -}} -{{- if hasKey .Values.webhook "validator" }} -{{- if .Values.webhook.validator.create }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- else }} -{{- if or (.Values.webhook.create) }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "flink-operator.mutating-webhook-enabled" -}} -{{- if hasKey .Values.webhook "mutator" }} -{{- if .Values.webhook.mutator.create }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- else }} -{{- if or (.Values.webhook.create) }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "flink-operator.webhook-enabled" -}} -{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }} -{{- printf "true" }} -{{- else }} -{{- printf "false" }} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml new file mode 100644 index 0000000000..a6acc43cb2 --- /dev/null 
+++ b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: flink-operator-serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ keystores:
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ {{- if .Values.webhook.keystore.useDefaultPassword }}
+ name: flink-operator-webhook-secret
+ key: password
+ {{- else }}
+ {{- with .Values.webhook.keystore.passwordSecretRef }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ kind: Issuer
+ name: flink-operator-selfsigned-issuer
+ commonName: FlinkDeployment Validator
+ secretName: webhook-server-cert
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml b/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml
new file mode 100644
index 0000000000..d2d9ecdd3b
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml
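Review bot: When `webhook.keystore.useDefaultPassword` is false and `webhook.keystore.passwordSecretRef` is unset, the `with` block emits nothing and the rendered manifest contains a bare `passwordSecretRef:` (a YAML null) under `pkcs12`, so the misconfiguration only surfaces when cert-manager processes the Certificate rather than at template time. Replacing the `with` block with `{{- required "webhook.keystore.passwordSecretRef must be set when webhook.keystore.useDefaultPassword is false" .Values.webhook.keystore.passwordSecretRef | toYaml | nindent 8 }}` fails the render with a clear message instead. The Certificate also hard-codes `flink-operator-serving-cert`, `flink-operator-webhook-service` and `webhook-server-cert` rather than deriving them from the chart name; if that is intended because the webhook configuration expects these exact names, a one-line template comment saying so would save the next maintainer from "fixing" it.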
@@ -0,0 +1,27 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: flink-operator-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/controller/configmap.yaml b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
new file mode 100644
index 0000000000..d8695481c5
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
@@ -0,0 +1,68 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.defaultConfiguration.create }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: flink-operator-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+data:
+ config.yaml: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if hasKey (.Values.defaultConfiguration) "config.yaml" }}
+ {{- index (.Values.defaultConfiguration) "config.yaml" | nindent 4 -}}
+{{- end }}
+{{- if .Values.watchNamespaces }}
+ kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
+{{- end }}
+{{- if index .Values "operatorHealth" }}
+ kubernetes.operator.health.probe.enabled: true
+ kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
+{{- end }}
+ flink-conf.yaml: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if hasKey (.Values.defaultConfiguration) "flink-conf.yaml" }}
+ {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if .Values.watchNamespaces }}
+ kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
+{{- end }}
+{{- if index .Values "operatorHealth" }}
+ kubernetes.operator.health.probe.enabled: true
+ kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
+{{- end }}
+ log4j-operator.properties: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}}
+{{- end }}
+{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }}
+ {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}}
+{{- end }}
+ log4j-console.properties: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}}
+{{- end }}
+{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }}
+ {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}}
+{{- end }}
+{{- end }}
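Review bot: The `config.yaml` and `flink-conf.yaml` entries are both rendered from the same `conf/flink-conf.yaml` file and repeat the same `kubernetes.operator.watched.namespaces` and health-probe lines, but nothing in the file records why both keys exist. A template comment above `config.yaml:` such as `{{- /* config.yaml and flink-conf.yaml intentionally carry the same content; both file names are published so the operator finds its configuration under either. */ -}}` would make the duplication look deliberate rather than a copy-paste (presumably it bridges two Flink config file names, but confirm that with the authors). If it is deliberate, the four `append` / `hasKey` / `watchNamespaces` / `operatorHealth` stanzas could be factored into one named template invoked per key so the two blocks cannot drift apart. The content is moved unchanged from templates/flink-operator.yaml, so none of this is a regression introduced here.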
diff --git a/helm/flink-kubernetes-operator/templates/flink-operator.yaml b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml
similarity index 76%
rename from helm/flink-kubernetes-operator/templates/flink-operator.yaml
rename to helm/flink-kubernetes-operator/templates/controller/deployment.yaml
index 4fa0c6698b..85e6a465f1 100644
--- a/helm/flink-kubernetes-operator/templates/flink-operator.yaml
+++ b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml
@@ -1,21 +1,19 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
----
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -273,56 +271,3 @@ spec:
 secretName: {{ .Values.tls.secretName }}
 optional: true
 {{- end }}
----
-{{- if .Values.defaultConfiguration.create }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: flink-operator-config
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
-data:
- config.yaml: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if hasKey (.Values.defaultConfiguration) "config.yaml" }}
- {{- index (.Values.defaultConfiguration) "config.yaml" | nindent 4 -}}
-{{- end }}
-{{- if .Values.watchNamespaces }}
- kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
-{{- end }}
-{{- if index .Values "operatorHealth" }}
- kubernetes.operator.health.probe.enabled: true
- kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
-{{- end }}
- flink-conf.yaml: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if hasKey (.Values.defaultConfiguration) "flink-conf.yaml" }}
- {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if .Values.watchNamespaces }}
- kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
-{{- end }}
-{{- if index .Values "operatorHealth" }}
- kubernetes.operator.health.probe.enabled: true
- kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
-{{- end }}
- log4j-operator.properties: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}}
-{{- end }}
-{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }}
- {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}}
-{{- end }}
- log4j-console.properties: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}}
-{{- end }}
-{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }}
- {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}}
-{{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl
new file mode 100644
index 0000000000..386d26d253
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl
@@ -0,0 +1,50 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{/*
+Create the name of the job service account to use
+*/}}
+{{- define "flink-operator.jobServiceAccountName" -}}
+{{- if .Values.jobServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }}
+{{- else }}
+{{- default "default" .Values.jobServiceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the job role to use
+*/}}
+{{- define "flink-operator.jobRoleName" -}}
+{{- if .Values.rbac.jobRoleBinding.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }}
+{{- else }}
+{{- default "default" .Values.rbac.jobRole.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the job role to use
+*/}}
+{{- define "flink-operator.jobRoleBindingName" -}}
+{{- if .Values.rbac.jobRole.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }}
+{{- else }}
+{{- default "default" .Values.rbac.jobRoleBinding.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/flink/role.yaml b/helm/flink-kubernetes-operator/templates/flink/role.yaml
new file mode 100644
index 0000000000..acdfd8826a
--- /dev/null
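Review bot: `flink-operator.jobRoleName` tests `.Values.rbac.jobRoleBinding.create` while `flink-operator.jobRoleBindingName` tests `.Values.rbac.jobRole.create`, so each helper keys its fallback off the other resource's flag; the operator-side pair (`roleName`/`roleBindingName` in rbac/_helpers.tpl) each checks its own flag, which strongly suggests the two conditions are swapped. With the current code a Role requested via `rbac.jobRole.create: true` is named `default` whenever `rbac.jobRoleBinding.create` is false, and the binding's `roleRef.name` can likewise point at a Role nobody rendered. Changing the conditions to `{{- if .Values.rbac.jobRole.create }}` in jobRoleName and `{{- if .Values.rbac.jobRoleBinding.create }}` in jobRoleBindingName makes the job helpers consistent with the operator ones. The header comment above jobRoleBindingName also repeats "Create the name of the job role to use" and should read `Create the name of the job role binding to use`. These helpers are moved verbatim from templates/_helpers.tpl, so the defect predates this change, but the move is the natural place to fix it.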
+++ b/helm/flink-kubernetes-operator/templates/flink/role.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.jobRole.create }}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+{{- end }}
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+{{- end }}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml
new file mode 100644
index 0000000000..56f84271f3
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml
@@ -0,0 +1,60 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.jobRoleBinding.create }}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.jobRoleBindingName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ . }}
+{{- end }}
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.jobRoleBindingName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: Role
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.jobServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/flink/service_account.yaml b/helm/flink-kubernetes-operator/templates/flink/service_account.yaml
new file mode 100644
index 0000000000..f5dd54a80c
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/service_account.yaml
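Review bot: The two branches disagree on `roleRef.kind`: the per-namespace RoleBinding derives it through `flink-operator.roleScope`, so an `rbac.jobRole.name` containing `:` yields `kind: ClusterRole`, while the release-namespace branch hard-codes `kind: Role`, and role.yaml only ever renders a `Role`. The same value therefore binds the job ServiceAccount to a ClusterRole in one configuration and to a Role in the other; using `kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}` in the else branch as well makes the behaviour uniform. The `:` convention is not documented anywhere in this file; a template comment above the first `roleRef:`, e.g. `{{- /* A role name containing ':' refers to a pre-existing ClusterRole that this chart does not create; any other name is the namespaced Role rendered by role.yaml. */ -}}`, would tell operators that this is the hook for granting jobs an externally managed ClusterRole. Because a RoleBinding confines even a ClusterRole's rules to its own namespace this does not widen the grant beyond the watched namespace, but reviewers auditing the job permissions should be able to see which object the binding targets.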
@@ -0,0 +1,53 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.jobServiceAccount.create -}}
+{{- /* Create job service accounts for all watched namespaces. */ -}}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ {{- with $.Values.jobServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+{{- end }}
+{{- /*
+Create the job service account for the operator namespace, it is to be added for other namespaces manually
+(or via specifying them in watchNamespaces).
+*/ -}}
+{{- else }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ {{- with .Values.jobServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
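Review bot: The template comment "Create the job service account for the operator namespace, it is to be added for other namespaces manually (or via specifying them in watchNamespaces)." sits after the `range` loop's `{{- end }}` but before `{{- else }}`, so it is still inside the `watchNamespaces` branch while describing the `else` branch; moving it to directly after `{{- else }}` puts it next to the code it explains. It is also worth stating the consequence explicitly, since it decides which namespaces end up with a job identity: when `watchNamespaces` is set, no job ServiceAccount is created in `.Release.Namespace` unless that namespace is itself listed. A comment above the `range`, e.g. `{{- /* watchNamespaces set: one job ServiceAccount per watched namespace and nothing else; the release namespace only gets one if it is listed. */ -}}`, would save readers deriving that from the two branches.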
diff --git a/helm/flink-kubernetes-operator/templates/rbac.yaml b/helm/flink-kubernetes-operator/templates/rbac.yaml
deleted file mode 100644
index ecc4c21a2d..0000000000
--- a/helm/flink-kubernetes-operator/templates/rbac.yaml
+++ /dev/null
@@ -1,351 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ - -{{/* -RBAC rules used to create the operator (cluster)role based on the scope -*/}} -{{- define "flink-operator.rbacRules" }} -rules: - - apiGroups: - - "" - resources: - - pods - - services - - events - - configmaps - - secrets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - deletecollection -{{- if .Values.rbac.nodesRule.create }} - - apiGroups: - - "" - resources: - - nodes - verbs: - - list -{{- end }} - - apiGroups: - - apps - resources: - - deployments - - deployments/finalizers - - replicasets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - apps - resources: - - deployments/scale - verbs: - - get - - update - - patch - - apiGroups: - - extensions - resources: - - deployments - - ingresses - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - flink.apache.org - resources: - - flinkdeployments - - flinkdeployments/finalizers - - flinksessionjobs - - 
flinksessionjobs/finalizers - - flinkstatesnapshots - - flinkstatesnapshots/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - flink.apache.org - resources: - - flinkdeployments/status - - flinksessionjobs/status - - flinkstatesnapshots/status - verbs: - - get - - update - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} - -{{/* -RBAC rules used to create the job (cluster)role based on the scope -*/}} -{{- define "flink-operator.jobRbacRules" }} -rules: - - apiGroups: - - "" - resources: - - pods - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - apps - resources: - - deployments - - deployments/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} - ---- -{{- if .Values.rbac.create }} ---- -{{/* -Namespaced scoped RBAC. -*/}} -{{- if .Values.watchNamespaces }} -{{- range .Values.watchNamespaces }} -{{- if $.Values.rbac.operatorRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -{{- template "flink-operator.rbacRules" $ }} -{{- end }} ---- -{{- if $.Values.rbac.jobRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.jobRoleName" $ }} - namespace: {{ . 
}} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -{{- template "flink-operator.jobRbacRules" $ }} -{{- end }} ---- -{{- if $.Values.rbac.operatorRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -roleRef: - kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} -{{- end }} ---- -{{- if $.Values.rbac.jobRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.jobRoleBindingName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -roleRef: - kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} - name: {{ include "flink-operator.jobRoleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.jobServiceAccountName" $ }} - namespace: {{ . }} -{{- end }} ---- -{{- end }} -{{/* -Give operator the ability to operate on leases in the release namespace -*/}} -{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . 
| nindent 4 }} -rules: - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} ---- -{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} -roleRef: - kind: Role - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{ else }} -{{/* -Cluster scoped RBAC. -*/}} ---- -{{- if .Values.rbac.operatorRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "flink-operator.roleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} -{{- template "flink-operator.rbacRules" $ }} -{{- end }} ---- -{{- if .Values.rbac.jobRole.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "flink-operator.jobRoleName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -{{- template "flink-operator.jobRbacRules" $ }} -{{- end }} ---- -{{- if .Values.rbac.operatorRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "flink-operator.roleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "flink-operator.roleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- if .Values.rbac.jobRoleBinding.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "flink-operator.jobRoleBindingName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - annotations: - "helm.sh/resource-policy": keep -roleRef: - kind: Role - name: {{ include "flink-operator.jobRoleName" $ }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "flink-operator.jobServiceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl new file mode 100644 index 0000000000..44d1d7ef3a --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl 
@@ -0,0 +1,212 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{/* +Create the name of the operator service account to use +*/}} +{{- define "flink-operator.serviceAccountName" -}} +{{- if .Values.operatorServiceAccount.create }} +{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }} +{{- else }} +{{- default "default" .Values.operatorServiceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Determine role scope based on name +*/}} +{{- define "flink-operator.roleScope" -}} +{{- if contains ":" .role }} +{{- printf "ClusterRole" }} +{{- else }} +{{- printf "Role" }} +{{- end }} +{{- end }} + +{{/* +Create the name of the operator role to use +*/}} +{{- define "flink-operator.roleName" -}} +{{- if .Values.rbac.operatorRole.create }} +{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }} +{{- else }} +{{- default "default" .Values.rbac.operatorRole.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the operator role binding to use +*/}} +{{- define "flink-operator.roleBindingName" -}} +{{- if .Values.rbac.operatorRoleBinding.create }} +{{- default (include "flink-operator.fullname" .) 
.Values.rbac.operatorRoleBinding.name }} +{{- else }} +{{- default "default" .Values.rbac.operatorRoleBinding.name }} +{{- end }} +{{- end }} + +{{/* +RBAC rules used to create the operator (cluster)role based on the scope +*/}} +{{- define "flink-operator.rbacRules" }} +rules: + - apiGroups: + - "" + resources: + - pods + - services + - events + - configmaps + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - deletecollection +{{- if .Values.rbac.nodesRule.create }} + - apiGroups: + - "" + resources: + - nodes + verbs: + - list +{{- end }} + - apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + - replicasets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - apps + resources: + - deployments/scale + verbs: + - get + - update + - patch + - apiGroups: + - extensions + resources: + - deployments + - ingresses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - flink.apache.org + resources: + - flinkdeployments + - flinkdeployments/finalizers + - flinksessionjobs + - flinksessionjobs/finalizers + - flinkstatesnapshots + - flinkstatesnapshots/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - flink.apache.org + resources: + - flinkdeployments/status + - flinksessionjobs/status + - flinkstatesnapshots/status + verbs: + - get + - update + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} + +{{/* +RBAC rules used to create the job (cluster)role based on the scope +*/}} +{{- define "flink-operator.jobRbacRules" }} +rules: + - apiGroups: + - "" + resources: + - pods + - configmaps + verbs: + - get + - list + 
- watch + - create + - update + - patch + - delete + - apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml new file mode 100644 index 0000000000..d101037f23 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml @@ -0,0 +1,30 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if and .Values.rbac.create .Values.rbac.operatorRole.create }} +{{- if not .Values.watchNamespaces }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +{{- template "flink-operator.rbacRules" $ }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml new file mode 100644 index 0000000000..d4ee1414ea --- /dev/null 
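Review bot: `flink-operator.serviceAccountName` falls back to the namespace's shared `default` ServiceAccount when `operatorServiceAccount.create` is false and no name is given, and the bindings in this change then attach the operator (Cluster)Role — which via `rbacRules` carries get/list/watch/create/update/patch/delete/deletecollection on `secrets` and the other core resources — to that account, so every pod in the release namespace running under `default` inherits it. Consider failing the render instead, e.g. `{{- required "operatorServiceAccount.name must be set when create=false" .Values.operatorServiceAccount.name }}`, or at least put a comment above the helper warning about the footgun. The parallel fallbacks in `roleName` and `roleBindingName` yield RBAC objects literally named `default`, which is unlikely to be intended and deserves the same treatment. Separately, the `extensions` apiGroup rule for `deployments`/`ingresses` targets API versions that recent Kubernetes releases no longer serve, so it appears to be dead weight in `rbacRules`; if no supported cluster version still needs it, drop it.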
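Review bot: `metadata.namespace: {{ .Release.Namespace }}` is set on a `ClusterRole`, a cluster-scoped kind; the API server ignores the field, but it misleads readers into thinking the grant is namespaced and strict validators flag it — remove the line. Note that with `watchNamespaces` now defaulting to `[]`, this cluster-wide role (including full `secrets` access from `rbacRules`) is what a default install produces; a comment above the `if not .Values.watchNamespaces` guard, e.g. `{{- /* Cluster-wide RBAC: the operator SA gets rbacRules (incl. secrets) in every namespace. Set watchNamespaces to scope it. */ -}}`, would make that explicit at the point where the decision is made.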
+++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml @@ -0,0 +1,37 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if and .Values.rbac.create .Values.rbac.operatorRoleBinding.create }} +{{- if not .Values.watchNamespaces }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + name: {{ include "flink-operator.roleName" $ }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/role.yaml b/helm/flink-kubernetes-operator/templates/rbac/role.yaml new file mode 100644 index 0000000000..e9653f52a0 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/role.yaml 
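Review bot: As with the ClusterRole, `namespace:` has no meaning on a `ClusterRoleBinding` and should be dropped from `metadata`. The binding hardcodes `roleRef.kind: ClusterRole` while the namespaced RoleBinding template derives the kind through `flink-operator.roleScope`; the hardcoding is correct here because this file only renders when `watchNamespaces` is empty and cluster_role.yaml creates a ClusterRole under the same name, but a one-line comment saying so (`{{- /* Always a ClusterRole: rendered only in cluster-scoped mode, paired with cluster_role.yaml */ -}}`) would stop the next reader from "harmonising" the two templates.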
@@ -0,0 +1,58 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if and .Values.rbac.create .Values.rbac.operatorRole.create }} +{{- /* Namespaced scoped RBAC. */ -}} +{{- if .Values.watchNamespaces }} +{{- range .Values.watchNamespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ . }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +{{- template "flink-operator.rbacRules" $ }} +{{- end }} +{{- /* Give operator the ability to operate on leases in the release namespace */ -}} +{{- if not (has .Release.Namespace .Values.watchNamespaces) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "flink-operator.roleName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml new file mode 100644 index 0000000000..e606c19786 
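Review bot: `namespace: {{ . }}` inside the `range` emits each `watchNamespaces` entry unquoted, so an entry YAML types as a non-string (an all-digit namespace such as `123` is a valid DNS-1123 label) renders as an integer and the API server rejects the manifest; use `namespace: {{ . | quote }}` here and in the matching RoleBinding loop. The lease-only Role in the release namespace is the right least-privilege choice — the operator gets no secrets access in its own namespace unless that namespace is watched — but its rules duplicate the `coordination.k8s.io` block inside `flink-operator.rbacRules`; extracting a shared `flink-operator.leaseRbacRules` define and including it from both places would keep the two from drifting.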
--- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml 
@@ -0,0 +1,60 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if and .Values.rbac.create .Values.rbac.operatorRoleBinding.create }} +{{- /* Namespaced scoped RBAC. */ -}} +{{- if .Values.watchNamespaces }} +{{- range .Values.watchNamespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" $ }} + namespace: {{ . 
}} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +roleRef: + kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} + name: {{ include "flink-operator.roleName" $ }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" $ }} + namespace: {{ $.Release.Namespace }} +{{- end }} +{{- /* Give operator the ability to operate on leases in the release namespace */ -}} +{{- if not (has .Release.Namespace .Values.watchNamespaces) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "flink-operator.roleBindingName" $ }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" $ | nindent 4 }} +roleRef: + kind: Role + name: {{ include "flink-operator.roleName" $ }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "flink-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml new file mode 100644 index 0000000000..b3a0fb872d --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml 
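Review bot: The per-namespace bindings derive `roleRef.kind` from `flink-operator.roleScope`, which returns `ClusterRole` whenever the role name contains `:`, yet role.yaml unconditionally creates `Role`s under that same name when `rbac.operatorRole.create` is true — so an operator role named e.g. `flink:operator` yields Roles nothing binds to and RoleBindings pointing at a ClusterRole that does not exist, leaving the operator without permissions in the watched namespaces. Inferring scope from a naming convention is fragile; apply the heuristic only when `operatorRole.create` is false, or better add an explicit `rbac.operatorRole.kind` value and document it. The release-namespace binding hardcodes `kind: Role`, which matches role.yaml but is inconsistent with the loop; a comment explaining the difference is needed if the heuristic stays. Style: the `{{ $role := ... }}` assignment buried inside the `kind:` line is hard to read — move it to its own `{{- $role := include "flink-operator.roleName" $ -}}` line before `roleRef:`.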
@@ -0,0 +1,29 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if .Values.operatorServiceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "flink-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flink-operator.labels" . | nindent 4 }} + {{- with .Values.operatorServiceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml b/helm/flink-kubernetes-operator/templates/serviceaccount.yaml deleted file mode 100644 index a0179ecf0d..0000000000 --- a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ - ---- -{{- if .Values.operatorServiceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "flink-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" . | nindent 4 }} - {{- with .Values.operatorServiceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- if .Values.jobServiceAccount.create -}} -{{/* -Create job service accounts for all watched namespaces. -*/}} -{{- if .Values.watchNamespaces }} -{{- range .Values.watchNamespaces }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "flink-operator.jobServiceAccountName" $ }} - namespace: {{ . }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - {{- with $.Values.jobServiceAccount.annotations }} - annotations: - {{- toYaml . 
| nindent 4 }} - {{- end }} ---- -{{- end }} -{{/* -Create the job service account for the operator namespace, it is to be added for other namespaces manually -(or via specifying them in watchNamespaces). -*/}} -{{- else}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "flink-operator.jobServiceAccountName" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "flink-operator.labels" $ | nindent 4 }} - {{- with .Values.jobServiceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/webhook.yaml b/helm/flink-kubernetes-operator/templates/webhook.yaml deleted file mode 100644 index cfe64aa1a8..0000000000 --- a/helm/flink-kubernetes-operator/templates/webhook.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -################################################################################ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ ---- -{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} ---- -apiVersion: v1 -kind: Service -metadata: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - {{- if .Values.webhook.serviceLabels }} - labels: - {{- range $key, $value := .Values.webhook.serviceLabels }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/name: {{ include "flink-operator.name" . 
}} ---- -{{- if .Values.webhook.keystore.useDefaultPassword }} -apiVersion: v1 -kind: Secret -metadata: - name: flink-operator-webhook-secret - namespace: {{ .Release.Namespace }} -type: Opaque -data: - password: cGFzc3dvcmQxMjM0 -{{- end }} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: flink-operator-serving-cert - namespace: {{ .Release.Namespace }} -spec: - dnsNames: - - flink-operator-webhook-service.{{ .Release.Namespace }}.svc - - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local - keystores: - pkcs12: - create: true - passwordSecretRef: - {{- if .Values.webhook.keystore.useDefaultPassword }} - name: flink-operator-webhook-secret - key: password - {{- else }} - {{- with .Values.webhook.keystore.passwordSecretRef }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - issuerRef: - kind: Issuer - name: flink-operator-selfsigned-issuer - commonName: FlinkDeployment Validator - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: flink-operator-selfsigned-issuer - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} -{{- end }} -{{- if eq (include "flink-operator.validating-webhook-enabled" .) 
"true" }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert - name: flink-operator-{{ .Release.Namespace }}-webhook-configuration -webhooks: -- name: validationwebhook.flink.apache.org - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate - failurePolicy: Fail - rules: - - apiGroups: ["flink.apache.org"] - apiVersions: ["*"] - scope: "Namespaced" - operations: - - CREATE - - UPDATE - resources: - - flinkdeployments - - flinksessionjobs - - flinkstatesnapshots - sideEffects: None - {{- if .Values.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] - {{- end }} -{{- end }} -{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert - name: flink-operator-{{ .Release.Namespace }}-webhook-configuration -webhooks: - - name: mutationwebhook.flink.apache.org - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: flink-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /mutate - failurePolicy: Fail - rules: - - apiGroups: ["flink.apache.org"] - apiVersions: ["*"] - scope: "Namespaced" - operations: - - CREATE - - UPDATE - resources: - - flinksessionjobs - - flinkdeployments - sideEffects: None - {{- if .Values.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] - {{- end }} -{{- end }} 
diff --git a/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl new file mode 100644 index 0000000000..d92d5d3bc4 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl 
@@ -0,0 +1,57 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- define "flink-operator.webhook-enabled" -}} +{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} + +{{- define "flink-operator.validating-webhook-enabled" -}} +{{- if hasKey .Values.webhook "validator" }} +{{- if .Values.webhook.validator.create }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- else }} +{{- if or (.Values.webhook.create) }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "flink-operator.mutating-webhook-enabled" -}} +{{- if hasKey .Values.webhook "mutator" }} +{{- if .Values.webhook.mutator.create }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- else }} +{{- if or (.Values.webhook.create) }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} +{{- end }} 
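Review bot: `{{- if or (.Values.webhook.create) }}` applies `or` to a single operand, which is a no-op; write `{{- if .Values.webhook.create }}` in both `validating-webhook-enabled` and `mutating-webhook-enabled`. Also, `hasKey .Values.webhook "validator"` is true when a user writes `validator:` with no children (a null value), and `.Values.webhook.validator.create` then aborts the render with a nil-pointer evaluation error; guarding with `{{- if and (hasKey .Values.webhook "validator") .Values.webhook.validator }}` (same for `mutator`) keeps the override path from failing on an empty key. The `hasKey`-based feature detection presumably exists for backward compatibility with the older `webhook.create` switch; a short comment above each define stating that `webhook.validator.create`/`webhook.mutator.create` take precedence over `webhook.create` when present would document that contract.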
diff --git a/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml new file mode 100644 index 0000000000..542ccc33a7 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml 
@@ -0,0 +1,55 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} +{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert + name: flink-operator-{{ .Release.Namespace }}-webhook-configuration +webhooks: + - name: mutationwebhook.flink.apache.org + admissionReviewVersions: ["v1"] + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /mutate + failurePolicy: Fail + rules: + - apiGroups: ["flink.apache.org"] + apiVersions: ["*"] + scope: "Namespaced" + operations: + - CREATE + - UPDATE + resources: + - flinksessionjobs + - flinkdeployments + sideEffects: None + {{- if .Values.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] + {{- end }} +{{- end }} +{{- end }} 
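Review bot: The `namespaceSelector` builds its `values` flow sequence by hand (`[{{- range ... }}{{ . | quote }},{{- end}}]`), leaving a trailing comma and depending on `range` whitespace trimming to stay valid; `values: {{ .Values.watchNamespaces | toJson }}` produces the same list unambiguously. The `metadata.name` `flink-operator-<ns>-webhook-configuration` is shared with the ValidatingWebhookConfiguration; that is legal because the kinds differ, but a comment saying so would prevent someone from "fixing" it into a collision or assuming one already exists. `failurePolicy: Fail` is the right fail-closed posture for an admission hook that mutates the operator's own CRDs.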
diff --git a/helm/flink-kubernetes-operator/templates/webhook/secret.yaml b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml new file mode 100644 index 0000000000..2971100311 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml @@ -0,0 +1,30 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} +{{- if .Values.webhook.keystore.useDefaultPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: flink-operator-webhook-secret + namespace: {{ .Release.Namespace }} +type: Opaque +data: + password: cGFzc3dvcmQxMjM0 +{{- end }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/webhook/service.yaml b/helm/flink-kubernetes-operator/templates/webhook/service.yaml new file mode 100644 index 0000000000..16b676273f --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/service.yaml 
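Review bot: `cGFzc3dvcmQxMjM0` decodes to `password1234`, a credential hard-coded in the chart and, with `useDefaultPassword: true` as the shipped default, used as the PKCS12 keystore password protecting the webhook's serving key on every default install. The keystore itself lives in a Secret, so this is a publicly known weak password rather than an exposure of the key, but it is still a default credential that scanners and auditors will flag; consider defaulting `useDefaultPassword` to `false`, or generating the value with `randAlphaNum` (naive regeneration on every `helm upgrade` would change the password under a keystore cert-manager has already produced, so that needs a `lookup`-based keep-existing guard, which only works against a live cluster). At minimum, add a comment above the Secret stating that this password is public and intended only for quick-start use, e.g. `{{- /* Well-known default password (password1234) for the webhook keystore; quick-start only, set webhook.keystore.passwordSecretRef for real deployments. */ -}}`.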
@@ -0,0 +1,37 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} +apiVersion: v1 +kind: Service +metadata: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + {{- if .Values.webhook.serviceLabels }} + labels: + {{- range $key, $value := .Values.webhook.serviceLabels }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/name: {{ include "flink-operator.name" . }} +{{- end }} diff --git a/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml new file mode 100644 index 0000000000..58a6740748 --- /dev/null +++ b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml 
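Review bot: The `serviceLabels` loop renders `{{ $key }}: {{ $value }}` unquoted, so a label value that YAML types as a non-string (`true`, `1.0`, `on`) becomes a bool/float and the API server rejects the Service, since label values must be strings; use `{{ $key }}: {{ $value | quote }}` or replace the loop with `{{- toYaml .Values.webhook.serviceLabels | nindent 4 }}`. The selector matches only `app.kubernetes.io/name`, and the Service name is fixed rather than release-derived, so as far as I can tell a second release of this chart in one namespace would both collide on the name and be selected by the webhook endpoint; if one-release-per-namespace is the supported model, a comment saying so would help.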
@@ -0,0 +1,56 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ -}} + +{{- if eq (include "flink-operator.webhook-enabled" .) "true" }} +{{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert + name: flink-operator-{{ .Release.Namespace }}-webhook-configuration +webhooks: +- name: validationwebhook.flink.apache.org + admissionReviewVersions: ["v1"] + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate + failurePolicy: Fail + rules: + - apiGroups: ["flink.apache.org"] + apiVersions: ["*"] + scope: "Namespaced" + operations: + - CREATE + - UPDATE + resources: + - flinkdeployments + - flinksessionjobs + - flinkstatesnapshots + sideEffects: None + {{- if .Values.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] + {{- end }} +{{- end }} +{{- end }} 
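Review bot: With `failurePolicy: Fail` and no `timeoutSeconds`, every CREATE/UPDATE of a flinkdeployment, flinksessionjob or flinkstatesnapshot is rejected whenever the operator pod is unreachable, after the API server's default webhook timeout (10s per call, from memory). That is the correct fail-closed posture for a validator, but it is an availability coupling cluster operators should know about; a comment above `failurePolicy: Fail` noting the tradeoff, and optionally exposing `timeoutSeconds` and `failurePolicy` through values for clusters that deliberately prefer fail-open, would make it explicit. The hand-built `values: [{{- range ... }}{{ . | quote }},{{- end}}]` in `namespaceSelector` carries a trailing comma and can be replaced with `values: {{ .Values.watchNamespaces | toJson }}`.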
diff --git a/helm/flink-kubernetes-operator/values.yaml b/helm/flink-kubernetes-operator/values.yaml index 42843b8fe2..00fb5db2d7 100644 --- a/helm/flink-kubernetes-operator/values.yaml +++ b/helm/flink-kubernetes-operator/values.yaml @@ -20,14 +20,15 @@ # List of kubernetes namespaces to watch for FlinkDeployment changes, empty means all namespaces. # When enabled RBAC is only created for said namespaces, otherwise it is done for the cluster scope. -# watchNamespaces: ["flink"] +watchNamespaces: [] +# - flink image: repository: ghcr.io/apache/flink-kubernetes-operator pullPolicy: IfNotPresent tag: latest # If image digest is set then it takes precedence and the image tag will be ignored - # digest: "" + digest: "" imagePullSecrets: [] @@ -72,8 +73,8 @@ operatorPod: # configMapKeyRef: # name: "" # key: "" - # dnsPolicy: "" - # dnsConfig: {} + dnsPolicy: "" + dnsConfig: {} # Node labels and affinity for operator pod assignment # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ envFrom: @@ -153,9 +154,9 @@ webhook: # create: true keystore: useDefaultPassword: true - # passwordSecretRef: - # name: jks-password-secret - # key: password-key + passwordSecretRef: + # name: jks-password-secret + # key: password-key serviceLabels: {} defaultConfiguration:
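Review bot: In the last hunk `passwordSecretRef:` is now an uncommented key whose two children are both comments, so it parses as `null` rather than an empty map; templates that test it with `with`/`if` will skip it, but anything indexing `.passwordSecretRef.name` hits a nil value, and yamllint flags the bare key — write `passwordSecretRef: {}` with the example fields commented beneath it. The same uncommenting in the second hunk yields `dnsPolicy: ""` and `dnsConfig: {}`; that is only safe if the pod template wraps them in `with`, since an unconditional `dnsPolicy: {{ .Values.operatorPod.dnsPolicy }}` would emit an empty string the API server rejects (the pod template is not in this diff, so please confirm). In the first hunk the new `watchNamespaces: []` default deserves a sharper comment than "empty means all namespaces", e.g. `# Empty list = cluster scope: the operator gets a ClusterRole (including secrets access) across the whole cluster; list namespaces here to confine it.`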