From 33818bf7b307076f51872a9a18151c2041edb942 Mon Sep 17 00:00:00 2001 
From: Jason Witkowski Date: Fri, 3 Feb 2023 14:28:09 -0500 Subject: [PATCH] helm: Add serviceAccounts, rbac, and small fixes --- helm/druid/Chart.yaml | 2 +- helm/druid/README.md | 31 ++++++++ helm/druid/templates/broker/deployment.yaml | 8 +- helm/druid/templates/broker/role.yaml | 21 +++++ helm/druid/templates/broker/roleBinding.yaml | 20 +++++ .../templates/broker/serviceAccount.yaml | 20 +++++ .../templates/coordinator/deployment.yaml | 8 +- helm/druid/templates/coordinator/role.yaml | 21 +++++ .../templates/coordinator/roleBinding.yaml | 20 +++++ .../templates/coordinator/serviceAccount.yaml | 20 +++++ helm/druid/templates/historical/role.yaml | 21 +++++ .../templates/historical/roleBinding.yaml | 20 +++++ .../templates/historical/serviceAccount.yaml | 20 +++++ .../templates/historical/statefulset.yaml | 8 +- helm/druid/templates/middleManager/role.yaml | 21 +++++ .../templates/middleManager/roleBinding.yaml | 20 +++++ .../middleManager/serviceAccount.yaml | 20 +++++ .../templates/middleManager/statefulset.yaml | 8 +- helm/druid/templates/overlord/deployment.yaml | 8 +- helm/druid/templates/overlord/role.yaml | 27 +++++++ .../druid/templates/overlord/roleBinding.yaml | 20 +++++ .../templates/overlord/serviceAccount.yaml | 20 +++++ helm/druid/templates/router/deployment.yaml | 8 +- helm/druid/templates/router/role.yaml | 21 +++++ helm/druid/templates/router/roleBinding.yaml | 20 +++++ .../templates/router/serviceAccount.yaml | 20 +++++ helm/druid/values.yaml | 78 ++++++++++++++++++- 27 files changed, 517 insertions(+), 14 deletions(-) create mode 100644 helm/druid/templates/broker/role.yaml create mode 100644 helm/druid/templates/broker/roleBinding.yaml create mode 100644 helm/druid/templates/broker/serviceAccount.yaml create mode 100644 helm/druid/templates/coordinator/role.yaml create mode 100644 helm/druid/templates/coordinator/roleBinding.yaml create mode 100644 helm/druid/templates/coordinator/serviceAccount.yaml create mode 100644 
helm/druid/templates/historical/role.yaml create mode 100644 helm/druid/templates/historical/roleBinding.yaml create mode 100644 helm/druid/templates/historical/serviceAccount.yaml create mode 100644 helm/druid/templates/middleManager/role.yaml create mode 100644 helm/druid/templates/middleManager/roleBinding.yaml create mode 100644 helm/druid/templates/middleManager/serviceAccount.yaml create mode 100644 helm/druid/templates/overlord/role.yaml create mode 100644 helm/druid/templates/overlord/roleBinding.yaml create mode 100644 helm/druid/templates/overlord/serviceAccount.yaml create mode 100644 helm/druid/templates/router/role.yaml create mode 100644 helm/druid/templates/router/roleBinding.yaml create mode 100644 helm/druid/templates/router/serviceAccount.yaml diff --git a/helm/druid/Chart.yaml b/helm/druid/Chart.yaml index b216f52be916e..e741339317df0 100644 --- a/helm/druid/Chart.yaml +++ b/helm/druid/Chart.yaml @@ -30,7 +30,7 @@ dependencies: version: 8.6.4 repository: https://charts.helm.sh/stable condition: postgresql.enabled -version: 0.3.2 +version: 0.3.4 home: https://druid.apache.org/ icon: https://druid.apache.org/img/favicon.png sources: diff --git a/helm/druid/README.md b/helm/druid/README.md index 1d985f9226474..dcde3da8f72cb 100644 --- a/helm/druid/README.md +++ b/helm/druid/README.md 
@@ -96,10 +96,16 @@ The following table lists the configurable parameters of the Druid chart and the | `configVars` | druid configuration variables for all components | `` | | `gCloudStorage.enabled` | look for secret to set google cloud credentials | `false` | | `gCloudStorage.secretName` | secretName to be mounted as google cloud credentials | `false` | +| `rbac.create` | Create roles and roleBindings for service Accounts | `true` | | `broker.enabled` | enable broker | `true` | | `broker.name` | broker component name | `broker` | | `broker.replicaCount` | broker node replicas (deployment) | `1` | | `broker.port` | port of broker component | `8082` | +| `broker.serviceAccount.create` | Create a service account for broker service | `true` | +| `broker.serviceAccount.name` | Service account name | `true` | +| `broker.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `broker.serviceAccount.labels` | Labels applied to created service account | `true` | +| `broker.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `broker.serviceType` | service type for service | `ClusterIP` | | `broker.resources` | broker node resources requests & limits | `{}` | | `broker.podAnnotations` | broker deployment annotations | `{}` | 
@@ -117,6 +123,11 @@ The following table lists the configurable parameters of the Druid chart and the | `coordinator.replicaCount` | coordinator node replicas (deployment) | `1` | | `coordinator.port` | port of coordinator component | `8081` | | `coordinator.serviceType` | service type for service | `ClusterIP` | +| `coordinator.serviceAccount.create` | Create a service account for coordinator service | `true` | +| `coordinator.serviceAccount.name` | Service account name | `true` | +| `coordinator.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `coordinator.serviceAccount.labels` | Labels applied to created service account | `true` | +| `coordinator.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `coordinator.resources` | coordinator node resources requests & limits | `{}` | | `coordinator.podAnnotations` | coordinator Deployment annotations | `{}` | | `coordinator.nodeSelector` | node labels for coordinator pod assignment | `{}` | 
@@ -133,6 +144,11 @@ The following table lists the configurable parameters of the Druid chart and the | `overlord.replicaCount` | overlord node replicas (deployment) | `1` | | `overlord.port` | port of overlord component | `8081` | | `overlord.serviceType` | service type for service | `ClusterIP` | +| `overlord.serviceAccount.create` | Create a service account for overlord service | `true` | +| `overlord.serviceAccount.name` | Service account name | `true` | +| `overlord.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `overlord.serviceAccount.labels` | Labels applied to created service account | `true` | +| `overlord.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `overlord.resources` | overlord node resources requests & limits | `{}` | | `overlord.podAnnotations` | overlord Deployment annotations | `{}` | | `overlord.nodeSelector` | node labels for overlord pod assignment | `{}` | 
@@ -149,6 +165,11 @@ The following table lists the configurable parameters of the Druid chart and the | `historical.replicaCount` | historical node replicas (statefulset) | `1` | | `historical.port` | port of historical component | `8083` | | `historical.serviceType` | service type for service | `ClusterIP` | +| `historical.serviceAccount.create` | Create a service account for historical service | `true` | +| `historical.serviceAccount.name` | Service account name | `true` | +| `historical.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `historical.serviceAccount.labels` | Labels applied to created service account | `true` | +| `historical.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `historical.resources` | historical node resources requests & limits | `{}` | | `historical.livenessProbeInitialDelaySeconds` | historical node liveness probe initial delay in seconds | `60` | | `historical.readinessProbeInitialDelaySeconds` | historical node readiness probe initial delay in seconds | `60` | 
@@ -173,6 +194,11 @@ The following table lists the configurable parameters of the Druid chart and the | `middleManager.replicaCount` | middleManager node replicas (statefulset) | `1` | | `middleManager.port` | port of middleManager component | `8091` | | `middleManager.serviceType` | service type for service | `ClusterIP` | +| `middleManager.serviceAccount.create` | Create a service account for middleManager service | `true` | +| `middleManager.serviceAccount.name` | Service account name | `true` | +| `middleManager.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `middleManager.serviceAccount.labels` | Labels applied to created service account | `true` | +| `middleManager.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `middleManager.resources` | middleManager node resources requests & limits | `{}` | | `middleManager.podAnnotations` | middleManager Deployment annotations | `{}` | | `middleManager.nodeSelector` | Node labels for middleManager pod assignment | `{}` | 
@@ -199,6 +225,11 @@ The following table lists the configurable parameters of the Druid chart and the | `router.replicaCount` | router node replicas (deployment) | `1` | | `router.port` | port of router component | `8888` | | `router.serviceType` | service type for service | `ClusterIP` | +| `router.serviceAccount.create` | Create a service account for router service | `true` | +| `router.serviceAccount.name` | Service account name | `true` | +| `router.serviceAccount.annotations` | Annotations applied to created service account | `true` | +| `router.serviceAccount.labels` | Labels applied to created service account | `true` | +| `router.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | | `router.resources` | router node resources requests & limits | `{}` | | `router.podAnnotations` | router Deployment annotations | `{}` | | `router.nodeSelector` | node labels for router pod assignment | `{}` | diff --git a/helm/druid/templates/broker/deployment.yaml b/helm/druid/templates/broker/deployment.yaml index d320cf1cbf4b8..be9ae56da34b0 100644 --- a/helm/druid/templates/broker/deployment.yaml +++ b/helm/druid/templates/broker/deployment.yaml @@ -41,11 +41,15 @@ spec: app: {{ include "druid.name" . }} release: {{ .Release.Name }} component: {{ .Values.broker.name }} - {{- with .Values.broker.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.broker.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.broker.serviceAccount.create }} + serviceAccountName: "{{ .Values.broker.serviceAccount.name }}" + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/helm/druid/templates/broker/role.yaml b/helm/druid/templates/broker/role.yaml new file mode 100644 index 0000000000000..b3d97f7641894 --- /dev/null +++ b/helm/druid/templates/broker/role.yaml 
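Review bot: `serviceAccountName` is emitted only when `broker.serviceAccount.create` is true, so setting `create: false` to reuse an existing account drops the field and the pod silently runs under the namespace's default ServiceAccount instead of the one named in values. Keying the block on the name, `{{- with .Values.broker.serviceAccount.name }}` followed by `serviceAccountName: {{ . | quote }}`, keeps the pod and the RoleBinding subject pointing at the same account and makes a missing account fail visibly. The same gating is used in the coordinator, overlord and router deployments and in the historical and middleManager statefulsets. The pod spec continues outside this hunk.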
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/broker/roleBinding.yaml b/helm/druid/templates/broker/roleBinding.yaml
new file mode 100644
index 0000000000000..628fbd4d62fd6
--- /dev/null
+++ b/helm/druid/templates/broker/roleBinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.broker.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.broker.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/broker/serviceAccount.yaml b/helm/druid/templates/broker/serviceAccount.yaml
new file mode 100644
index 0000000000000..d62cf39df75c8
--- /dev/null
+++ b/helm/druid/templates/broker/serviceAccount.yaml
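Review bot: The rule in broker/role.yaml grants `'*'` on `pods` and `configmaps`, which includes create, delete and deletecollection; an identity allowed to create pods in a namespace can generally run workloads under any ServiceAccount there and mount its Secrets, so this is much broader than a query broker should hold. List explicit verbs per resource instead; the set below is a starting point to confirm against what the Kubernetes extension actually calls. The identical wildcard rule is repeated in the coordinator, historical, middleManager and router roles, and the overlord role additionally grants `'*'` on `jobs` in `batch`.

```yaml
rules:
  # verb lists are a proposal; confirm against the extension before merging
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
```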
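Review bot: The RoleBinding in broker/roleBinding.yaml is rendered whenever `rbac.create` is true, without checking `broker.enabled` or `broker.serviceAccount.create`, so its subject can name a ServiceAccount this chart never creates. Any account later created with that name in the release namespace would pick up the role. Gate it on the component as well, `{{- if and .Values.rbac.create .Values.broker.enabled }}`, and use the same condition in role.yaml; the coordinator, historical, middleManager, overlord and router bindings have the same shape.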
@@ -0,0 +1,20 @@ +{{- if .Values.broker.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.broker.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ .Values.broker.serviceAccount.name }} + {{- with .Values.broker.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "druid.name" . }} + chart: {{ include "druid.chart" . }} + component: {{ .Values.broker.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.broker.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/druid/templates/coordinator/deployment.yaml b/helm/druid/templates/coordinator/deployment.yaml index fc26757ef22f0..a49a3eac63f53 100644 --- a/helm/druid/templates/coordinator/deployment.yaml +++ b/helm/druid/templates/coordinator/deployment.yaml @@ -41,11 +41,15 @@ spec: app: {{ include "druid.name" . }} release: {{ .Release.Name }} component: {{ .Values.coordinator.name }} - {{- with .Values.coordinator.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.coordinator.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.coordinator.serviceAccount.create }} + serviceAccountName: "{{ .Values.coordinator.serviceAccount.name }}" + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/helm/druid/templates/coordinator/role.yaml b/helm/druid/templates/coordinator/role.yaml new file mode 100644 index 0000000000000..cf759e1104452 --- /dev/null +++ b/helm/druid/templates/coordinator/role.yaml 
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/coordinator/roleBinding.yaml b/helm/druid/templates/coordinator/roleBinding.yaml
new file mode 100644
index 0000000000000..acf45a7532e96
--- /dev/null
+++ b/helm/druid/templates/coordinator/roleBinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.coordinator.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.coordinator.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/coordinator/serviceAccount.yaml b/helm/druid/templates/coordinator/serviceAccount.yaml
new file mode 100644
index 0000000000000..f569ff72c3e5e
--- /dev/null
+++ b/helm/druid/templates/coordinator/serviceAccount.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.coordinator.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.coordinator.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ .Values.coordinator.serviceAccount.name }}
+ {{- with .Values.coordinator.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.coordinator.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/role.yaml b/helm/druid/templates/historical/role.yaml
new file mode 100644
index 0000000000000..b539c5ce5c9f8
--- /dev/null
+++ b/helm/druid/templates/historical/role.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/historical/roleBinding.yaml b/helm/druid/templates/historical/roleBinding.yaml
new file mode 100644
index 0000000000000..1bc46a52e5492
--- /dev/null
+++ b/helm/druid/templates/historical/roleBinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.historical.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.historical.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/historical/serviceAccount.yaml b/helm/druid/templates/historical/serviceAccount.yaml
new file mode 100644
index 0000000000000..4fe3f1aec462f
--- /dev/null
+++ b/helm/druid/templates/historical/serviceAccount.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.historical.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.historical.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ .Values.historical.serviceAccount.name }}
+ {{- with .Values.historical.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.historical.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/statefulset.yaml b/helm/druid/templates/historical/statefulset.yaml
index 1a575ac7202da..1ac4fb2ea0bf4 100644
--- a/helm/druid/templates/historical/statefulset.yaml
+++ b/helm/druid/templates/historical/statefulset.yaml
@@ -42,9 +42,10 @@ spec: app: {{ template "druid.name" . }} component: {{ .Values.historical.name }} release: {{ .Release.Name }} - {{- with .Values.historical.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.historical.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} spec: {{- if or .Values.historical.antiAffinity .Values.historical.nodeAffinity }} @@ -91,6 +92,9 @@ spec: imagePullSecrets: {{ toYaml .Values.image.pullSecrets | indent 8 }} {{- end }} + {{- if .Values.historical.serviceAccount.create }} + serviceAccountName: "{{ .Values.historical.serviceAccount.name }}" + {{- end }} containers: - name: druid args: [ "historical" ] diff --git a/helm/druid/templates/middleManager/role.yaml b/helm/druid/templates/middleManager/role.yaml new file mode 100644 index 0000000000000..d5f72bc959d5c --- /dev/null +++ b/helm/druid/templates/middleManager/role.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "druid.middleManager.fullname" . }} + labels: + app: {{ include "druid.name" . }} + chart: {{ include "druid.chart" . }} + component: {{ .Values.middleManager.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - "" + resources: + - pods + - configmaps + verbs: + - '*' +{{- end }} + diff --git a/helm/druid/templates/middleManager/roleBinding.yaml b/helm/druid/templates/middleManager/roleBinding.yaml new file mode 100644 index 0000000000000..e006e991a0a93 --- /dev/null +++ b/helm/druid/templates/middleManager/roleBinding.yaml 
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.middleManager.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.middleManager.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.middleManager.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/middleManager/serviceAccount.yaml b/helm/druid/templates/middleManager/serviceAccount.yaml
new file mode 100644
index 0000000000000..b9c72902b0b3a
--- /dev/null
+++ b/helm/druid/templates/middleManager/serviceAccount.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.middleManager.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.middleManager.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ .Values.middleManager.serviceAccount.name }}
+ {{- with .Values.middleManager.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.middleManager.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/middleManager/statefulset.yaml b/helm/druid/templates/middleManager/statefulset.yaml
index 827ed561fe0de..3838ca58c00c1 100644
--- a/helm/druid/templates/middleManager/statefulset.yaml
+++ b/helm/druid/templates/middleManager/statefulset.yaml
@@ -42,9 +42,10 @@ spec: app: {{ template "druid.name" . }} component: {{ .Values.middleManager.name }} release: {{ .Release.Name }} - {{- if .Values.middleManager.podAnnotations }} annotations: -{{ toYaml .Values.middleManager.podAnnotations | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.middleManager.podAnnotations }} + {{- toYaml .Values.middleManager.podAnnotations | nindent 8 }} {{- end }} spec: {{- if or .Values.middleManager.antiAffinity .Values.middleManager.nodeAffinity }} @@ -91,6 +92,9 @@ spec: imagePullSecrets: {{ toYaml .Values.image.pullSecrets | indent 8 }} {{- end }} + {{- if .Values.middleManager.serviceAccount.create }} + serviceAccountName: "{{ .Values.middleManager.serviceAccount.name }}" + {{- end }} containers: - name: druid args: [ "middleManager" ] diff --git a/helm/druid/templates/overlord/deployment.yaml b/helm/druid/templates/overlord/deployment.yaml index 8eebbe2b3ac2a..0a957bb764482 100644 --- a/helm/druid/templates/overlord/deployment.yaml +++ b/helm/druid/templates/overlord/deployment.yaml @@ -41,11 +41,15 @@ spec: app: {{ include "druid.name" . }} release: {{ .Release.Name }} component: {{ .Values.overlord.name }} - {{- with .Values.overlord.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.overlord.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.overlord.serviceAccount.create }} + serviceAccountName: "{{ .Values.overlord.serviceAccount.name }}" + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/helm/druid/templates/overlord/role.yaml b/helm/druid/templates/overlord/role.yaml new file mode 100644 index 0000000000000..d28b45b3afba9 --- /dev/null +++ b/helm/druid/templates/overlord/role.yaml 
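Review bot: Inside `{{- with .Values.middleManager.podAnnotations }}` in the middleManager statefulset the dot is rebound to the annotations map, so `.Values.middleManager.podAnnotations` on the following line no longer resolves against the chart root and rendering is expected to fail as soon as `middleManager.podAnnotations` is non-empty. Use `{{- toYaml . | nindent 8 }}` as the other five templates in this patch do. The default `podAnnotations: {}` skips the `with` body, which is probably why a default install does not show it.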
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/overlord/roleBinding.yaml b/helm/druid/templates/overlord/roleBinding.yaml
new file mode 100644
index 0000000000000..e6cb2adba7ee8
--- /dev/null
+++ b/helm/druid/templates/overlord/roleBinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.overlord.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.overlord.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/overlord/serviceAccount.yaml b/helm/druid/templates/overlord/serviceAccount.yaml
new file mode 100644
index 0000000000000..e1ac047412566
--- /dev/null
+++ b/helm/druid/templates/overlord/serviceAccount.yaml
@@ -0,0 +1,20 @@ +{{- if .Values.overlord.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.overlord.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ .Values.overlord.serviceAccount.name }} + {{- with .Values.overlord.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "druid.name" . }} + chart: {{ include "druid.chart" . }} + component: {{ .Values.overlord.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.overlord.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/druid/templates/router/deployment.yaml b/helm/druid/templates/router/deployment.yaml index 31e2728582863..2b480d308478f 100644 --- a/helm/druid/templates/router/deployment.yaml +++ b/helm/druid/templates/router/deployment.yaml @@ -41,11 +41,15 @@ spec: app: {{ include "druid.name" . }} release: {{ .Release.Name }} component: {{ .Values.router.name }} - {{- with .Values.router.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} + druid.k8s.enablePatching: "true" + {{- with .Values.router.podAnnotations }} + {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.router.serviceAccount.create }} + serviceAccountName: "{{ .Values.router.serviceAccount.name }}" + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/helm/druid/templates/router/role.yaml b/helm/druid/templates/router/role.yaml new file mode 100644 index 0000000000000..67bf5599bd055 --- /dev/null +++ b/helm/druid/templates/router/role.yaml 
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/router/roleBinding.yaml b/helm/druid/templates/router/roleBinding.yaml
new file mode 100644
index 0000000000000..f0a67256e2c64
--- /dev/null
+++ b/helm/druid/templates/router/roleBinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.router.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.router.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/router/serviceAccount.yaml b/helm/druid/templates/router/serviceAccount.yaml
new file mode 100644
index 0000000000000..3cfba223be60a
--- /dev/null
+++ b/helm/druid/templates/router/serviceAccount.yaml
@@ -0,0 +1,20 @@ +{{- if .Values.router.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.router.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ .Values.router.serviceAccount.name }} + {{- with .Values.router.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "druid.name" . }} + chart: {{ include "druid.chart" . }} + component: {{ .Values.router.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.router.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/druid/values.yaml b/helm/druid/values.yaml index 000cfbf61a585..b794d8b045da8 100644 --- a/helm/druid/values.yaml +++ b/helm/druid/values.yaml @@ -26,6 +26,10 @@ configMap: ## enabled: true +# Required if using kubernetes extensions which modify resources like 'druid-kubernetes-extensions' or 'druid-kubernetes-overlord-extensions' +rbac: + create: true + ## Define the key value pairs in the configmap configVars: ## DRUID env vars. ref: https://github.com/apache/druid/blob/master/distribution/docker/druid.sh#L29 @@ -91,6 +95,18 @@ broker: # cpu: 250m # memory: 512Mi + serviceAccount: + # -- Create a service account for the broker + create: true + # -- Service Account name + name: druid-broker + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + nodeSelector: {} tolerations: [] 
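Review bot: `rbac.create` defaults to `true` in values.yaml although the comment above it says the roles are required only when the Kubernetes extensions are used, so every install gets the Role and RoleBinding objects whether or not those extensions are loaded. Combined with `automountServiceAccountToken: true` in the per-component blocks, each pod carries a token that can exercise them. Defaulting to `create: false` and having users opt in together with the extension keeps a default install at least privilege.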
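Review bot: The default `name: druid-broker` is a fixed string, while the Role and RoleBinding are named with the `druid.broker.fullname` helper; if that helper includes the release name (its definition is not visible here), two releases in one namespace would both claim ServiceAccount `druid-broker`, and the second release's binding would point at the first release's account. Consider defaulting the value to `name: ""` and having the templates fall back to the helper, e.g. `{{ default (include "druid.broker.fullname" .) .Values.broker.serviceAccount.name }}`. The same applies to `druid-coordinator`, `druid-overlord`, `druid-historical`, `druid-middlemanager` and `druid-router` in the later hunks.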
@@ -134,6 +150,18 @@ coordinator: # cpu: 250m # memory: 512Mi + serviceAccount: + # -- Create a service account for the coordinator + create: true + # -- Service Account name + name: druid-coordinator + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + nodeSelector: {} tolerations: [] @@ -168,6 +196,18 @@ overlord: resources: {} + serviceAccount: + # -- Create a service account for the overlord + create: true + # -- Service Account name + name: druid-overlord + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + nodeSelector: {} tolerations: [] @@ -193,7 +233,7 @@ historical: druid_processing_numMergeBuffers: 2 druid_processing_numThreads: 1 # druid_monitoring_monitors: '["org.apache.druid.client.cache.CacheMonitor", "org.apache.druid.server.metrics.HistoricalMetricsMonitor", "org.apache.druid.server.metrics.QueryCountStatsMonitor"]' - # druid_segmentCache_locations: '[{"path":"/var/druid/segment-cache","maxSize":300000000000}]' + # druid_segmentCache_locations: '[{"path":"/opt/druid/var/druid/segment-cache","maxSize":300000000000}]' ingress: enabled: false @@ -233,6 +273,18 @@ historical: # cpu: 500m # memory: 512Mi + serviceAccount: + # -- Create a service account for the overlord + create: true + # -- Service Account name + name: druid-historical + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + livenessProbeInitialDelaySeconds: 60 readinessProbeInitialDelaySeconds: 60 
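Review bot: The comment `# -- Create a service account for the overlord` under `historical.serviceAccount` was copied from the overlord block and should read `# -- Create a service account for the historical`. The middleManager and router blocks in the following hunks carry the same copied comment and need the matching component name.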
@@ -318,6 +370,18 @@ middleManager: # cpu: 250m # memory: 256Mi + serviceAccount: + # -- Create a service account for the overlord + create: true + # -- Service Account name + name: druid-middlemanager + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + ## (dict) If specified, apply these annotations to each master Pod podAnnotations: {} @@ -364,6 +428,18 @@ router: # cpu: 100m # memory: 128Mi + serviceAccount: + # -- Create a service account for the overlord + create: true + # -- Service Account name + name: druid-router + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the service account + automountServiceAccountToken: true + nodeSelector: {} tolerations: []