#403 pipeline-invocation-service java17 upgrade
csun-cpointe committed Oct 16, 2024
1 parent f8378e3 commit be7abcb
Showing 25 changed files with 216 additions and 4,514 deletions.
17 changes: 17 additions & 0 deletions DRAFT_RELEASE_NOTES.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,25 @@ To start your aiSSEMBLE upgrade, update your project's pom.xml to use the 1.10.0
</parent>
```

### Split Data Records for the Spark Pipeline
If your spark pipeline is using `aissemble-data-records-separate-module` profile for your data records, you must add the `<version>` tag for
the `jackson-mapper-asl` dependency artifact in the root pom.xml file to enable the build.
```xml
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
+ <version>${version.jackson.mapper.asl}</version>
</dependency>
```


## Conditional Steps

### Spark Operator Chart
The service account for pipeline invocation service is separated from spark operator. It's now configured solely for the pipeline invocation chart.
If you have custom configuration for the `spark-operator`, you will need to migrate the related changes to the `pipeline-invocation-service`.
Refer to Pipeline Invocation Helm Chart [README](https://github.com/boozallen/aissemble/blob/dev/extensions/extensions-helm/extensions-helm-pipeline-invocation/aissemble-pipeline-invocation-app-chart/README.md) for detail.

## Final Steps - Required for All Projects
### Finalizing the Upgrade
1. Run `./mvnw org.technologybrewery.baton:baton-maven-plugin:baton-migrate` to apply the automatic migrations
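Review bot: The new "Spark Operator Chart" step tells users to migrate "custom configuration" without naming the keys that moved. Spell them out: an override previously set at `aissemble-spark-operator-chart.rbac.createClusterRole` now belongs under the pipeline invocation chart's `rbac.createClusterRole`, and the service's account changes from `sparkoperator` to `pipeline-invocation-service`, so any binding or policy that referenced the old account by name has to be updated too. The README link also points at the `dev` branch, which will drift away from the 1.10.0 content these notes describe.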
1 change: 1 addition & 0 deletions build-parent/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@
<version.awaitility>4.0.3</version.awaitility>
<version.plexus.util>3.5.1</version.plexus.util>
<version.jackson.mapper.asl>1.9.3</version.jackson.mapper.asl>
<version.exec.maven.plugin>3.4.1</version.exec.maven.plugin>

<!-- Java EE Dependencies -->
<version.jakarta.cdi>4.0.1</version.jakarta.cdi>
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM registry.access.redhat.com/ubi9/openjdk-11-runtime:1.20 AS builder
FROM registry.access.redhat.com/ubi9/openjdk-17-runtime:1.20 AS builder
USER root
RUN microdnf install -y openssl gzip && \
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
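Review bot: The new `FROM` line keeps the mutable tag `1.20` that was carried over from the openjdk-11 image; confirm that tag is the intended one for `openjdk-17-runtime` and consider pinning the image by digest so the builder stage is reproducible. While this stage is being touched, the context line that pipes `get-helm-3` from Helm's `main` branch into `bash` runs as root with no version or checksum; downloading a specific Helm release and verifying its checksum would remove the dependency on whatever `main` serves at build time.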

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -50,20 +50,6 @@ aissemble-spark-operator-chart:
| serviceAccounts.sparkoperator.name | Name for the spark service account | No | sparkoperator |
| podSecurityContext | Pod security context | No | runAsUser: 185<br/>runAsGroup: 1000<br/>fsGroup: 1000<br/>fsGroupChangePolicy: "OnRootMismatch" |

## Migrated Properties
The following properties have been migrated from the `spark-operator` subchart to the `aissemble-spark-operator-chart` chart.
Any required overrides should be cognisant of the alternate path. For example:

```yaml
aissemble-spark-operator-chart:
rbac:
createClusterRole: false
```

| Property | Description | Default |
|------------------------|-------------------------------------------------------------------------------|---------|
| rbac.createClusterRole | Create and use RBAC `ClusterRole` resources. Migrated to use modified rules. | true |

# Shared Ivy Cache

Spark uses [Ivy](https://ant.apache.org/ivy/) to resolve and download dependencies for Spark applications. By default,
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,6 @@ spark-operator:
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"

rbac:
# -- Create and use RBAC `ClusterRole` resources
# -- Set to false in order to enable overriding with our own RBAC template
createClusterRole: false

# volumes - Operator volumes
volumes:
- name: spark-logging
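Review bot: Removing `spark-operator.rbac.createClusterRole: false` leaves the subchart's own default to decide whether it creates a ClusterRole, and the removed comment says the flag was there so the aiSSEMBLE template could replace the upstream rules. Confirm the operator still gets the permissions it needs from the upstream role alone, and note that in the chart README, since the modified rules are now bound to a different service account.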
Expand All @@ -61,8 +55,4 @@ spark-operator:

sparkoperator:
# -- Optional name for the operator service account
name: "sparkoperator"

rbac:
# -- Set to True in order to enable overriding with our own RBAC template
createClusterRole: True
name: "sparkoperator"
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,18 @@ helm install pipeline-invocation-service oci://ghcr.io/boozallen/aissemble-pipel
**Note**: *the version should match the aiSSEMBLE project version.*

# Properties
| Property | Description | Required Override | Default |
|------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------|
| ingress.apiVersion | k8s API version to use | No | networking.k8s.io/v1 |
| ingress.enabled | k8s Whether to enable ingress | No | false |
| ingress.kind | Type of kubernetes entity | No | Ingress |
| ingress.metadata.name | Name of the ingress | No | pipeline-invocation-service-web |
| ingress.metadata.annotations.kubernetes.io/ingress.class | Ingress class name | No | nginx |
| ingress.metadata.annotations.ingress.metadata.annotations.nginx.ingress.kubernetes.io/server-snippet | Custom configurations for the nginx ingress class | No | gunzip on; gzip on; gzip_proxied any; gzip_types *; |
| ingress.spec.rules.hosts | A list of hosts for ingress to support, each with their own path definition | No | |
| ingress.status | Load balancer IP if required | No | None |
| Property | Description | Required Override | Default |
|------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------|
| ingress.apiVersion | k8s API version to use | No | networking.k8s.io/v1 |
| ingress.enabled | k8s Whether to enable ingress | No | false |
| ingress.kind | Type of kubernetes entity | No | Ingress |
| ingress.metadata.name | Name of the ingress | No | pipeline-invocation-service-web |
| ingress.metadata.annotations.kubernetes.io/ingress.class | Ingress class name | No | nginx |
| ingress.metadata.annotations.ingress.metadata.annotations.nginx.ingress.kubernetes.io/server-snippet | Custom configurations for the nginx ingress class | No | gunzip on; gzip on; gzip_proxied any; gzip_types *; |
| ingress.spec.rules.hosts | A list of hosts for ingress to support, each with their own path definition | No | |
| ingress.status | Load balancer IP if required | No | None |
| rbac.createClusterRole | Create and use RBAC `ClusterRole` resources. | No | true |
| rbac.serviceAccountName | The service account name used for the RBAC. This value must be the same as the `deployment.serviceAccountName` | No | pipeline-ivocation-service |

# Quarkus Configuration
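Review bot: The default for `rbac.serviceAccountName` in the new table row is spelled `pipeline-ivocation-service`, while values.yaml and the template default use `pipeline-invocation-service`. The same row refers to `deployment.serviceAccountName`, but the value that has to match is `aissemble-quarkus-chart.deployment.serviceAccountName`; give the full path so readers override the right key.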

Expand All @@ -30,3 +32,15 @@ The following configuration of the service is provided. Additional configuratio
|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| kafka.bootstrap.servers | Specifies the kafka bootstrap server when using kafka for messaging | Any valid URI |
| mp.messaging.incoming.pipeline-invocation.* | Specifies and configures the smallrye connector to use. Supported connectors are `smallrye-amqp`, `smallrye-kafka`, `smallrye-mqtt`, and `smallrye-rabbitmq` | See xref:messaging-details.adoc[the Messaging documentation] for more details |


## Migrated Properties
The service account for pipeline invocation service is separated from spark operator. It's now configured solely for the pipeline invocation chart.

The following properties have been migrated from the `aissemble-spark-operator-chart` chart to the `aissemble-pipeline-invocation-app-chart` chart.
| Property | Description | Default |
|-------------------------|-------------------------------------------------------------------------------|----------------------------|
| rbac.createClusterRole | Create and use RBAC `ClusterRole` resources. | true |
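Review bot: The Migrated Properties table starts on the line directly after the sentence that introduces it; without a blank line between them many Markdown renderers will not draw the table. This section should also state that the service's default account changes from `sparkoperator` to `pipeline-invocation-service`, since that is the part of the migration that affects existing bindings.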



Empty file.
Original file line number Diff line number Diff line change
@@ -1,24 +1,28 @@
{{- /*
aiSSEMBLE Custom rbac.yaml

Required custom rbac.yaml file that grants the sparkoperator service account
Required custom rbac.yaml file that grants the pipeline-invocation-service service account
create, delete, and update access to the apigroup apiextensions.k8s.io.

This is necessary for the pipeline-invocation-service to create instances of the
SparkApplication CRD to submit pipelines to the Spark Operator for execution.
*/}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.rbac.serviceAccountName | default "pipeline-invocation-service" }}

---

{{- if or .Values.rbac.create .Values.rbac.createClusterRole }}
{{ if .Values.rbac.createClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
name: {{ .Values.rbac.serviceAccountName | default "pipeline-invocation-service" }}-clusterrole
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-delete-policy": hook-failed, before-hook-creation
"helm.sh/hook-weight": "-10"
labels:
{{- include "spark-operator.labels" (index .Subcharts "spark-operator") | nindent 4 }}
rules:
- apiGroups:
- ""
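Review bot: The ClusterRole name is now `<serviceAccountName>-clusterrole` with no release or namespace component, and ClusterRoles are cluster-scoped, so two installs in different namespaces with default values will both try to own `pipeline-invocation-service-clusterrole`. Consider adding `.Release.Name` or `.Release.Namespace` to the name. The `labels` block was also dropped without a replacement, which makes these objects harder to select and audit, and the header comment describes "create, delete, and update" on `apiextensions.k8s.io` as if that were the same thing as creating SparkApplication instances; it should describe what the role actually grants.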
Expand All @@ -34,6 +38,7 @@ rules:
- configmaps
- secrets
verbs:
- list
- create
- get
- delete
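Review bot: Adding `list` to the rule that covers `configmaps` and `secrets` in a ClusterRole lets this service account read every Secret in every namespace, because a list response includes the secret data. If the service only needs objects in its own namespace, move this rule into a namespaced Role bound in `.Release.Namespace`; otherwise document why cluster-wide listing is required.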
Expand Down Expand Up @@ -75,6 +80,7 @@ rules:
resources:
- customresourcedefinitions
verbs:
- create
- get
- apiGroups:
- admissionregistration.k8s.io
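Review bot: `create` on `customresourcedefinitions` lets this account install new CRDs cluster-wide. The purpose stated in the header comment, creating instances of the SparkApplication CRD, needs verbs on the custom resource itself, not on `customresourcedefinitions`. Unless the service really installs CRDs at runtime, leave this rule at `get`.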
Expand All @@ -97,7 +103,6 @@ rules:
- scheduledsparkapplications/finalizers
verbs:
- "*"
{{- if .Values.batchScheduler.enable }}
# required for the `volcano` batch scheduler
- apiGroups:
- scheduling.incubator.k8s.io
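Review bot: Dropping the `batchScheduler.enable` guard makes the volcano `podgroups` rule with verbs `"*"` unconditional, so every install grants it whether or not that scheduler is in use. Keep the rule behind a value in this chart that defaults to off, so the default role carries only what the service uses.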
Expand All @@ -107,34 +112,29 @@ rules:
- podgroups
verbs:
- "*"
{{- end }}
{{ if .Values.webhook.enable }}
- apiGroups:
- batch
resources:
- jobs
verbs:
- delete
{{- end }}

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
name: {{ .Values.rbac.serviceAccountName | default "pipeline-invocation-service" }}-clusterrole-binding
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-delete-policy": hook-failed, before-hook-creation
"helm.sh/hook-weight": "-10"
labels:
{{- include "spark-operator.labels" (index .Subcharts "spark-operator") | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "spark-operator.serviceAccountName" (index .Subcharts "spark-operator") }}
name: {{ .Values.rbac.serviceAccountName | default "pipeline-invocation-service" }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
name: {{ .Values.rbac.serviceAccountName | default "pipeline-invocation-service" }}-clusterrole
apiGroup: rbac.authorization.k8s.io
{{- end }}
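Review bot: `delete` on `batch` `jobs` was previously granted only when `webhook.enable` was set and is now always part of the role. That guard came from the operator's configuration; check whether the invocation service deletes Jobs at all and drop the rule if it does not. Because the binding is a ClusterRoleBinding, everything in this role applies in all namespaces; a RoleBinding in `.Release.Namespace` would be enough if pipelines are only submitted there.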
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
suite: Pipeline Invocation Service RBAC
templates:
- rbac.yaml
tests:
- it: Should contain ServiceAccount document
documentIndex: 0
asserts:
- containsDocument:
kind: ServiceAccount
apiVersion: v1
- it: Should contain ClusterRole document
documentIndex: 1
asserts:
- containsDocument:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
- it: Should contain ClusterRoleBinding document
documentIndex: 2
asserts:
- containsDocument:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
- it: Should be 3 documents in total
asserts:
- hasDocuments:
count: 3
- it: Still contains service account if options are disabled
set:
rbac:
createClusterRole: false
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
- it: ServiceAccount should include appropriate default values
documentIndex: 0
asserts:
- equal:
path: metadata.name
value: pipeline-invocation-service
- it: ClusterRole should include appropriate default values
documentIndex: 1
asserts:
- equal:
path: metadata.name
value: pipeline-invocation-service-clusterrole
- it: ClusterRoleBinding should include appropriate default values
documentIndex: 2
release:
namespace: default
asserts:
- equal:
path: metadata.name
value: pipeline-invocation-service-clusterrole-binding
- contains:
path: subjects
content:
kind: ServiceAccount
name: pipeline-invocation-service
namespace: default
- equal:
path: roleRef.kind
value: ClusterRole
- equal:
path: roleRef.name
value: pipeline-invocation-service-clusterrole
- equal:
path: roleRef.apiGroup
value: rbac.authorization.k8s.io
- it: Should set values appropriately for the service account
set:
rbac:
serviceAccountName: test
documentIndex: 0
asserts:
- equal:
path: metadata.name
value: test
- it: Should set values appropriately for the cluster role binding
set:
rbac:
serviceAccountName: test
release:
namespace: default
documentIndex: 2
asserts:
- contains:
path: subjects
content:
kind: ServiceAccount
name: test
namespace: default
- equal:
path: metadata.name
value: test-clusterrole-binding
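Review bot: The suite checks document counts, names and the binding's subject, but nothing asserts on `rules`, so a verb added to or removed from the ClusterRole would pass unnoticed. Add `contains` assertions on `rules` for document 1 that cover the sensitive entries (`secrets`, `customresourcedefinitions`), and extend the `serviceAccountName: test` cases to check that the ClusterRole's `metadata.name` and the binding's `roleRef.name` follow the override.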
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ aissemble-quarkus-chart:
containerPort: 9000
protocol: TCP
restartPolicy: Always
serviceAccountName: sparkoperator
serviceAccountName: pipeline-invocation-service
automountServiceAccountToken: true

supplementalVolumeMounts:
Expand Down Expand Up @@ -60,3 +60,8 @@ aissemble-quarkus-chart:
name: pipeline-invocation-service
port:
number: 8080
rbac:
createClusterRole: true
# Note: the if the rbac.serviceAccountName is changed, the aissemble-quarkus-chart.deployment.serviceAccountName
# needs to be changed to match the value
serviceAccountName: pipeline-invocation-service
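Review bot: `rbac.serviceAccountName` and `aissemble-quarkus-chart.deployment.serviceAccountName` have to be kept equal by hand, as the new comment says, and nothing fails at render time if they drift: the deployment would then reference an account that this chart neither creates nor binds. Consider a `fail` check in the template when the two values differ. The comment also reads "the if the"; drop the first "the".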
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>3.1.0</version>
<version>${version.exec.maven.plugin}</version>
<executions>
<execution>
<id>run tests</id>
3 changes: 1 addition & 2 deletions extensions/extensions-helm/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>3.1.0</version>
<version>${version.exec.maven.plugin}</version>
<executions>
<execution>
<id>run tests</id>
Expand Down Expand Up @@ -250,7 +250,6 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<id>run tests</id>
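Review bot: In this third `exec-maven-plugin` declaration the `<version>` element is removed outright, while the other two declarations in the commit switch to `${version.exec.maven.plugin}`. Unless the version is supplied by a `pluginManagement` entry, set the property here as well so all three declarations resolve to the same plugin version.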