Posted to commits@druid.apache.org by ab...@apache.org on 2023/02/23 06:12:12 UTC
[druid] branch master updated: helm: Add serviceAccounts, rbac, and small fixes (#13747)
This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new f7a5fcf30f helm: Add serviceAccounts, rbac, and small fixes (#13747)
f7a5fcf30f is described below
commit f7a5fcf30fffb0ecce52130e6bf617aa20f67a4d
Author: Jason Witkowski <jw...@gmail.com>
AuthorDate: Thu Feb 23 01:12:03 2023 -0500
helm: Add serviceAccounts, rbac, and small fixes (#13747)
Update suggested segment-cache path, Allow for per-service serviceAccounts in druid helm chart and finer-grained RBAC, and add a default annotation to historical statefulset.
---
helm/druid/Chart.yaml | 2 +-
helm/druid/README.md | 31 +++++++++
helm/druid/templates/_helpers.tpl | 66 ++++++++++++++++++
helm/druid/templates/broker/deployment.yaml | 20 +++---
helm/druid/templates/broker/role.yaml | 40 +++++++++++
helm/druid/templates/broker/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/broker/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/coordinator/deployment.yaml | 20 +++---
helm/druid/templates/coordinator/role.yaml | 40 +++++++++++
helm/druid/templates/coordinator/roleBinding.yaml | 39 +++++++++++
.../templates/coordinator/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/historical/role.yaml | 40 +++++++++++
helm/druid/templates/historical/roleBinding.yaml | 39 +++++++++++
.../druid/templates/historical/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/historical/statefulset.yaml | 20 +++---
helm/druid/templates/middleManager/role.yaml | 40 +++++++++++
.../druid/templates/middleManager/roleBinding.yaml | 39 +++++++++++
.../templates/middleManager/serviceAccount.yaml | 39 +++++++++++
.../druid/templates/middleManager/statefulset.yaml | 22 +++---
helm/druid/templates/overlord/deployment.yaml | 20 +++---
helm/druid/templates/overlord/role.yaml | 46 +++++++++++++
helm/druid/templates/overlord/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/overlord/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/router/deployment.yaml | 20 +++---
helm/druid/templates/router/role.yaml | 40 +++++++++++
helm/druid/templates/router/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/router/serviceAccount.yaml | 39 +++++++++++
helm/druid/values.yaml | 78 +++++++++++++++++++++-
28 files changed, 962 insertions(+), 51 deletions(-)
diff --git a/helm/druid/Chart.yaml b/helm/druid/Chart.yaml
index cc4083be29..aeb629d9fc 100644
--- a/helm/druid/Chart.yaml
+++ b/helm/druid/Chart.yaml
@@ -30,7 +30,7 @@ dependencies:
version: 8.6.4
repository: https://charts.helm.sh/stable
condition: postgresql.enabled
-version: 0.3.4
+version: 0.3.5
home: https://druid.apache.org/
icon: https://druid.apache.org/img/favicon.png
sources:
diff --git a/helm/druid/README.md b/helm/druid/README.md
index 64274a71d7..85c72ef2a8 100644
--- a/helm/druid/README.md
+++ b/helm/druid/README.md
@@ -96,10 +96,16 @@ The following table lists the configurable parameters of the Druid chart and the
| `configVars` | druid configuration variables for all components | `` |
| `gCloudStorage.enabled` | look for secret to set google cloud credentials | `false` |
| `gCloudStorage.secretName` | secretName to be mounted as google cloud credentials | `false` |
+| `rbac.create` | Create roles and roleBindings for service Accounts | `true` |
| `broker.enabled` | enable broker | `true` |
| `broker.name` | broker component name | `broker` |
| `broker.replicaCount` | broker node replicas (deployment) | `1` |
| `broker.port` | port of broker component | `8082` |
+| `broker.serviceAccount.create` | Create a service account for broker service | `true` |
+| `broker.serviceAccount.name` | Service account name | Derived from the name of service |
+| `broker.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `broker.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `broker.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `broker.serviceType` | service type for service | `ClusterIP` |
| `broker.resources` | broker node resources requests & limits | `{}` |
| `broker.podAnnotations` | broker deployment annotations | `{}` |
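Review bot: The `rbac.create` row should say what the created roles grant; "Create roles and roleBindings for service Accounts" with a default of `true` does not tell an operator what enabling it means. The role templates added in this commit allow every verb on `pods` and `configmaps`, and `broker.serviceAccount.automountServiceAccountToken` also defaults to `true`, so the token carrying those rights is mounted into the pod by default. Stating both facts in the description column would let users decide before installing.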
@@ -117,6 +123,11 @@ The following table lists the configurable parameters of the Druid chart and the
| `coordinator.replicaCount` | coordinator node replicas (deployment) | `1` |
| `coordinator.port` | port of coordinator component | `8081` |
| `coordinator.serviceType` | service type for service | `ClusterIP` |
+| `coordinator.serviceAccount.create` | Create a service account for coordinator service | `true` |
+| `coordinator.serviceAccount.name` | Service account name | Derived from the name of service |
+| `coordinator.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `coordinator.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `coordinator.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `coordinator.resources` | coordinator node resources requests & limits | `{}` |
| `coordinator.podAnnotations` | coordinator Deployment annotations | `{}` |
| `coordinator.nodeSelector` | node labels for coordinator pod assignment | `{}` |
@@ -133,6 +144,11 @@ The following table lists the configurable parameters of the Druid chart and the
| `overlord.replicaCount` | overlord node replicas (deployment) | `1` |
| `overlord.port` | port of overlord component | `8081` |
| `overlord.serviceType` | service type for service | `ClusterIP` |
+| `overlord.serviceAccount.create` | Create a service account for overlord service | `true` |
+| `overlord.serviceAccount.name` | Service account name | Derived from the name of service |
+| `overlord.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `overlord.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `overlord.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `overlord.resources` | overlord node resources requests & limits | `{}` |
| `overlord.podAnnotations` | overlord Deployment annotations | `{}` |
| `overlord.nodeSelector` | node labels for overlord pod assignment | `{}` |
@@ -149,6 +165,11 @@ The following table lists the configurable parameters of the Druid chart and the
| `historical.replicaCount` | historical node replicas (statefulset) | `1` |
| `historical.port` | port of historical component | `8083` |
| `historical.serviceType` | service type for service | `ClusterIP` |
+| `historical.serviceAccount.create` | Create a service account for historical service | `true` |
+| `historical.serviceAccount.name` | Service account name | Derived from the name of service |
+| `historical.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `historical.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `historical.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `historical.resources` | historical node resources requests & limits | `{}` |
| `historical.livenessProbeInitialDelaySeconds` | historical node liveness probe initial delay in seconds | `60` |
| `historical.readinessProbeInitialDelaySeconds` | historical node readiness probe initial delay in seconds | `60` |
@@ -173,6 +194,11 @@ The following table lists the configurable parameters of the Druid chart and the
| `middleManager.replicaCount` | middleManager node replicas (statefulset) | `1` |
| `middleManager.port` | port of middleManager component | `8091` |
| `middleManager.serviceType` | service type for service | `ClusterIP` |
+| `middleManager.serviceAccount.create` | Create a service account for middleManager service | `true` |
+| `middleManager.serviceAccount.name` | Service account name | `` |
+| `middleManager.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `middleManager.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `middleManager.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `middleManager.resources` | middleManager node resources requests & limits | `{}` |
| `middleManager.podAnnotations` | middleManager Deployment annotations | `{}` |
| `middleManager.nodeSelector` | Node labels for middleManager pod assignment | `{}` |
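Review bot: The default for `middleManager.serviceAccount.name` is documented as an empty value, while the same row for broker, coordinator, overlord, historical and router reads "Derived from the name of service". The `druid.middleManager.serviceAccountName` helper uses the same `default (include "druid.middleManager.fullname" .)` logic as the others, so this row should carry the same text.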
@@ -199,6 +225,11 @@ The following table lists the configurable parameters of the Druid chart and the
| `router.replicaCount` | router node replicas (deployment) | `1` |
| `router.port` | port of router component | `8888` |
| `router.serviceType` | service type for service | `ClusterIP` |
+| `router.serviceAccount.create` | Create a service account for router service | `true` |
+| `router.serviceAccount.name` | Service account name | Derived from the name of service |
+| `router.serviceAccount.annotations` | Annotations applied to created service account | `{}` |
+| `router.serviceAccount.labels` | Labels applied to created service account | `{}` |
+| `router.serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `router.resources` | router node resources requests & limits | `{}` |
| `router.podAnnotations` | router Deployment annotations | `{}` |
| `router.nodeSelector` | node labels for router pod assignment | `{}` |
diff --git a/helm/druid/templates/_helpers.tpl b/helm/druid/templates/_helpers.tpl
index bb4714953e..a4ca3c9a0e 100644
--- a/helm/druid/templates/_helpers.tpl
+++ b/helm/druid/templates/_helpers.tpl
@@ -98,3 +98,69 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- define "druid.router.fullname" -}}
{{ template "druid.fullname" . }}-{{ .Values.router.name }}
{{- end -}}
+
+{{/*
+Create the name of the broker service account
+*/}}
+{{- define "druid.broker.serviceAccountName" -}}
+ {{- if .Values.broker.serviceAccount.create }}
+ {{- default (include "druid.broker.fullname" .) .Values.broker.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.broker.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the historical service account
+*/}}
+{{- define "druid.historical.serviceAccountName" -}}
+ {{- if .Values.historical.serviceAccount.create }}
+ {{- default (include "druid.historical.fullname" .) .Values.historical.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.historical.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the middleManager service account
+*/}}
+{{- define "druid.middleManager.serviceAccountName" -}}
+ {{- if .Values.middleManager.serviceAccount.create }}
+ {{- default (include "druid.middleManager.fullname" .) .Values.middleManager.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.middleManager.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the coordinator service account
+*/}}
+{{- define "druid.coordinator.serviceAccountName" -}}
+ {{- if .Values.coordinator.serviceAccount.create }}
+ {{- default (include "druid.coordinator.fullname" .) .Values.coordinator.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.coordinator.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the overlord service account
+*/}}
+{{- define "druid.overlord.serviceAccountName" -}}
+ {{- if .Values.overlord.serviceAccount.create }}
+ {{- default (include "druid.overlord.fullname" .) .Values.overlord.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.overlord.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the router service account
+*/}}
+{{- define "druid.router.serviceAccountName" -}}
+ {{- if .Values.router.serviceAccount.create }}
+ {{- default (include "druid.router.fullname" .) .Values.router.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.router.serviceAccount.name }}
+ {{- end }}
+{{- end }}
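Review bot: The six `druid.<component>.serviceAccountName` definitions differ only in the component name, so any later fix to the fallback logic has to be made six times. One helper that takes the component as an argument (for example a `dict` carrying the root context and the component key) would keep the `create` / `default "default"` decision in one place.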
diff --git a/helm/druid/templates/broker/deployment.yaml b/helm/druid/templates/broker/deployment.yaml
index fa87515e90..80251de1ec 100644
--- a/helm/druid/templates/broker/deployment.yaml
+++ b/helm/druid/templates/broker/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.broker.name }}
annotations:
- {{- with .Values.broker.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.broker.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.broker.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.broker.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
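Review bot: `serviceAccountName` under `spec:` is only rendered when `.Values.broker.serviceAccount.create` is true, so setting `broker.serviceAccount.create: false` together with `broker.serviceAccount.name` leaves the pod without the named account even though the helper's `else` branch resolves that name. Dropping the `if` and always emitting `serviceAccountName: {{ include "druid.broker.serviceAccountName" . }}` would let the helper cover both cases.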
diff --git a/helm/druid/templates/broker/role.yaml b/helm/druid/templates/broker/role.yaml
new file mode 100644
index 0000000000..f6ff22d8b5
--- /dev/null
+++ b/helm/druid/templates/broker/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.broker.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
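Review bot: The rule grants `'*'` verbs on `pods` and `configmaps`, which includes create, delete and deletecollection on every pod and configmap in the Role's namespace, not only the ones Druid owns. The commit message describes this as finer-grained RBAC, so list the verbs the broker actually needs and, where the object names are known, narrow the rule with `resourceNames`.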
diff --git a/helm/druid/templates/broker/roleBinding.yaml b/helm/druid/templates/broker/roleBinding.yaml
new file mode 100644
index 0000000000..0667c282cf
--- /dev/null
+++ b/helm/druid/templates/broker/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.broker.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.broker.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.broker.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
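Review bot: The binding is gated on `rbac.create` and `broker.enabled` but not on `broker.serviceAccount.create`, and the subject name comes from the helper, which returns `default` when no account is created or named. In that configuration the broker Role is bound to the namespace's `default` ServiceAccount, which other pods in the namespace also run as unless they set their own. Consider adding `.Values.broker.serviceAccount.create` (or a non-empty `serviceAccount.name`) to the condition.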
diff --git a/helm/druid/templates/broker/serviceAccount.yaml b/helm/druid/templates/broker/serviceAccount.yaml
new file mode 100644
index 0000000000..644aa7dad8
--- /dev/null
+++ b/helm/druid/templates/broker/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.broker.serviceAccount.create) (.Values.broker.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.broker.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.broker.serviceAccountName" . }}
+ {{- with .Values.broker.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.broker.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
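Review bot: `broker.serviceAccount.labels` is rendered under `labels:` after the fixed `app`, `chart`, `component`, `release` and `heritage` keys, so a user label with one of those names yields a duplicate key in the manifest. Either document those keys as reserved in the README row or merge the two maps before calling `toYaml`.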
diff --git a/helm/druid/templates/coordinator/deployment.yaml b/helm/druid/templates/coordinator/deployment.yaml
index affc0ff522..66456a5112 100644
--- a/helm/druid/templates/coordinator/deployment.yaml
+++ b/helm/druid/templates/coordinator/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.coordinator.name }}
annotations:
- {{- with .Values.coordinator.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.coordinator.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.coordinator.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.coordinator.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
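Review bot: `druid.k8s.enablePatching: "true"` is added unconditionally to the coordinator pod annotations, while the commit message only mentions a default annotation for the historical statefulset. Say in the message and README that every service receives it, or expose it as a values default so it can be switched off per service.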
diff --git a/helm/druid/templates/coordinator/role.yaml b/helm/druid/templates/coordinator/role.yaml
new file mode 100644
index 0000000000..c4dc3ba136
--- /dev/null
+++ b/helm/druid/templates/coordinator/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.coordinator.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
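Review bot: The `rules` block is identical to the one in broker/role.yaml (all verbs on `pods` and `configmaps`), so a separate Role per service does not yet narrow anything for the coordinator. If the components need different access, list the verbs per component; if they need the same, a comment in the template explaining why would save the next reader the comparison.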
diff --git a/helm/druid/templates/coordinator/roleBinding.yaml b/helm/druid/templates/coordinator/roleBinding.yaml
new file mode 100644
index 0000000000..fd60eb5d06
--- /dev/null
+++ b/helm/druid/templates/coordinator/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.coordinator.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.coordinator.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.coordinator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/coordinator/serviceAccount.yaml b/helm/druid/templates/coordinator/serviceAccount.yaml
new file mode 100644
index 0000000000..b7778322c7
--- /dev/null
+++ b/helm/druid/templates/coordinator/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.coordinator.serviceAccount.create) (.Values.coordinator.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.coordinator.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.coordinator.serviceAccountName" . }}
+ {{- with .Values.coordinator.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.coordinator.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/role.yaml b/helm/druid/templates/historical/role.yaml
new file mode 100644
index 0000000000..b4be8cc42f
--- /dev/null
+++ b/helm/druid/templates/historical/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.historical.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/historical/roleBinding.yaml b/helm/druid/templates/historical/roleBinding.yaml
new file mode 100644
index 0000000000..aa9e9fbeb3
--- /dev/null
+++ b/helm/druid/templates/historical/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.historical.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.historical.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.historical.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/historical/serviceAccount.yaml b/helm/druid/templates/historical/serviceAccount.yaml
new file mode 100644
index 0000000000..2524503c89
--- /dev/null
+++ b/helm/druid/templates/historical/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.historical.serviceAccount.create) (.Values.historical.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.historical.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.historical.serviceAccountName" . }}
+ {{- with .Values.historical.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.historical.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/statefulset.yaml b/helm/druid/templates/historical/statefulset.yaml
index 8f56f9039e..0e12c6508c 100644
--- a/helm/druid/templates/historical/statefulset.yaml
+++ b/helm/druid/templates/historical/statefulset.yaml
@@ -43,14 +43,15 @@ spec:
component: {{ .Values.historical.name }}
release: {{ .Release.Name }}
annotations:
- {{- with .Values.historical.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.historical.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
{{- if or .Values.historical.antiAffinity .Values.historical.nodeAffinity }}
affinity:
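Review bot: The hard-coded `druid.k8s.enablePatching: "true"` line is followed directly by `toYaml` of `historical.podAnnotations`, so a user who sets the same key there gets it twice in the rendered `annotations` map and has no supported way to override the value. Moving the default into `historical.podAnnotations` in values.yaml would leave a single source for the key.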
@@ -96,6 +97,9 @@ spec:
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
+ {{- if .Values.historical.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.historical.serviceAccountName" . }}
+ {{- end }}
containers:
- name: druid
args: [ "historical" ]
diff --git a/helm/druid/templates/middleManager/role.yaml b/helm/druid/templates/middleManager/role.yaml
new file mode 100644
index 0000000000..22e0622f2c
--- /dev/null
+++ b/helm/druid/templates/middleManager/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.middleManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.middleManager.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
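Review bot: the rule on pods and configmaps uses verbs: '*', which grants create, delete and deletecollection along with everything else and is broader than least privilege calls for. Enumerate the verbs the Kubernetes extension needs instead of the wildcard, so the middleManager token cannot be used to delete or replace arbitrary pods and configmaps in the release namespace.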
diff --git a/helm/druid/templates/middleManager/roleBinding.yaml b/helm/druid/templates/middleManager/roleBinding.yaml
new file mode 100644
index 0000000000..fbca099428
--- /dev/null
+++ b/helm/druid/templates/middleManager/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.middleManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.middleManager.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.middleManager.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.middleManager.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
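Review bot: this binding is gated on rbac.create and middleManager.enabled but not on middleManager.serviceAccount.create, while the statefulset sets serviceAccountName only when serviceAccount.create is true. With rbac.create: true and serviceAccount.create: false the subject comes from the druid.middleManager.serviceAccountName helper alone and nothing in the statefulset ties the pod to that account. Use one condition for both templates so the Role is always bound to the account the pod runs as.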
diff --git a/helm/druid/templates/middleManager/serviceAccount.yaml b/helm/druid/templates/middleManager/serviceAccount.yaml
new file mode 100644
index 0000000000..00dc83cb1f
--- /dev/null
+++ b/helm/druid/templates/middleManager/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.middleManager.serviceAccount.create) (.Values.middleManager.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.middleManager.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.middleManager.serviceAccountName" . }}
+ {{- with .Values.middleManager.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.middleManager.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/middleManager/statefulset.yaml b/helm/druid/templates/middleManager/statefulset.yaml
index 87da92995e..b91824e2c5 100644
--- a/helm/druid/templates/middleManager/statefulset.yaml
+++ b/helm/druid/templates/middleManager/statefulset.yaml
@@ -43,14 +43,15 @@ spec:
component: {{ .Values.middleManager.name }}
release: {{ .Release.Name }}
annotations:
- {{- with .Values.middleManager.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.middleManager.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
{{- if or .Values.middleManager.antiAffinity .Values.middleManager.nodeAffinity }}
affinity:
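Review bot: the commit message describes the new default annotation as a change to the historical statefulset, but this hunk adds druid.k8s.enablePatching: "true" to the middleManager pod template as well, and it is unconditional, with no values switch to turn it off. Update the description to cover every component that receives the annotation, or restrict it to the components that need it and put it behind a value.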
@@ -96,6 +97,9 @@ spec:
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
+ {{- if .Values.middleManager.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.middleManager.serviceAccountName" . }}
+ {{- end }}
containers:
- name: druid
args: [ "middleManager" ]
@@ -170,4 +174,4 @@ spec:
requests:
storage: "{{ .Values.middleManager.persistence.size }}"
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/druid/templates/overlord/deployment.yaml b/helm/druid/templates/overlord/deployment.yaml
index 20b096bb6c..f347228859 100644
--- a/helm/druid/templates/overlord/deployment.yaml
+++ b/helm/druid/templates/overlord/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.overlord.name }}
annotations:
- {{- with .Values.overlord.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.overlord.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.overlord.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.overlord.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm/druid/templates/overlord/role.yaml b/helm/druid/templates/overlord/role.yaml
new file mode 100644
index 0000000000..37ffbd8918
--- /dev/null
+++ b/helm/druid/templates/overlord/role.yaml
@@ -0,0 +1,46 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.overlord.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+{{- end }}
+
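Review bot: the batch/jobs rule with verbs: '*' is granted whenever rbac.create and overlord.enabled are true, although the values.yaml comment ties the RBAC requirement to specific extensions such as 'druid-kubernetes-overlord-extensions'. Enumerate the job verbs that are required and render this rule only when that extension is in use, so a default install does not give the overlord account full control over Jobs in the namespace.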
diff --git a/helm/druid/templates/overlord/roleBinding.yaml b/helm/druid/templates/overlord/roleBinding.yaml
new file mode 100644
index 0000000000..2a5284e606
--- /dev/null
+++ b/helm/druid/templates/overlord/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.overlord.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.overlord.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.overlord.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/overlord/serviceAccount.yaml b/helm/druid/templates/overlord/serviceAccount.yaml
new file mode 100644
index 0000000000..b27ea8b4b3
--- /dev/null
+++ b/helm/druid/templates/overlord/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.overlord.serviceAccount.create) (.Values.overlord.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.overlord.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.overlord.serviceAccountName" . }}
+ {{- with .Values.overlord.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.overlord.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/router/deployment.yaml b/helm/druid/templates/router/deployment.yaml
index d2f9e7d8ed..79960fe13b 100644
--- a/helm/druid/templates/router/deployment.yaml
+++ b/helm/druid/templates/router/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.router.name }}
annotations:
- {{- with .Values.router.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.router.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.router.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.router.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm/druid/templates/router/role.yaml b/helm/druid/templates/router/role.yaml
new file mode 100644
index 0000000000..52afc0a685
--- /dev/null
+++ b/helm/druid/templates/router/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.router.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
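Review bot: this rules block is a line-for-line copy of the one in middleManager/role.yaml, and the diffstat shows a role.yaml of the same size added per component. Define the shared rule set once as a named template in _helpers.tpl and include it from each role.yaml, so tightening the verbs later is a single change rather than one per component.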
diff --git a/helm/druid/templates/router/roleBinding.yaml b/helm/druid/templates/router/roleBinding.yaml
new file mode 100644
index 0000000000..1b9e129305
--- /dev/null
+++ b/helm/druid/templates/router/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.router.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.router.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.router.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/router/serviceAccount.yaml b/helm/druid/templates/router/serviceAccount.yaml
new file mode 100644
index 0000000000..d357b2bd0c
--- /dev/null
+++ b/helm/druid/templates/router/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.router.serviceAccount.create) (.Values.router.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.router.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.router.serviceAccountName" . }}
+ {{- with .Values.router.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.router.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/values.yaml b/helm/druid/values.yaml
index f7dc218bd4..dab6a49b80 100644
--- a/helm/druid/values.yaml
+++ b/helm/druid/values.yaml
@@ -26,6 +26,10 @@ configMap:
##
enabled: true
+# Required if using kubernetes extensions which modify resources like 'druid-kubernetes-extensions' or 'druid-kubernetes-overlord-extensions'
+rbac:
+ create: true
+
## Define the key value pairs in the configmap
configVars:
## DRUID env vars. ref: https://github.com/apache/druid/blob/master/distribution/docker/druid.sh#L29
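Review bot: rbac.create defaults to true even though the comment above it says RBAC is required only when a Kubernetes extension that modifies resources is in use. Default it to false, or extend the comment to say that the default creates a Role with wildcard verbs over pods and configmaps for each enabled component, so installs that do not load those extensions are not given write access they never exercise.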
@@ -91,6 +95,18 @@ broker:
# cpu: 250m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the broker
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
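Review bot: name: is left empty with only "Service Account name" as its comment, so a reader cannot tell which name is used when it is unset or how it interacts with create: false. Document the fallback in the comment, and reconsider automountServiceAccountToken: true as the default for components that never call the Kubernetes API.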
@@ -134,6 +150,18 @@ coordinator:
# cpu: 250m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the coordinator
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
@@ -168,6 +196,18 @@ overlord:
resources: {}
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
@@ -193,7 +233,7 @@ historical:
druid_processing_numMergeBuffers: 2
druid_processing_numThreads: 1
# druid_monitoring_monitors: '["org.apache.druid.client.cache.CacheMonitor", "org.apache.druid.server.metrics.HistoricalMetricsMonitor", "org.apache.druid.server.metrics.QueryCountStatsMonitor"]'
- # druid_segmentCache_locations: '[{"path":"/var/druid/segment-cache","maxSize":300000000000}]'
+ # druid_segmentCache_locations: '[{"path":"/opt/druid/var/druid/segment-cache","maxSize":300000000000}]'
ingress:
enabled: false
@@ -233,6 +273,18 @@ historical:
# cpu: 500m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
livenessProbeInitialDelaySeconds: 60
readinessProbeInitialDelaySeconds: 60
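Review bot: the comment on create in this historical block reads "Create a service account for the overlord", a copy-paste from the overlord block; the middleManager and router blocks further down carry the same wording. Change each comment to name its own component.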
@@ -318,6 +370,18 @@ middleManager:
# cpu: 250m
# memory: 256Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
## (dict) If specified, apply these annotations to each master Pod
podAnnotations: {}
@@ -364,6 +428,18 @@ router:
# cpu: 100m
# memory: 128Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []