Posted to commits@flink.apache.org by gy...@apache.org on 2022/03/08 08:43:41 UTC

[flink-kubernetes-operator] branch main updated (b75c058 -> e1c9bb8)

This is an automated email from the ASF dual-hosted git repository.

gyfora pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git.


    from b75c058  [FLINK-26508] Webhook should only validate on /validate endpoint end log errors for others
     new 8abb9f7  [FLINK-26308][FLINK-26471] Separate Flink job role from operator role
     new e1c9bb8  [FLINK-26308] Fix webhook behavior when working with multiple namespaces

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 e2e-tests/data/cr.yaml                            |  2 +-
 examples/basic-checkpoint-ha.yaml                 |  2 +-
 examples/basic-ingress.yaml                       |  2 +-
 examples/basic-session.yaml                       |  2 +-
 examples/basic.yaml                               |  2 +-
 examples/custom-logging.yaml                      |  2 +-
 examples/pod-template.yaml                        |  2 +-
 helm/flink-operator/templates/_helpers.tpl        | 17 ++++-
 helm/flink-operator/templates/rbac.yaml           | 84 +++++++++++++++++++++--
 helm/flink-operator/templates/serviceaccount.yaml | 33 +++++++--
 helm/flink-operator/templates/webhook.yaml        |  2 +-
 helm/flink-operator/values.yaml                   |  8 ++-
 12 files changed, 136 insertions(+), 22 deletions(-)

[flink-kubernetes-operator] 01/02: [FLINK-26308][FLINK-26471] Separate Flink job role from operator role

Posted by gy...@apache.org.

gyfora pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git

commit 8abb9f7af486e6e2cc729b24645d0ed36e8482fc
Author: Marton Balassi <ma...@apple.com>
AuthorDate: Fri Mar 4 16:19:30 2022 +0100

    [FLINK-26308][FLINK-26471] Separate Flink job role from operator role
---
 e2e-tests/data/cr.yaml                            |  2 +-
 examples/basic-checkpoint-ha.yaml                 |  2 +-
 examples/basic-ingress.yaml                       |  2 +-
 examples/basic-session.yaml                       |  2 +-
 examples/basic.yaml                               |  2 +-
 examples/custom-logging.yaml                      |  2 +-
 examples/pod-template.yaml                        |  2 +-
 helm/flink-operator/templates/_helpers.tpl        | 17 ++++-
 helm/flink-operator/templates/rbac.yaml           | 84 +++++++++++++++++++++--
 helm/flink-operator/templates/serviceaccount.yaml | 33 +++++++--
 helm/flink-operator/values.yaml                   |  8 ++-
 11 files changed, 135 insertions(+), 21 deletions(-)

diff --git a/e2e-tests/data/cr.yaml b/e2e-tests/data/cr.yaml
index 90069f9..3919e48 100644
--- a/e2e-tests/data/cr.yaml
+++ b/e2e-tests/data/cr.yaml
@@ -30,7 +30,7 @@ spec:
     high-availability.storageDir: file:///opt/flink/volume/flink-ha
     state.checkpoints.dir: file:///opt/flink/volume/flink-cp
     state.savepoints.dir: file:///opt/flink/volume/flink-sp
-  serviceAccount: flink-operator
+  serviceAccount: flink
   podTemplate:
     apiVersion: v1
     kind: Pod
diff --git a/examples/basic-checkpoint-ha.yaml b/examples/basic-checkpoint-ha.yaml
index 42c137a..1796bfb 100644
--- a/examples/basic-checkpoint-ha.yaml
+++ b/examples/basic-checkpoint-ha.yaml
@@ -40,7 +40,7 @@ spec:
       cpu: 1
   podTemplate:
     spec:
-      serviceAccount: flink-operator
+      serviceAccount: flink
       containers:
         - name: flink-main-container
           volumeMounts:
diff --git a/examples/basic-ingress.yaml b/examples/basic-ingress.yaml
index 5be18cd..ad9b1ef 100644
--- a/examples/basic-ingress.yaml
+++ b/examples/basic-ingress.yaml
@@ -29,7 +29,7 @@ spec:
 #    rest.address: basic-example.flink.k8s.io
 #    rest.port: "80"
     taskmanager.numberOfTaskSlots: "2"
-  serviceAccount: flink-operator
+  serviceAccount: flink
   jobManager:
     replicas: 1
     resource:
diff --git a/examples/basic-session.yaml b/examples/basic-session.yaml
index 613b411..c78d030 100644
--- a/examples/basic-session.yaml
+++ b/examples/basic-session.yaml
@@ -26,7 +26,7 @@ spec:
   flinkVersion: 1.14.3
   flinkConfiguration:
     taskmanager.numberOfTaskSlots: "2"
-  serviceAccount: flink-operator
+  serviceAccount: flink
   jobManager:
     replicas: 1
     resource:
diff --git a/examples/basic.yaml b/examples/basic.yaml
index 3e6c0e3..8844a35 100644
--- a/examples/basic.yaml
+++ b/examples/basic.yaml
@@ -26,7 +26,7 @@ spec:
   flinkVersion: 1.14.3
   flinkConfiguration:
     taskmanager.numberOfTaskSlots: "2"
-  serviceAccount: flink-operator
+  serviceAccount: flink
   jobManager:
     replicas: 1
     resource:
diff --git a/examples/custom-logging.yaml b/examples/custom-logging.yaml
index 27450a1..4376a81 100644
--- a/examples/custom-logging.yaml
+++ b/examples/custom-logging.yaml
@@ -26,7 +26,7 @@ spec:
   flinkVersion: 1.14.3
   flinkConfiguration:
     taskmanager.numberOfTaskSlots: "2"
-  serviceAccount: flink-operator
+  serviceAccount: flink
   jobManager:
     replicas: 1
     resource:
diff --git a/examples/pod-template.yaml b/examples/pod-template.yaml
index 3e40413..c81dc2b 100644
--- a/examples/pod-template.yaml
+++ b/examples/pod-template.yaml
@@ -32,7 +32,7 @@ spec:
     metadata:
       name: pod-template
     spec:
-      serviceAccount: flink-operator
+      serviceAccount: flink
       containers:
         # Do not change the main container name
         - name: flink-main-container
diff --git a/helm/flink-operator/templates/_helpers.tpl b/helm/flink-operator/templates/_helpers.tpl
index ab9e968..5e7bb9c 100644
--- a/helm/flink-operator/templates/_helpers.tpl
+++ b/helm/flink-operator/templates/_helpers.tpl
@@ -68,12 +68,23 @@ app.kubernetes.io/name: {{ include "flink-operator.name" . }}
 {{- end }}
 
 {{/*
-Create the name of the service account to use
+Create the name of the operator service account to use
 */}}
 {{- define "flink-operator.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "flink-operator.fullname" .) .Values.serviceAccount.name }}
+{{- if .Values.operatorServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the job service account to use
+*/}}
+{{- define "flink-operator.jobServiceAccountName" -}}
+{{- if .Values.jobServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }}
+{{- else }}
+{{- default "default" .Values.jobServiceAccount.name }}
+{{- end }}
+{{- end }}
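Review bot: the else branch of flink-operator.serviceAccountName still reads `.Values.serviceAccount.name`, but this commit renames that values key to operatorServiceAccount, so when operatorServiceAccount.create is false a configured operatorServiceAccount.name is never picked up. That line should become `{{- default "default" .Values.operatorServiceAccount.name }}`. Separately, both helpers fall back to the chart fullname when name is empty, so with empty names the operator and job accounts can resolve to the same ServiceAccount name, which undoes the separation; give the job helper its own fallback.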
diff --git a/helm/flink-operator/templates/rbac.yaml b/helm/flink-operator/templates/rbac.yaml
index b9c4418..ee3887d 100644
--- a/helm/flink-operator/templates/rbac.yaml
+++ b/helm/flink-operator/templates/rbac.yaml
@@ -17,7 +17,7 @@
 ################################################################################
 
 {{/*
-RBAC rules used to create the (cluster)role based on the operator scope
+RBAC rules used to create the operator (cluster)role based on the scope
 */}}
 {{- define "flink-operator.rbacRules" }}
 rules:
@@ -68,6 +68,27 @@ rules:
     verbs:
       - "*"
 {{- end }}
+
+{{/*
+RBAC rules used to create the job (cluster)role based on the scope
+*/}}
+{{- define "flink-operator.jobRbacRules" }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - configmaps
+    verbs:
+      - '*'
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - '*'
+{{- end }}
+
 ---
 {{- if .Values.rbac.create }}
 ---
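Review bot: flink-operator.jobRbacRules grants the '*' verb on pods, configmaps and deployments, so anything running under the job service account can read, modify and delete every Pod, ConfigMap and Deployment in its namespace, not only the objects of its own Flink cluster. Replace the wildcard with the explicit verbs the job needs on each resource, and add a short comment in the template saying why each resource is required so the list can be reviewed later.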
@@ -86,6 +107,17 @@ metadata:
 {{- template "flink-operator.rbacRules" $ }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flink
+  namespace: {{ . }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flink-operator-role-binding
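Review bot: the new Role carries "helm.sh/resource-policy": keep, so it stays behind in every watched namespace after the release is uninstalled, and its name is the fixed string flink rather than a value derived from the chart. Nothing in this hunk tells an administrator that a Role with wildcard verbs will outlive the release; state that in a template comment or the chart documentation, or make the annotation configurable.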
@@ -98,10 +130,25 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: {{ template "flink-operator.serviceAccountName" $ }}
+    name: {{ include "flink-operator.serviceAccountName" $ }}
     namespace: {{ $.Values.operatorNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flink-role-binding
+  namespace: {{ . }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
+roleRef:
+  kind: Role
+  name: flink
+  apiGroup: rbac.authorization.k8s.io
+subjects:
   - kind: ServiceAccount
-    name: {{ template "flink-operator.serviceAccountName" $ }}
+    name: {{ include "flink-operator.jobServiceAccountName" $ }}
     namespace: {{ . }}
 ---
 {{- end }}
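Review bot: the subject of flink-role-binding comes from flink-operator.jobServiceAccountName, which returns "default" when jobServiceAccount.create is false and no name is set. In that configuration the wildcard flink Role is bound to the namespace's default service account, so every pod in the watched namespace that does not name its own service account inherits it. Either skip this binding when the helper falls back to "default", or require jobServiceAccount.name whenever create is false.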
@@ -120,6 +167,17 @@ metadata:
 {{- template "flink-operator.rbacRules" $ }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flink
+  namespace: {{ .Values.operatorNamespace.name }}
+  labels:
+    {{- include "flink-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: flink-operator-cluster-role-binding
@@ -132,7 +190,25 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: {{ template "flink-operator.serviceAccountName" . }}
+    name: {{ include "flink-operator.serviceAccountName" . }}
+    namespace: {{ .Values.operatorNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flink-role-binding
+  namespace: {{ .Values.operatorNamespace.name }}
+  labels:
+    {{- include "flink-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
+roleRef:
+  kind: Role
+  name: flink
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "flink-operator.jobServiceAccountName" . }}
     namespace: {{ .Values.operatorNamespace.name }}
 {{- end }}
 {{- end }}
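Review bot: in this branch the flink Role (previous hunk) and flink-role-binding are created only in .Values.operatorNamespace.name, while the operator itself is bound through a ClusterRoleBinding. A deployment in any other namespace that sets serviceAccount: flink finds neither the Role nor the binding there. The template comment in serviceaccount.yaml mentions adding the account manually for other namespaces; the same needs to be said here for the Role and RoleBinding, ideally with the manifests to apply.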
diff --git a/helm/flink-operator/templates/serviceaccount.yaml b/helm/flink-operator/templates/serviceaccount.yaml
index b802b2a..6602e57 100644
--- a/helm/flink-operator/templates/serviceaccount.yaml
+++ b/helm/flink-operator/templates/serviceaccount.yaml
@@ -17,7 +17,7 @@
 ################################################################################
 
 ---
-{{- if .Values.serviceAccount.create -}}
+{{- if .Values.operatorServiceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -25,25 +25,46 @@ metadata:
   namespace: {{ .Values.operatorNamespace.name }}
   labels:
     {{- include "flink-operator.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- with .Values.operatorServiceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}
 ---
+{{- if .Values.jobServiceAccount.create -}}
+{{/*
+Create job service accounts for all watched namespaces.
+*/}}
 {{- if .Values.watchNamespaces}}
 {{- range .Values.watchNamespaces }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "flink-operator.serviceAccountName" $ }}
+  name: {{ include "flink-operator.jobServiceAccountName" $ }}
   namespace: {{ . }}
   labels:
     {{- include "flink-operator.labels" $ | nindent 4 }}
-  {{- with $.Values.serviceAccount.annotations }}
+  {{- with $.Values.jobServiceAccount.annotations }}
   annotations:
-    {{- toYaml $ | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 ---
 {{- end }}
+{{/*
+Create the job servife account for the operator namespace, it is to be added for other namespaces manually
+(or via specifying them in watchNamespaces).
+*/}}
+{{- else}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flink-operator.jobServiceAccountName" $ }}
+  namespace: {{ .Values.operatorNamespace.name }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+  {{- with .Values.jobServiceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
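Review bot: the added template comment spells "servife account" (should be "service account"), and the file now ends without a trailing newline. Both are worth fixing before merge. The else branch also mixes `$` in the include calls with `.` in the with block; outside the range they are the same context, so using `.` throughout would read more consistently.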
diff --git a/helm/flink-operator/values.yaml b/helm/flink-operator/values.yaml
index 854a36f..534ce59 100644
--- a/helm/flink-operator/values.yaml
+++ b/helm/flink-operator/values.yaml
@@ -36,11 +36,17 @@ rbac:
 ingress:
   create: false
 
-serviceAccount:
+operatorServiceAccount:
   create: true
   annotations: {}
   name: "flink-operator"
 
+jobServiceAccount:
+  create: true
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: "flink"
+
 webhook:
   create: true
   keystore:
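Review bot: renaming serviceAccount to operatorServiceAccount breaks existing value overrides without any notice; a values file or --set that still uses serviceAccount.create or serviceAccount.annotations is no longer read by serviceaccount.yaml. Add a comment above the new keys noting the rename, and document that the default "helm.sh/resource-policy": keep annotation on jobServiceAccount means the job service accounts are not removed on uninstall.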

[flink-kubernetes-operator] 02/02: [FLINK-26308] Fix webhook behavior when working with multiple namespaces

Posted by gy...@apache.org.

gyfora pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git

commit e1c9bb8d7e1e297958ea68d4b6664a08a9140f09
Author: Marton Balassi <ma...@apple.com>
AuthorDate: Mon Mar 7 15:41:32 2022 +0100

    [FLINK-26308] Fix webhook behavior when working with multiple namespaces
---
 helm/flink-operator/templates/webhook.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/flink-operator/templates/webhook.yaml b/helm/flink-operator/templates/webhook.yaml
index 66df08f..664ae77 100644
--- a/helm/flink-operator/templates/webhook.yaml
+++ b/helm/flink-operator/templates/webhook.yaml
@@ -106,6 +106,6 @@ webhooks:
     matchExpressions:
       - key: kubernetes.io/metadata.name
         operator: In
-        values: {{ .Values.watchNamespaces }}
+        values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
   {{- end }}
   {{- end }}
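Review bot: the range on the values line always emits a comma after the last entry, producing a flow sequence such as ["ns1","ns2",]. YAML accepts a trailing comma in a flow sequence, but the output depends on that leniency and is easy to break in later edits. Rendering the list with `{{ .Values.watchNamespaces | toJson }}` gives a quoted list with no trailing comma and no hand-written loop.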