From c46d8429814489df10db5b57c0be2af880fb6b85 Mon Sep 17 00:00:00 2001 From: Dexter Lee Date: Sun, 18 Apr 2021 11:07:19 -0700 Subject: [PATCH] fix(k8s): Add credentials to kafka-setup job and clean up (#2415) --- contrib/kubernetes/datahub/README.md | 8 ++-- .../templates/deployment.yaml | 16 ++++---- .../datahub-gms/templates/deployment.yaml | 24 ++++++------ .../templates/deployment.yaml | 24 ++++++------ .../templates/deployment.yaml | 20 +++++----- .../templates/elasticsearch-setup-job.yml | 8 ++++ .../datahub/templates/kafka-setup-job.yml | 33 ++++++++++++++++ .../datahub/templates/mysql-setup-job.yml | 8 ++++ contrib/kubernetes/datahub/values.yaml | 38 +++++++++---------- 9 files changed, 115 insertions(+), 64 deletions(-) diff --git a/contrib/kubernetes/datahub/README.md b/contrib/kubernetes/datahub/README.md index 4c9ef7ebf3e63b..98e2a19de42465 100644 --- a/contrib/kubernetes/datahub/README.md +++ b/contrib/kubernetes/datahub/README.md @@ -57,7 +57,9 @@ Current chart version is `0.1.2` #### Optional Chart Values -| global.credentialsAndCertsSecretPath | string | `"/mnt/certs"` | | +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.credentialsAndCertsSecrets.path | string | `"/mnt/certs"` | | | global.credentialsAndCertsSecrets.name | string | `""` | | -| global.credentialsAndCertsSecrets.secureEnv | string | `""` | | -| global.springKafkaConfigurationOverrides | string | `""` | | +| global.credentialsAndCertsSecrets.secureEnv | map | `{}` | | +| global.springKafkaConfigurationOverrides | map | `{}` | | diff --git a/contrib/kubernetes/datahub/charts/datahub-frontend/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-frontend/templates/deployment.yaml index 60516244f27a74..f91cfe3064ab38 100644 --- a/contrib/kubernetes/datahub/charts/datahub-frontend/templates/deployment.yaml +++ b/contrib/kubernetes/datahub/charts/datahub-frontend/templates/deployment.yaml 
@@ -26,8 +26,8 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: - {{- if .Values.extraVolumes }} - {{ toYaml .Values.extraVolumes | nindent 8 }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.exporters.jmx.enabled }} - name: config-jmx-exporter @@ -35,8 +35,8 @@ spec: name: {{ include "datahub-frontend.fullname" . }}-config-jmx-exporter {{- end }} initContainers: - {{- if .Values.extraInitContainers }} - {{- .Values.extraInitContainers | toYaml | nindent 6 }} + {{- with .Values.extraInitContainers }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Chart.Name }} @@ -82,12 +82,12 @@ spec: value: "{{ .Values.global.datahub.appVersion }}" - name: DATAHUB_PLAY_MEM_BUFFER_SIZE value: "{{ .Values.datahub.play.mem.buffer.size }}" - {{- if .Values.extraEnvs }} - {{ toYaml .Values.extraEnvs | nindent 12 }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.extraVolumeMounts }} - {{ toYaml .Values.extraVolumeMounts | nindent 10 }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml index d8aeb1cf18a86b..9d2b43cc5ea988 100644 --- a/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml +++ b/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml 
@@ -30,23 +30,23 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: - {{- if .Values.global.credentialsAndCertsSecrets }} + {{- with .Values.global.credentialsAndCertsSecrets }} - name: datahub-certs-dir secret: defaultMode: 256 - secretName: {{ .Values.global.credentialsAndCertsSecrets.name }} + secretName: {{ .name }} {{- end }} {{- if .Values.exporters.jmx.enabled }} - name: config-jmx-exporter configMap: name: {{ include "datahub-gms.fullname" . }}-config-jmx-exporter {{- end }} - {{- if .Values.extraVolumes }} - {{ toYaml .Values.extraVolumes | nindent 8 }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} {{- end }} initContainers: - {{- if .Values.extraInitContainers }} - {{- .Values.extraInitContainers | toYaml | nindent 6 }} + {{- with .Values.extraInitContainers }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Chart.Name }} @@ -120,16 +120,16 @@ spec: key: {{ $envVarValue }} {{- end }} {{- end }} - {{- if .Values.extraEnvs }} - {{ toYaml .Values.extraEnvs | nindent 12 }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.global.credentialsAndCertsSecrets }} + {{- with .Values.global.credentialsAndCertsSecrets }} - name: datahub-certs-dir - mountPath: {{ .Values.global.credentialsAndCertsSecretPath | default "/mnt/certs" }} + mountPath: {{ .path | default "/mnt/certs" }} {{- end }} - {{- if .Values.extraVolumeMounts }} - {{ toYaml .Values.extraVolumeMounts | nindent 10 }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml index 8a77eed94e0fd1..07311efd07df09 100644 --- a/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml 
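Review bot: The `with .Values.global.credentialsAndCertsSecrets` guard in the `volumes` block only checks that the map is non-empty, so `secretName: {{ .name }}` renders empty when a user sets `path` or `secureEnv` but leaves `name` at its documented default of `""`. The mistake then surfaces only when the manifest is applied, not at render time. `secretName: {{ required "global.credentialsAndCertsSecrets.name must be set" .name }}` would fail the render with a clear message. The same line appears in the mae-consumer deployment volumes hunk and in the kafka-setup-job volumes hunk. The pod spec continues outside this hunk.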
+++ b/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml @@ -30,23 +30,23 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: - {{- if .Values.global.credentialsAndCertsSecrets }} + {{- with .Values.global.credentialsAndCertsSecrets }} - name: datahub-certs-dir secret: defaultMode: 256 - secretName: {{ .Values.global.credentialsAndCertsSecrets.name }} + secretName: {{ .name }} {{- end }} {{- if .Values.exporters.jmx.enabled }} - name: config-jmx-exporter configMap: name: {{ include "datahub-mae-consumer.fullname" . }}-config-jmx-exporter {{- end }} - {{- if .Values.extraVolumes }} - {{ toYaml .Values.extraVolumes | nindent 8 }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} {{- end }} initContainers: - {{- if .Values.extraInitContainers }} - {{- .Values.extraInitContainers | toYaml | nindent 6 }} + {{- with .Values.extraInitContainers }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Chart.Name }} @@ -103,16 +103,16 @@ spec: key: {{ $envVarValue }} {{- end }} {{- end }} - {{- if .Values.extraEnvs }} - {{ toYaml .Values.extraEnvs | nindent 12 }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.global.credentialsAndCertsSecrets }} + {{- with .Values.global.credentialsAndCertsSecrets }} - name: datahub-certs-dir - mountPath: {{ .Values.global.credentialsAndCertsSecretPath | default "/mnt/certs" }} + mountPath: {{ .path | default "/mnt/certs" }} {{- end }} - {{- if .Values.extraVolumeMounts }} - {{ toYaml .Values.extraVolumeMounts | nindent 10 }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml index 8165f5ccfe0e96..04bef30dbcc629 100644 
--- a/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml +++ b/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml @@ -41,12 +41,12 @@ spec: configMap: name: {{ include "datahub-mce-consumer.fullname" . }}-config-jmx-exporter {{- end }} - {{- if .Values.extraVolumes }} - {{ toYaml .Values.extraVolumes | nindent 8 }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} {{- end }} initContainers: - {{- if .Values.extraInitContainers }} - {{- .Values.extraInitContainers | toYaml | nindent 6 }} + {{- with .Values.extraInitContainers }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Chart.Name }} @@ -92,16 +92,16 @@ spec: key: {{ $envVarValue }} {{- end }} {{- end }} - {{- if .Values.extraEnvs }} - {{ toYaml .Values.extraEnvs | nindent 12 }} + {{- with .Values.extraEnvs }} + {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.global.credentialsAndCertsSecrets }} + {{- with .Values.global.credentialsAndCertsSecrets }} - name: datahub-certs-dir - mountPath: {{ .Values.global.credentialsAndCertsSecretPath | default "/mnt/certs" }} + mountPath: {{ .path | default "/mnt/certs" }} {{- end }} - {{- if .Values.extraVolumeMounts }} - {{ toYaml .Values.extraVolumeMounts | nindent 10 }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/contrib/kubernetes/datahub/templates/elasticsearch-setup-job.yml b/contrib/kubernetes/datahub/templates/elasticsearch-setup-job.yml index ff1de457bb895a..ad637c265bbbb5 100644 --- a/contrib/kubernetes/datahub/templates/elasticsearch-setup-job.yml +++ b/contrib/kubernetes/datahub/templates/elasticsearch-setup-job.yml 
@@ -24,6 +24,10 @@ spec: {{- with .Values.elasticsearchSetupJob.serviceAccount }} serviceAccountName: {{ . }} {{- end }} + volumes: + {{- with .Values.elasticsearchSetupJob.extraVolumes }} + {{- toYaml . | nindent 8}} + {{- end }} restartPolicy: Never securityContext: runAsUser: 1000 @@ -39,6 +43,10 @@ spec: {{- with .Values.elasticsearchSetupJob.extraEnvs }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- with .Values.elasticsearchSetupJob.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: limits: cpu: 500m diff --git a/contrib/kubernetes/datahub/templates/kafka-setup-job.yml b/contrib/kubernetes/datahub/templates/kafka-setup-job.yml index 971f74c47ff889..d2b48b69dc32c4 100644 --- a/contrib/kubernetes/datahub/templates/kafka-setup-job.yml +++ b/contrib/kubernetes/datahub/templates/kafka-setup-job.yml @@ -28,6 +28,16 @@ spec: securityContext: runAsUser: 1000 fsGroup: 1000 + volumes: + {{- with .Values.global.credentialsAndCertsSecrets }} + - name: datahub-certs-dir + secret: + defaultMode: 256 + secretName: {{ .name }} + {{- end }} + {{- with .Values.kafkaSetupJob.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: kafka-setup-job image: "{{ .Values.kafkaSetupJob.image.repository }}:{{ .Values.kafkaSetupJob.image.tag }}" 
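Review bot: `defaultMode: 256` in the `datahub-certs-dir` volume added to kafka-setup-job.yml is a decimal literal and reads as an arbitrary number. A comment above it, such as `# 256 decimal == 0400 octal: owner read-only`, would make the intended permission on the mounted keystores auditable. The context lines of this hunk set `runAsUser: 1000` and `fsGroup: 1000`, so it is worth confirming in a rendered pod that the job user can read the files with that mode. Kubernetes normally adjusts group ownership and permissions for `fsGroup`, but that is not visible here. The job spec continues outside the hunk.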
@@ -36,9 +46,32 @@ spec: value: {{ .Values.global.kafka.zookeeper.server | quote }} - name: KAFKA_BOOTSTRAP_SERVER value: {{ .Values.global.kafka.bootstrap.server | quote }} + {{- if .Values.global.springKafkaConfigurationOverrides }} + {{- range $configName, $configValue := .Values.global.springKafkaConfigurationOverrides }} + - name: KAFKA_PROPERTIES_{{ $configName | replace "." "_" | upper }} + value: {{ $configValue }} + {{- end }} + {{- end }} + {{- if .Values.global.credentialsAndCertsSecrets }} + {{- range $envVarName, $envVarValue := .Values.global.credentialsAndCertsSecrets.secureEnv }} + - name: KAFKA_PROPERTIES_{{ $envVarName | replace "." "_" | upper }} + valueFrom: + secretKeyRef: + name: {{ $.Values.global.credentialsAndCertsSecrets.name }} + key: {{ $envVarValue }} + {{- end }} + {{- end }} {{- with .Values.kafkaSetupJob.extraEnvs }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.global.credentialsAndCertsSecrets }} + - name: datahub-certs-dir + mountPath: {{ .Values.global.credentialsAndCertsSecretPath | default "/mnt/certs" }} + {{- end }} + {{- with .Values.kafkaSetupJob.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: limits: cpu: 500m diff --git a/contrib/kubernetes/datahub/templates/mysql-setup-job.yml b/contrib/kubernetes/datahub/templates/mysql-setup-job.yml index 0776d61abb390c..97b8ac9ef655a1 100644 --- a/contrib/kubernetes/datahub/templates/mysql-setup-job.yml +++ b/contrib/kubernetes/datahub/templates/mysql-setup-job.yml @@ -24,6 +24,10 @@ spec: {{- with .Values.mysqlSetupJob.serviceAccount }} serviceAccountName: {{ . }} {{- end }} + volumes: + {{- with .Values.mysqlSetupJob.extraVolumes }} + {{- toYaml . | nindent 8}} + {{- end }} restartPolicy: Never securityContext: runAsUser: 1000 
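Review bot: The added `volumeMounts` entry in kafka-setup-job.yml still reads `.Values.global.credentialsAndCertsSecretPath`, the key this commit removes from the README and values.yaml and replaces with `credentialsAndCertsSecrets.path` in the gms, mae-consumer and mce-consumer deployments. With the documented values the job would mount the secret at the `/mnt/certs` default while `springKafkaConfigurationOverrides` points the keystore and truststore at the configured path, so the TLS material would not be found. Use the same form as the deployments: `{{- with .Values.global.credentialsAndCertsSecrets }}` and `mountPath: {{ .path | default "/mnt/certs" }}`. Separately, `value: {{ $configValue }}` is emitted unquoted, so a boolean- or number-like override renders as a non-string env value; `value: {{ $configValue | quote }}` matches the quoting on the two context lines above it. The container spec continues outside the hunk.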
@@ -46,6 +50,10 @@ spec: {{- with .Values.mysqlSetupJob.extraEnvs }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- with .Values.mysqlSetupJob.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: limits: cpu: 500m diff --git a/contrib/kubernetes/datahub/values.yaml b/contrib/kubernetes/datahub/values.yaml index 939be0f12cbc30..f7185dcadc1199 100644 --- a/contrib/kubernetes/datahub/values.yaml +++ b/contrib/kubernetes/datahub/values.yaml 
@@ -92,22 +92,22 @@ global: - "elasticsearch" - "neo4j" - # credentialsAndCertsSecretPath: /mnt/datahub/certs - # credentialsAndCertsSecrets: - # name: datahub-certs - # secureEnv: - # ssl.key.password: datahub.linkedin.com.KeyPass - # ssl.keystore.password: datahub.linkedin.com.KeyStorePass - # ssl.truststore.password: datahub.linkedin.com.TrustStorePass - # kafkastore.ssl.truststore.password: datahub.linkedin.com.TrustStorePass - - # springKafkaConfigurationOverrides: - # ssl.keystore.location: /mnt/datahub/certs/datahub.linkedin.com.keystore.jks - # ssl.truststore.location: /mnt/datahub/certs/datahub.linkedin.com.truststore.jks - # kafkastore.ssl.truststore.location: /mnt/datahub/certs/datahub.linkedin.com.truststore.jks - # security.protocol: SSL - # kafkastore.security.protocol: SSL - # ssl.keystore.type: JKS - # ssl.truststore.type: JKS - # ssl.protocol: TLS - # ssl.endpoint.identification.algorithm: +# credentialsAndCertsSecrets: +# name: datahub-certs +# path: /mnt/datahub/certs +# secureEnv: +# ssl.key.password: datahub.linkedin.com.KeyPass +# ssl.keystore.password: datahub.linkedin.com.KeyStorePass +# ssl.truststore.password: datahub.linkedin.com.TrustStorePass +# kafkastore.ssl.truststore.password: datahub.linkedin.com.TrustStorePass +# +# springKafkaConfigurationOverrides: +# ssl.keystore.location: /mnt/datahub/certs/datahub.linkedin.com.keystore.jks +# ssl.truststore.location: /mnt/datahub/certs/datahub.linkedin.com.truststore.jks +# kafkastore.ssl.truststore.location: /mnt/datahub/certs/datahub.linkedin.com.truststore.jks +# security.protocol: SSL +# kafkastore.security.protocol: SSL +# ssl.keystore.type: JKS +# ssl.truststore.type: JKS +# ssl.protocol: TLS +# ssl.endpoint.identification.algorithm:
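Review bot: The commented example ends with `ssl.endpoint.identification.algorithm:` left empty, which in Kafka clients turns off verification of the broker hostname against its certificate, and nothing in the sample says so. Since users are likely to uncomment this block as-is, add a line directly above it such as `# empty value disables broker hostname verification; omit this key (or set https) unless the certificates lack matching SANs`. The `global:` mapping starts outside the hunk.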