apache/pulsar-helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Decouple Service account creation from PodSecurityPolicy (#387)

Browse Source 
* Proposal: service accounts creation should be decoupled from PodSecurityPolicy.

* Rename *-rbac.yaml to *-psp.yaml and move service account to *-service-account.yaml

* Test with psp enabled

Co-authored-by: Lari Hotari <lhotari@apache.org>
This commit is contained in:
Frank Kelly 2023-12-21 07:40:54 -05:00 committed by GitHub
parent 7bdce5b02c
commit 0b2d9b4d5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 400 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
.ci/clusters/values-psp.yaml Normal file
View File

@ -0,0 +1,87 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
kube-prometheus-stack:
enabled: false
prometheusOperator:
enabled: false
grafana:
enabled: false
alertmanager:
enabled: false
prometheus:
enabled: false
# disabled AntiAffinity
affinity:
anti_affinity: false
# disable auto recovery and pulsar manager
components:
autorecovery: false
pulsar_manager: false
zookeeper:
replicaCount: 1
# Disable pod monitor since we're disabling CRD installation
podMonitor:
enabled: false
bookkeeper:
replicaCount: 2
# Disable pod monitor since we're disabling CRD installation
podMonitor:
enabled: false
configData:
diskUsageThreshold: "0.999"
diskUsageWarnThreshold: "0.999"
PULSAR_PREFIX_diskUsageThreshold: "0.999"
PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
broker:
replicaCount: 1
# Disable pod monitor since we're disabling CRD installation
podMonitor:
enabled: false
configData:
## Enable `autoSkipNonRecoverableData` since bookkeeper is running
## without persistence
autoSkipNonRecoverableData: "true"
# storage settings
managedLedgerDefaultEnsembleSize: "1"
managedLedgerDefaultWriteQuorum: "1"
managedLedgerDefaultAckQuorum: "1"
autorecovery:
# Disable pod monitor since we're disabling CRD installation
podMonitor:
enabled: false
proxy:
replicaCount: 1
# Disable pod monitor since we're disabling CRD installation
podMonitor:
enabled: false
toolset:
useProxy: false
rbac:
enabled: true
psp: true

3
.github/workflows/pulsar-helm-chart-ci.yaml vendored
View File

@ -186,6 +186,9 @@ jobs:
- name: ZK & BK TLS Only - name: ZK & BK TLS Only
values_file: .ci/clusters/values-zkbk-tls.yaml values_file: .ci/clusters/values-zkbk-tls.yaml
shortname: zkbk-tls shortname: zkbk-tls
- name: PSP
values_file: .ci/clusters/values-psp.yaml
shortname: psp
env: env:
k8sVersion: ${{ matrix.k8sVersion.kind_image_tag }} k8sVersion: ${{ matrix.k8sVersion.kind_image_tag }}
KUBECTL_VERSION: ${{ matrix.k8sVersion.version }} KUBECTL_VERSION: ${{ matrix.k8sVersion.version }}

9
charts/pulsar/templates/autorecovery-rbac.yaml → charts/pulsar/templates/autorecovery-psp.yaml
View File

@ -17,7 +17,7 @@
# under the License. # under the License.
# #
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -34,13 +34,6 @@ rules:
- use - use
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

33
charts/pulsar/templates/autorecovery-service-account.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.autorecovery.component }}
annotations:
{{- with .Values.autorecovery.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}

4
charts/pulsar/templates/autorecovery-statefulset.yaml
View File

@ -104,9 +104,7 @@ spec:
{{ end }} {{ end }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }} terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
{{- end}}
initContainers: initContainers:
# This initContainer will wait for bookkeeper initnewcluster to complete # This initContainer will wait for bookkeeper initnewcluster to complete
# before deploying the bookies # before deploying the bookies
@ -130,7 +128,7 @@ spec:
resources: resources:
{{ toYaml .Values.autorecovery.resources | indent 10 }} {{ toYaml .Values.autorecovery.resources | indent 10 }}
{{- end }} {{- end }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end}} {{- end}}

4
charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
View File

@ -34,9 +34,7 @@ spec:
{{- end }} {{- end }}
template: template:
spec: spec:
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
{{- end }}
nodeSelector: nodeSelector:
{{- if .Values.pulsar_metadata.nodeSelector }} {{- if .Values.pulsar_metadata.nodeSelector }}
{{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }} {{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }}
@ -83,7 +81,7 @@ spec:
{{- if .Values.extraInitCommand }} {{- if .Values.extraInitCommand }}
{{ .Values.extraInitCommand }} {{ .Values.extraInitCommand }}
{{- end }} {{- end }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}

9
charts/pulsar/templates/bookkeeper-rbac.yaml → charts/pulsar/templates/bookkeeper-psp.yaml
View File

@ -17,7 +17,7 @@
# under the License. # under the License.
# #
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -34,13 +34,6 @@ rules:
- use - use
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

33
charts/pulsar/templates/bookkeeper-service-account.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if .Values.components.bookkeeper }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.bookkeeper.component }}
annotations:
{{- with .Values.bookkeeper.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}

6
charts/pulsar/templates/bookkeeper-statefulset.yaml
View File

@ -101,9 +101,7 @@ spec:
{{ end }} {{ end }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.bookkeeper.gracePeriod }} terminationGracePeriodSeconds: {{ .Values.bookkeeper.gracePeriod }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
{{- end}}
{{- if .Values.bookkeeper.securityContext }} {{- if .Values.bookkeeper.securityContext }}
securityContext: securityContext:
{{ toYaml .Values.bookkeeper.securityContext | indent 8 }} {{ toYaml .Values.bookkeeper.securityContext | indent 8 }}
@ -122,7 +120,7 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end}} {{- end}}
@ -175,7 +173,7 @@ spec:
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }}
OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie; OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie;
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end}} {{- end}}

85
charts/pulsar/templates/broker-psp.yaml Normal file
View File

@ -0,0 +1,85 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
namespace: {{ template "pulsar.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
namespace: {{ template "pulsar.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
subjects:
- kind: ServiceAccount
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
{{- if .Values.rbac.limit_to_namespace }}
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}"
{{- else}}
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
{{- end}}
spec:
readOnlyRootFilesystem: false
privileged: false
allowPrivilegeEscalation: false
runAsUser:
rule: 'RunAsAny'
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
seLinux:
rule: 'RunAsAny'
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
{{- end}}

77
charts/pulsar/templates/broker-rbac.yaml
View File

@ -44,13 +44,6 @@ rules:
- '*' - '*'
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.functions.rbac.limit_to_namespace }} {{- if .Values.functions.rbac.limit_to_namespace }}
kind: RoleBinding kind: RoleBinding
@ -75,73 +68,3 @@ subjects:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
namespace: {{ template "pulsar.namespace" . }} namespace: {{ template "pulsar.namespace" . }}
{{- end }} {{- end }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
namespace: {{ template "pulsar.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
namespace: {{ template "pulsar.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
subjects:
- kind: ServiceAccount
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
{{- if .Values.rbac.limit_to_namespace }}
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}"
{{- else}}
name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
{{- end}}
spec:
readOnlyRootFilesystem: false
privileged: false
allowPrivilegeEscalation: false
runAsUser:
rule: 'RunAsAny'
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
seLinux:
rule: 'RunAsAny'
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
{{- end}}

17
charts/pulsar/templates/broker-service-account.yaml
View File

@ -30,4 +30,21 @@ metadata:
{{- with .Values.broker.service_account.annotations }} {{- with .Values.broker.service_account.annotations }}
{{ toYaml . | indent 4 }} {{ toYaml . | indent 4 }}
{{- end }} {{- end }}
---
{{- end }}
{{- if or .Values.components.functions .Values.extra.functionsAsPods }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.functions.component }}
annotations:
{{- with .Values.functions.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
---
{{- end }} {{- end }}

6
charts/pulsar/templates/broker-statefulset.yaml
View File

@ -123,7 +123,7 @@ spec:
{{- end }} {{- end }}
echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3; echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3;
done; done;
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}
@ -155,7 +155,7 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}
@ -253,7 +253,7 @@ spec:
{{ toYaml .Values.broker.extraVolumeMounts | indent 10 }} {{ toYaml .Values.broker.extraVolumeMounts | indent 10 }}
{{- end }} {{- end }}
{{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }} {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}

9
charts/pulsar/templates/proxy-rbac.yaml → charts/pulsar/templates/proxy-psp.yaml
View File

@ -17,7 +17,7 @@
# under the License. # under the License.
# #
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -34,13 +34,6 @@ rules:
- use - use
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

33
charts/pulsar/templates/proxy-service-account.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if .Values.components.proxy }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.proxy.component }}
annotations:
{{- with .Values.proxy.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}

4
charts/pulsar/templates/proxy-statefulset.yaml
View File

@ -103,9 +103,7 @@ spec:
{{ end }} {{ end }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }} terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
{{- end}}
initContainers: initContainers:
# This init container will wait for zookeeper to be ready before # This init container will wait for zookeeper to be ready before
# deploying the bookies # deploying the bookies
@ -201,7 +199,7 @@ spec:
- name: "sts-{{ .Values.tlsPrefix }}pulsarssl" - name: "sts-{{ .Values.tlsPrefix }}pulsarssl"
containerPort: {{ .Values.proxy.ports.pulsarssl }} containerPort: {{ .Values.proxy.ports.pulsarssl }}
{{- end }} {{- end }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}

9
charts/pulsar/templates/toolset-rbac.yaml → charts/pulsar/templates/toolset-psp.yaml
View File

@ -17,7 +17,7 @@
# under the License. # under the License.
# #
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -34,13 +34,6 @@ rules:
- use - use
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

33
charts/pulsar/templates/toolset-service-account.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if .Values.components.toolset }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.toolset.component }}
annotations:
{{- with .Values.toolset.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}

6
charts/pulsar/templates/toolset-statefulset.yaml
View File

@ -58,9 +58,7 @@ spec:
{{ toYaml .Values.toolset.tolerations | indent 8 }} {{ toYaml .Values.toolset.tolerations | indent 8 }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }} terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
{{- end}}
containers: containers:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.broker "root" .) }}" image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.broker "root" .) }}"
@ -79,7 +77,7 @@ spec:
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
sleep 10000000000 sleep 10000000000
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}

9
charts/pulsar/templates/zookeeper-rbac.yaml → charts/pulsar/templates/zookeeper-psp.yaml
View File

@ -17,7 +17,7 @@
# under the License. # under the License.
# #
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -34,13 +34,6 @@ rules:
- use - use
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
namespace: {{ template "pulsar.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

33
charts/pulsar/templates/zookeeper-service-account.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
{{- if .Values.components.zookeeper }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: {{ .Values.zookeeper.component }}
annotations:
{{- with .Values.zookeeper.service_account.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}

4
charts/pulsar/templates/zookeeper-statefulset.yaml
View File

@ -100,9 +100,7 @@ spec:
{{ end }} {{ end }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }} terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }}
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
{{- end }}
{{- if .Values.zookeeper.securityContext }} {{- if .Values.zookeeper.securityContext }}
securityContext: securityContext:
{{ toYaml .Values.zookeeper.securityContext | indent 8 }} {{ toYaml .Values.zookeeper.securityContext | indent 8 }}
@ -163,7 +161,7 @@ spec:
{{- $zkConnectCommand = print "nc -q 1 localhost " .Values.zookeeper.ports.client -}} {{- $zkConnectCommand = print "nc -q 1 localhost " .Values.zookeeper.ports.client -}}
{{- end }} {{- end }}
{{- if .Values.zookeeper.probe.readiness.enabled }} {{- if .Values.zookeeper.probe.readiness.enabled }}
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end}} {{- end}}

29
charts/pulsar/values.yaml
View File

@ -376,6 +376,10 @@ zookeeper:
# External zookeeper server list in case of global-zk list to create zk cluster across zk deployed on different clusters/namespaces # External zookeeper server list in case of global-zk list to create zk cluster across zk deployed on different clusters/namespaces
# Example value: "us-east1-pulsar-zookeeper-0.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-1.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-2.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-0.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-1.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-2.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888" # Example value: "us-east1-pulsar-zookeeper-0.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-1.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-2.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-0.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-1.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-2.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888"
externalZookeeperServerList: "" externalZookeeperServerList: ""
## Zookeeper service account
## templates/zookeeper-service-account.yaml
service_account:
annotations: {}
## Zookeeper configmap ## Zookeeper configmap
## templates/zookeeper-configmap.yaml ## templates/zookeeper-configmap.yaml
## ##
@ -554,7 +558,10 @@ bookkeeper:
# ... # ...
# selector: # selector:
# ... # ...
## Bookkeeper service account
## templates/bookkeeper-service-account.yaml
service_account:
annotations: {}
## Bookkeeper configmap ## Bookkeeper configmap
## templates/bookkeeper-configmap.yaml ## templates/bookkeeper-configmap.yaml
## ##
@ -630,6 +637,10 @@ autorecovery:
requests: requests:
memory: 64Mi memory: 64Mi
cpu: 0.05 cpu: 0.05
## Bookkeeper auto-recovery service account
## templates/autorecovery-service-account.yaml
service_account:
annotations: {}
## Bookkeeper auto-recovery configmap ## Bookkeeper auto-recovery configmap
## templates/autorecovery-configmap.yaml ## templates/autorecovery-configmap.yaml
## ##
@ -805,6 +816,10 @@ functions:
# Set to true to deploy functions with Role and RoleBinding inside the specified namespace # Set to true to deploy functions with Role and RoleBinding inside the specified namespace
rbac: rbac:
limit_to_namespace: false limit_to_namespace: false
### Functions Worker service account
## templates/broker-service-account.yaml
service_account:
annotations: {}
## Pulsar: Proxy Cluster ## Pulsar: Proxy Cluster
## templates/proxy-statefulset.yaml ## templates/proxy-statefulset.yaml
@ -881,6 +896,10 @@ proxy:
# fieldRef: # fieldRef:
# apiVersion: v1 # apiVersion: v1
# fieldPath: status.podIP # fieldPath: status.podIP
## Proxy service account
## templates/proxy-service-account.yaml
service_account:
annotations: {}
## Proxy configmap ## Proxy configmap
## templates/proxy-configmap.yaml ## templates/proxy-configmap.yaml
## ##
@ -1016,8 +1035,12 @@ toolset:
# readOnly: true # readOnly: true
extraVolumes: [] extraVolumes: []
extraVolumeMounts: [] extraVolumeMounts: []
## Bastion configmap ## Toolset service account
## templates/bastion-configmap.yaml ## templates/toolset-service-account.yaml
service_account:
annotations: {}
## Toolset configmap
## templates/toolset-configmap.yaml
## ##
configData: configData:
PULSAR_MEM: > PULSAR_MEM: >