pulsar-helm-chart/charts/pulsar/templates/proxy-statefulset.yaml
Thomas O'Neill 19d6ce6488
Add Support for imagePullSecrets (#140)
Fixes #125

### Motivation

The default images in values.yaml are hosted on Docker Hub. This PR lets us supply image pull secrets for the containers, which works around Docker Hub's rate limiting when the nodes are not logged in to Docker Hub.

### Modifications

Added a new template to generate `imagePullSecrets`, and included them in the deployments and statefulsets. This will only add them if they are specified under `images.imagePullSecrets`

### Verifying this change

- [] Make sure that the change passes the CI checks.
2021-08-20 17:22:50 -07:00


#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
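{{- if or .Values.components.proxy .Values.extra.proxy }}
# StatefulSet for the Pulsar proxy. Rendered only when components.proxy or
# extra.proxy is set in values.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
    component: {{ .Values.proxy.component }}
spec:
  serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  replicas: {{ .Values.proxy.replicaCount }}
  selector:
    matchLabels:
      {{- include "pulsar.matchLabels" . | nindent 6 }}
      component: {{ .Values.proxy.component }}
  updateStrategy:
    type: RollingUpdate
  podManagementPolicy: Parallel
  template:
    metadata:
      labels:
        {{- include "pulsar.template.labels" . | nindent 8 }}
        component: {{ .Values.proxy.component }}
      annotations:
        # Ask Prometheus to scrape this pod on the proxy HTTP port.
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.proxy.ports.http }}"
        {{- if .Values.proxy.restartPodsOnConfigMapChange }}
        # Hash of the rendered proxy ConfigMap: a config change alters the pod
        # template and so triggers a rolling restart.
        checksum/config: {{ include (print $.Template.BasePath "/proxy-configmap.yaml") . | sha256sum }}
        {{- end }}
{{- with .Values.proxy.annotations }}
{{ toYaml . | indent 8 }}
{{- end }}
    spec:
    {{- if .Values.proxy.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.proxy.nodeSelector | indent 8 }}
    {{- end }}
    {{- if .Values.proxy.tolerations }}
      tolerations:
{{ toYaml .Values.proxy.tolerations | indent 8 }}
    {{- end }}
      # Anti-affinity keyed on app/release/component with hostname topology.
      # In "required" mode two proxy pods never share a node; in any other mode
      # it is a weight-100 scheduling preference.
      affinity:
        {{- if and .Values.affinity.anti_affinity .Values.proxy.affinity.anti_affinity}}
        podAntiAffinity:
          {{ if eq .Values.proxy.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}}
          {{ .Values.proxy.affinity.type }}:
          - labelSelector:
              matchExpressions:
              - key: "app"
                operator: In
                values:
                - "{{ template "pulsar.name" . }}"
              - key: "release"
                operator: In
                values:
                - {{ .Release.Name }}
              - key: "component"
                operator: In
                values:
                - {{ .Values.proxy.component }}
            topologyKey: "kubernetes.io/hostname"
          {{ else }}
          {{ .Values.proxy.affinity.type }}:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: "app"
                  operator: In
                  values:
                  - "{{ template "pulsar.name" . }}"
                - key: "release"
                  operator: In
                  values:
                  - {{ .Release.Name }}
                - key: "component"
                  operator: In
                  values:
                  - {{ .Values.proxy.component }}
              topologyKey: "kubernetes.io/hostname"
          {{ end }}
        {{- end }}
      terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
      # A dedicated service account is referenced only when both rbac.enabled
      # and rbac.psp are set; otherwise no serviceAccountName is rendered.
      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
      {{- end}}
      initContainers:
      # This init container will wait for zookeeper to be ready before
      # starting the proxy.
      # NOTE(review): chart values are interpolated unquoted into the sh -c
      # strings of both init containers, so the values file has to be treated
      # as trusted input.
      - name: wait-zookeeper-ready
        image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}"
        imagePullPolicy: {{ .Values.images.proxy.pullPolicy }}
        command: ["sh", "-c"]
        args:
        - >-
          {{- if $zk:=.Values.pulsar_metadata.userProvidedZookeepers }}
          until bin/pulsar zookeeper-shell -server {{ $zk }} ls {{ or .Values.metadataPrefix "/" }}; do
            echo "user provided zookeepers {{ $zk }} are unreachable... check in 3 seconds ..." && sleep 3;
          done;
          {{ else }}
          until bin/pulsar zookeeper-shell -server {{ template "pulsar.configurationStore.service" . }} get {{ .Values.metadataPrefix }}/admin/clusters/{{ template "pulsar.cluster.name" . }}; do
            sleep 3;
          done;
          {{- end}}
      # This init container will wait for at least one broker to be ready before
      # deploying the proxy
      - name: wait-broker-ready
        image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}"
        imagePullPolicy: {{ .Values.images.proxy.pullPolicy }}
        command: ["sh", "-c"]
        args:
        - >-
          set -e;
          brokerServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.broker.component }} | grep Name | wc -l)";
          until [ ${brokerServiceNumber} -ge 1 ]; do
            echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 10 seconds ...";
            sleep 10;
            brokerServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.broker.component }} | grep Name | wc -l)";
          done;
      containers:
      - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
        # NOTE(review): the image is selected by repository and tag; a mutable
        # tag can change what runs between pulls.
        image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}"
        imagePullPolicy: {{ .Values.images.proxy.pullPolicy }}
        # All three probes hit /status.html on the HTTP port; each is optional.
        {{- if .Values.proxy.probe.liveness.enabled }}
        livenessProbe:
          httpGet:
            path: /status.html
            port: {{ .Values.proxy.ports.http }}
          initialDelaySeconds: {{ .Values.proxy.probe.liveness.initialDelaySeconds }}
          periodSeconds: {{ .Values.proxy.probe.liveness.periodSeconds }}
          failureThreshold: {{ .Values.proxy.probe.liveness.failureThreshold }}
        {{- end }}
        {{- if .Values.proxy.probe.readiness.enabled }}
        readinessProbe:
          httpGet:
            path: /status.html
            port: {{ .Values.proxy.ports.http }}
          initialDelaySeconds: {{ .Values.proxy.probe.readiness.initialDelaySeconds }}
          periodSeconds: {{ .Values.proxy.probe.readiness.periodSeconds }}
          failureThreshold: {{ .Values.proxy.probe.readiness.failureThreshold }}
        {{- end }}
        {{- if .Values.proxy.probe.startup.enabled }}
        startupProbe:
          httpGet:
            path: /status.html
            port: {{ .Values.proxy.ports.http }}
          initialDelaySeconds: {{ .Values.proxy.probe.startup.initialDelaySeconds }}
          periodSeconds: {{ .Values.proxy.probe.startup.periodSeconds }}
          failureThreshold: {{ .Values.proxy.probe.startup.failureThreshold }}
        {{- end }}
      {{- if .Values.proxy.resources }}
        resources:
{{ toYaml .Values.proxy.resources | indent 10 }}
      {{- end }}
        command: ["sh", "-c"]
        # Applies the environment (see envFrom) to conf/proxy.conf, writes a
        # status marker file, then replaces the shell with the proxy process.
        args:
        - >
          bin/apply-config-from-env.py conf/proxy.conf &&
          echo "OK" > status &&
          exec bin/pulsar proxy
        ports:
        # prometheus needs to access /metrics endpoint
        - name: http
          containerPort: {{ .Values.proxy.ports.http }}
        # The plaintext binary port is exposed unless both tls.enabled and
        # tls.proxy.enabled are true; the HTTP port above is always exposed.
        {{- if or (not .Values.tls.enabled) (not .Values.tls.proxy.enabled) }}
        - name: pulsar
          containerPort: {{ .Values.proxy.ports.pulsar }}
        {{- end }}
        {{- if and (.Values.tls.enabled) (.Values.tls.proxy.enabled) }}
        - name: https
          containerPort: {{ .Values.proxy.ports.https }}
        - name: pulsarssl
          containerPort: {{ .Values.proxy.ports.pulsarssl }}
        {{- end }}
      # Rendered only with rbac.enabled and rbac.psp. The root filesystem stays
      # writable: the start command writes a status file and runs
      # apply-config-from-env.py on conf/proxy.conf (presumably rewriting it),
      # so a read-only root would need writable mounts for those paths.
      # NOTE(review): no other hardening fields (runAsNonRoot,
      # allowPrivilegeEscalation, capabilities) are set in this template.
      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
        securityContext:
          readOnlyRootFilesystem: false
      {{- end }}
        envFrom:
        - configMapRef:
            name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
        {{- if or .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }}
        # Every mount below is read-only and must have a matching entry under
        # "volumes" rendered by the same condition.
        volumeMounts:
          {{- if .Values.auth.authentication.enabled }}
          {{- if eq .Values.auth.authentication.provider "jwt" }}
        - mountPath: "/pulsar/keys"
          name: token-keys
          readOnly: true
        - mountPath: "/pulsar/tokens"
          name: proxy-token
          readOnly: true
          {{- end }}
          {{- end }}
          {{- if .Values.tls.proxy.enabled }}
        - mountPath: "/pulsar/certs/proxy"
          name: proxy-certs
          readOnly: true
          {{- end}}
          {{- if .Values.tls.enabled }}
        - mountPath: "/pulsar/certs/ca"
          name: ca
          readOnly: true
          {{- end}}
        {{- end}}
      # Pod-level imagePullSecrets, emitted by a helper defined elsewhere in the
      # chart; the referenced secrets must exist in the release namespace.
      {{- include "pulsar.imagePullSecrets" . | nindent 6}}
      # The guard matches the volumeMounts guard above. It previously required
      # tls.proxy.enabled, so a broker-only TLS setup rendered a "ca" mount with
      # no volumes section at all and the pod spec failed validation.
      {{- if or .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }}
      volumes:
        {{- if .Values.auth.authentication.enabled }}
        {{- if eq .Values.auth.authentication.provider "jwt" }}
      # With usingSecretKey the symmetric key is mounted into the proxy; whoever
      # can read that key can mint tokens as well as verify them. The asymmetric
      # branch mounts only the public key.
      - name: token-keys
        secret:
          {{- if not .Values.auth.authentication.jwt.usingSecretKey }}
          secretName: "{{ .Release.Name }}-token-asymmetric-key"
          {{- end}}
          {{- if .Values.auth.authentication.jwt.usingSecretKey }}
          secretName: "{{ .Release.Name }}-token-symmetric-key"
          {{- end}}
          items:
            {{- if .Values.auth.authentication.jwt.usingSecretKey }}
          - key: SECRETKEY
            path: token/secret.key
            {{- else }}
          - key: PUBLICKEY
            path: token/public.key
            {{- end}}
      # Token stored for the role named by auth.superUsers.proxy.
      - name: proxy-token
        secret:
          secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.proxy }}"
          items:
          - key: TOKEN
            path: proxy/token
        {{- end}}
        {{- end}}
        # "ca" follows tls.enabled, the same condition as its mount.
        # NOTE(review): confirm the ca-tls secret is created whenever
        # tls.enabled is set; that is decided by templates outside this file.
        {{- if .Values.tls.enabled }}
      - name: ca
        secret:
          secretName: "{{ .Release.Name }}-ca-tls"
          items:
          - key: ca.crt
            path: ca.crt
        {{- end}}
        # Only the proxy certificate and private key are projected from the
        # certificate secret.
        {{- if .Values.tls.proxy.enabled }}
      - name: proxy-certs
        secret:
          secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
        {{- end}}
      {{- end}}
{{- end }}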