This is an automated email from the ASF dual-hosted git repository. gyfora pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
commit 8abb9f7af486e6e2cc729b24645d0ed36e8482fc
Author: Marton Balassi <[email protected]>
AuthorDate: Fri Mar 4 16:19:30 2022 +0100
[FLINK-26308][FLINK-26471] Separate Flink job role from operator role
---
e2e-tests/data/cr.yaml | 2 +-
examples/basic-checkpoint-ha.yaml | 2 +-
examples/basic-ingress.yaml | 2 +-
examples/basic-session.yaml | 2 +-
examples/basic.yaml | 2 +-
examples/custom-logging.yaml | 2 +-
examples/pod-template.yaml | 2 +-
helm/flink-operator/templates/_helpers.tpl | 17 ++++-
helm/flink-operator/templates/rbac.yaml | 84 +++++++++++++++++++++--
helm/flink-operator/templates/serviceaccount.yaml | 33 +++++++--
helm/flink-operator/values.yaml | 8 ++-
11 files changed, 135 insertions(+), 21 deletions(-)
diff --git a/e2e-tests/data/cr.yaml b/e2e-tests/data/cr.yaml
index 90069f9..3919e48 100644
--- a/e2e-tests/data/cr.yaml
+++ b/e2e-tests/data/cr.yaml
@@ -30,7 +30,7 @@ spec:
high-availability.storageDir: file:///opt/flink/volume/flink-ha
state.checkpoints.dir: file:///opt/flink/volume/flink-cp
state.savepoints.dir: file:///opt/flink/volume/flink-sp
- serviceAccount: flink-operator
+ serviceAccount: flink
podTemplate:
apiVersion: v1
kind: Pod
diff --git a/examples/basic-checkpoint-ha.yaml b/examples/basic-checkpoint-ha.yaml
index 42c137a..1796bfb 100644
--- a/examples/basic-checkpoint-ha.yaml
+++ b/examples/basic-checkpoint-ha.yaml
@@ -40,7 +40,7 @@ spec:
cpu: 1
podTemplate:
spec:
- serviceAccount: flink-operator
+ serviceAccount: flink
containers: - name: flink-main-container
volumeMounts:
diff --git a/examples/basic-ingress.yaml b/examples/basic-ingress.yaml
index 5be18cd..ad9b1ef 100644
--- a/examples/basic-ingress.yaml
+++ b/examples/basic-ingress.yaml
@@ -29,7 +29,7 @@ spec:
# rest.address: basic-example.flink.k8s.io
# rest.port: "80"
taskmanager.numberOfTaskSlots: "2"
- serviceAccount: flink-operator
+ serviceAccount: flink
jobManager:
replicas: 1
resource:
diff --git a/examples/basic-session.yaml b/examples/basic-session.yaml
index 613b411..c78d030 100644
--- a/examples/basic-session.yaml
+++ b/examples/basic-session.yaml
@@ -26,7 +26,7 @@ spec:
flinkVersion: 1.14.3
flinkConfiguration:
taskmanager.numberOfTaskSlots: "2"
- serviceAccount: flink-operator
+ serviceAccount: flink
jobManager:
replicas: 1
resource:
diff --git a/examples/basic.yaml b/examples/basic.yaml
index 3e6c0e3..8844a35 100644
--- a/examples/basic.yaml
+++ b/examples/basic.yaml
@@ -26,7 +26,7 @@ spec:
flinkVersion: 1.14.3
flinkConfiguration:
taskmanager.numberOfTaskSlots: "2"
- serviceAccount: flink-operator
+ serviceAccount: flink
jobManager:
replicas: 1
resource:
diff --git a/examples/custom-logging.yaml b/examples/custom-logging.yaml
index 27450a1..4376a81 100644
--- a/examples/custom-logging.yaml
+++ b/examples/custom-logging.yaml
@@ -26,7 +26,7 @@ spec:
flinkVersion: 1.14.3
flinkConfiguration:
taskmanager.numberOfTaskSlots: "2"
- serviceAccount: flink-operator
+ serviceAccount: flink
jobManager:
replicas: 1
resource:
diff --git a/examples/pod-template.yaml b/examples/pod-template.yaml
index 3e40413..c81dc2b 100644
--- a/examples/pod-template.yaml
+++ b/examples/pod-template.yaml
@@ -32,7 +32,7 @@ spec:
metadata:
name: pod-template
spec:
- serviceAccount: flink-operator
+ serviceAccount: flink
containers:
# Do not change the main container name - name: flink-main-container
diff --git a/helm/flink-operator/templates/_helpers.tpl b/helm/flink-operator/templates/_helpers.tpl
index ab9e968..5e7bb9c 100644
--- a/helm/flink-operator/templates/_helpers.tpl
+++ b/helm/flink-operator/templates/_helpers.tpl
@@ -68,12 +68,23 @@ app.kubernetes.io/name: {{ include "flink-operator.name" . }}
{{- end }}
{{/*
-Create the name of the service account to use
+Create the name of the operator service account to use
*/}}
{{- define "flink-operator.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "flink-operator.fullname" .) .Values.serviceAccount.name }}
+{{- if .Values.operatorServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Create the name of the job service account to use
+*/}}
+{{- define "flink-operator.jobServiceAccountName" -}}
+{{- if .Values.jobServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }}
+{{- else }}
+{{- default "default" .Values.jobServiceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/flink-operator/templates/rbac.yaml b/helm/flink-operator/templates/rbac.yaml
index b9c4418..ee3887d 100644
--- a/helm/flink-operator/templates/rbac.yaml
+++ b/helm/flink-operator/templates/rbac.yaml
@@ -17,7 +17,7 @@
################################################################################
{{/*
-RBAC rules used to create the (cluster)role based on the operator scope
+RBAC rules used to create the operator (cluster)role based on the scope
*/}}
{{- define "flink-operator.rbacRules" }}
rules:
@@ -68,6 +68,27 @@ rules:
verbs: - "*"
{{- end }}
+
+{{/*
+RBAC rules used to create the job (cluster)role based on the scope
+*/}}
+{{- define "flink-operator.jobRbacRules" }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - '*'
+{{- end }}
+
---
{{- if .Values.rbac.create }}
---
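Review bot: The `{{- else }}` branch of `flink-operator.serviceAccountName` still reads `.Values.serviceAccount.name`, although the `if` branch and `values.yaml` in this same commit rename that key to `operatorServiceAccount`; with `operatorServiceAccount.create: false` the helper now dereferences a values key that no longer exists, which Helm will most likely reject with a nil-pointer template error rather than return the configured account name. Change that context line to `{{- default "default" .Values.operatorServiceAccount.name }}`, matching the new `jobServiceAccountName` helper directly below, which already reads `jobServiceAccount.name` in both branches.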
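Review bot: `flink-operator.jobRbacRules` grants verbs `'*'` on pods, configmaps and `apps/deployments`, so any workload running as the job service account can patch or delete every Pod, ConfigMap and Deployment in its namespace, not just the ones belonging to its own Flink cluster; the purpose of this commit is to shrink the job account's privileges relative to the operator's, and a wildcard verb list undercuts that. Replace each `- '*'` with the explicit verbs the Flink native Kubernetes integration actually requires (presumably some subset of `create`, `get`, `list`, `watch`, `update`, `patch`, `delete` — take the list from Flink's own RBAC documentation rather than guessing), and put a comment above the define such as `{{/* Minimal rights for the Flink JobManager to manage its own TaskManager pods and HA configmaps; keep the verb list explicit */}}`. The `deployments` rule in particular deserves a one-line comment saying why the job needs write access to that resource, since Deployments are the resource an attacker would use to pivot to other workloads in the namespace.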
@@ -86,6 +107,17 @@ metadata:
{{- template "flink-operator.rbacRules" $ }}
---
apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: flink
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: flink-operator-role-binding
@@ -98,10 +130,25 @@ roleRef:
apiGroup: rbac.authorization.k8s.io
subjects: - kind: ServiceAccount
- name: {{ template "flink-operator.serviceAccountName" $ }}
+ name: {{ include "flink-operator.serviceAccountName" $ }}
namespace: {{ $.Values.operatorNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: flink-role-binding
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: Role
+ name: flink
+ apiGroup: rbac.authorization.k8s.io
+subjects: - kind: ServiceAccount
- name: {{ template "flink-operator.serviceAccountName" $ }}
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
namespace: {{ . }}
---
{{- end }}
@@ -120,6 +167,17 @@ metadata:
{{- template "flink-operator.rbacRules" $ }}
---
apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: flink
+ namespace: {{ .Values.operatorNamespace.name }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: flink-operator-cluster-role-binding
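Review bot: The per-namespace `Role flink` and `RoleBinding flink-role-binding` added here both carry `"helm.sh/resource-policy": keep`, so they outlive the release: `helm uninstall`, or simply dropping a namespace from `watchNamespaces` on upgrade, leaves a privileged Role and its binding behind in every namespace that was ever watched, owned and cleaned up by nothing. That is presumably deliberate so running Flink jobs keep their RBAC across an operator reinstall, but the template gives no hint of it and the annotation is easy to miss; add a comment above the Role, e.g. `{{/* Kept on uninstall/upgrade so running Flink jobs do not lose their RBAC; delete manually when a namespace stops hosting Flink jobs */}}`, and mention the manual cleanup in the chart's documentation. Note also that the Role name `flink` is fixed while the bound service account name comes from `jobServiceAccount.name`, so two releases sharing a namespace would collide on the Role.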
@@ -132,7 +190,25 @@ roleRef:
apiGroup: rbac.authorization.k8s.io
subjects: - kind: ServiceAccount
- name: {{ template "flink-operator.serviceAccountName" . }}
+ name: {{ include "flink-operator.serviceAccountName" . }}
+ namespace: {{ .Values.operatorNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: flink-role-binding
+ namespace: {{ .Values.operatorNamespace.name }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: Role
+ name: flink
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.jobServiceAccountName" . }}
namespace: {{ .Values.operatorNamespace.name }}
{{- end }}
{{- end }}
diff --git a/helm/flink-operator/templates/serviceaccount.yaml b/helm/flink-operator/templates/serviceaccount.yaml
index b802b2a..6602e57 100644
--- a/helm/flink-operator/templates/serviceaccount.yaml
+++ b/helm/flink-operator/templates/serviceaccount.yaml
@@ -17,7 +17,7 @@
################################################################################
---
-{{- if .Values.serviceAccount.create -}}
+{{- if .Values.operatorServiceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
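Review bot: In the cluster-scoped branch the new `flink-role-binding` binds the job service account in `operatorNamespace` to Role `flink`, which through `jobRbacRules` carries `'*'` on `apps/deployments` in that same namespace. If the operator's own Deployment lives there — which the operator service account being in `.Values.operatorNamespace.name` strongly suggests — a Flink job pod running as the job account could patch the operator Deployment (image, command, env) and thereby execute code under the operator's ClusterRole, turning a namespace-scoped job compromise into a cluster-wide one. At minimum this deserves a comment next to the binding, e.g. `{{/* NOTE: grants Deployment write access in the operator namespace; run Flink jobs in dedicated watchNamespaces rather than alongside the operator */}}`, and ideally the deployment verbs should be narrowed so the job account cannot modify Deployments it did not create.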
@@ -25,25 +25,46 @@ metadata:
namespace: {{ .Values.operatorNamespace.name }}
labels:
{{- include "flink-operator.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
+ {{- with .Values.operatorServiceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
+{{- end }}
---
+{{- if .Values.jobServiceAccount.create -}}
+{{/*
+Create job service accounts for all watched namespaces.
+*/}}
{{- if .Values.watchNamespaces}}
{{- range .Values.watchNamespaces }}
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ include "flink-operator.serviceAccountName" $ }}
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
namespace: {{ . }}
labels:
{{- include "flink-operator.labels" $ | nindent 4 }}
- {{- with $.Values.serviceAccount.annotations }}
+ {{- with $.Values.jobServiceAccount.annotations }}
annotations:
- {{- toYaml $ | nindent 4 }}
+ {{- toYaml . | nindent 4 }}
{{- end }}
---
{{- end }}
+{{/*
+Create the job servife account for the operator namespace, it is to be added for other namespaces manually
+(or via specifying them in watchNamespaces).
+*/}}
+{{- else}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ .Values.operatorNamespace.name }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ {{- with .Values.jobServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/flink-operator/values.yaml b/helm/flink-operator/values.yaml
index 854a36f..534ce59 100644
--- a/helm/flink-operator/values.yaml
+++ b/helm/flink-operator/values.yaml
@@ -36,11 +36,17 @@ rbac:
ingress:
create: false
-serviceAccount:
+operatorServiceAccount:
create: true
annotations: {}
name: "flink-operator"
+jobServiceAccount:
+ create: true
+ annotations:
+ "helm.sh/resource-policy": keep
+ name: "flink"
+
webhook:
create: true
keystore:
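Review bot: The new template comment reads `Create the job servife account for the operator namespace`; fix the typo to `service`. That comment also sits inside the `watchNamespaces` branch, immediately before `{{- else}}`, so on a first read it appears to describe the `range` block above it rather than the single-account fallback below; moving the `{{/* ... */}}` block to just after `{{- else}}` (and writing it `{{- else }}` to match the spacing used elsewhere in this file) attaches it to the code it documents. The file now also ends without a trailing newline, as the `\ No newline at end of file` marker shows; restore it to keep the template consistent with the rest of the chart.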
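Review bot: The new `jobServiceAccount` block in `values.yaml` is undocumented, and its default `annotations` of `"helm.sh/resource-policy": keep` has a non-obvious consequence: the job service account survives `helm uninstall`, whereas `operatorServiceAccount` does not. Add a short comment above the block, e.g. `# Service account used by Flink job pods (not by the operator). Kept on uninstall so running jobs keep their identity; with create: false you must supply the account in every watched namespace yourself.`, so chart users understand both why the account persists and what they take on by disabling creation. The same comment could point at the `flink` Role/RoleBinding that the chart creates for this account, since the two are only useful together.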
