This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 0b2d9b4  Decouple Service account creation from PodSecurityPolicy 
(#387)
0b2d9b4 is described below

commit 0b2d9b4d5d48f74dfdd0e8e5b008cf8e2701e921
Author: Frank Kelly <[email protected]>
AuthorDate: Thu Dec 21 07:40:54 2023 -0500

    Decouple Service account creation from PodSecurityPolicy (#387)
    
    * Proposal: service account creation should be decoupled from
PodSecurityPolicy.
    
    * Rename *-rbac.yaml to *-psp.yaml and move service account to 
*-service-account.yaml
    
    * Test with psp enabled
    
    Co-authored-by: Lari Hotari <[email protected]>
---
 .ci/clusters/values-psp.yaml                       | 87 ++++++++++++++++++++++
 .github/workflows/pulsar-helm-chart-ci.yaml        |  3 +
 ...utorecovery-rbac.yaml => autorecovery-psp.yaml} |  9 +--
 ...ount.yaml => autorecovery-service-account.yaml} |  8 +-
 .../pulsar/templates/autorecovery-statefulset.yaml |  4 +-
 .../templates/bookkeeper-cluster-initialize.yaml   |  4 +-
 .../{bookkeeper-rbac.yaml => bookkeeper-psp.yaml}  |  9 +--
 ...ccount.yaml => bookkeeper-service-account.yaml} |  8 +-
 .../pulsar/templates/bookkeeper-statefulset.yaml   |  6 +-
 .../templates/{proxy-rbac.yaml => broker-psp.yaml} | 25 +++----
 charts/pulsar/templates/broker-rbac.yaml           | 79 +-------------------
 .../pulsar/templates/broker-service-account.yaml   | 17 +++++
 charts/pulsar/templates/broker-statefulset.yaml    |  6 +-
 .../templates/{proxy-rbac.yaml => proxy-psp.yaml}  |  9 +--
 ...ice-account.yaml => proxy-service-account.yaml} |  8 +-
 charts/pulsar/templates/proxy-statefulset.yaml     |  4 +-
 .../{toolset-rbac.yaml => toolset-psp.yaml}        |  9 +--
 ...e-account.yaml => toolset-service-account.yaml} |  8 +-
 charts/pulsar/templates/toolset-statefulset.yaml   |  6 +-
 .../{zookeeper-rbac.yaml => zookeeper-psp.yaml}    |  9 +--
 ...account.yaml => zookeeper-service-account.yaml} |  8 +-
 charts/pulsar/templates/zookeeper-statefulset.yaml |  4 +-
 charts/pulsar/values.yaml                          | 29 +++++++-
 23 files changed, 179 insertions(+), 180 deletions(-)

diff --git a/.ci/clusters/values-psp.yaml b/.ci/clusters/values-psp.yaml
new file mode 100644
index 0000000..51f2c67
--- /dev/null
+++ b/.ci/clusters/values-psp.yaml
@@ -0,0 +1,87 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+kube-prometheus-stack:
+  enabled: false
+  prometheusOperator:
+    enabled: false
+  grafana:
+    enabled: false
+  alertmanager:
+    enabled: false
+  prometheus:
+    enabled: false
+
+# disabled AntiAffinity
+affinity:
+  anti_affinity: false
+
+# disable auto recovery and pulsar manager
+components:
+  autorecovery: false
+  pulsar_manager: false
+
+zookeeper:
+  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+
+bookkeeper:
+  replicaCount: 2
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+  configData:
+    diskUsageThreshold: "0.999"
+    diskUsageWarnThreshold: "0.999"
+    PULSAR_PREFIX_diskUsageThreshold: "0.999"
+    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
+
+broker:
+  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+  configData:
+    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
+    ## without persistence
+    autoSkipNonRecoverableData: "true"
+    # storage settings
+    managedLedgerDefaultEnsembleSize: "1"
+    managedLedgerDefaultWriteQuorum: "1"
+    managedLedgerDefaultAckQuorum: "1"
+
+autorecovery:
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+
+proxy:
+  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+
+toolset:
+  useProxy: false
+
+rbac:
+  enabled: true
+  psp: true
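Review bot: The `rbac.psp: true` block at the end of this file does not say that PodSecurityPolicy objects are only rendered on Kubernetes older than 1.25 — every template in this commit gates on `semverCompare "<1.25-0" .Capabilities.KubeVersion.Version` — so a reader of these CI values cannot tell which cluster versions the file actually exercises. Add a comment above the block: `# PSP objects are only rendered on Kubernetes < 1.25; on newer clusters these values produce no PodSecurityPolicy, Role or RoleBinding`. The `enabled: false` keys and the quoted numeric strings under configData are fine as written.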
diff --git a/.github/workflows/pulsar-helm-chart-ci.yaml 
b/.github/workflows/pulsar-helm-chart-ci.yaml
index b1ef2d2..b880895 100644
--- a/.github/workflows/pulsar-helm-chart-ci.yaml
+++ b/.github/workflows/pulsar-helm-chart-ci.yaml
@@ -186,6 +186,9 @@ jobs:
           - name: ZK & BK TLS Only
             values_file: .ci/clusters/values-zkbk-tls.yaml
             shortname: zkbk-tls
+          - name: PSP
+            values_file: .ci/clusters/values-psp.yaml
+            shortname: psp
     env:
       k8sVersion: ${{ matrix.k8sVersion.kind_image_tag }}
       KUBECTL_VERSION: ${{ matrix.k8sVersion.version }}
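Review bot: The new `PSP` matrix entry only tests PodSecurityPolicy rendering if the job's `k8sVersion` matrix includes a kind image older than 1.25, because every template in this commit is gated on `semverCompare "<1.25-0" .Capabilities.KubeVersion.Version`; the `k8sVersion` list is outside this hunk, so I cannot confirm what it carries. If the matrix only has 1.25+ images, the job passes while rendering none of the PSP objects, which would hide a regression in the *-psp.yaml templates. Consider pinning this entry to a pre-1.25 kind image, or having the test script assert that a PodSecurityPolicy exists when `rbac.psp` is true.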
diff --git a/charts/pulsar/templates/autorecovery-rbac.yaml 
b/charts/pulsar/templates/autorecovery-psp.yaml
similarity index 91%
rename from charts/pulsar/templates/autorecovery-rbac.yaml
rename to charts/pulsar/templates/autorecovery-psp.yaml
index 6885497..d089f39 100644
--- a/charts/pulsar/templates/autorecovery-rbac.yaml
+++ b/charts/pulsar/templates/autorecovery-psp.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
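Review bot: The gate `and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp` is copied verbatim into every *-psp.yaml template and into the securityContext blocks of the statefulsets in this commit (bookkeeper-psp.yaml, broker-psp.yaml, proxy-psp.yaml, toolset-psp.yaml, zookeeper-psp.yaml, the *-statefulset.yaml hunks and bookkeeper-cluster-initialize.yaml), which invites drift the next time the version cutoff or the values keys change. A named helper in _helpers.tpl, for example `{{- define "pulsar.pspEnabled" -}}{{ and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}{{- end -}}`, would let each file write `{{- if eq (include "pulsar.pspEnabled" .) "true" }}` instead. Note also that `.Capabilities.KubeVersion` under `helm template` or `helm lint` without `--kube-version` is Helm's built-in default rather than the target cluster's version, so offline rendering may silently take the other branch.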
@@ -34,13 +34,6 @@ rules:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component 
}}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/autorecovery-service-account.yaml
similarity index 79%
copy from charts/pulsar/templates/broker-service-account.yaml
copy to charts/pulsar/templates/autorecovery-service-account.yaml
index 6be8b1d..56da030 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/autorecovery-service-account.yaml
@@ -17,17 +17,17 @@
 # under the License.
 #
 
-{{- if .Values.components.broker }}
+{{- if or .Values.components.autorecovery .Values.extra.autoRecovery  }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component 
}}"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: {{ .Values.broker.component }}
+    component: {{ .Values.autorecovery.component }}
   annotations:
-{{- with .Values.broker.service_account.annotations }}
+{{- with .Values.autorecovery.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
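Review bot: The condition on the first template line carries a double space before `}}` (`.Values.extra.autoRecovery  }}`); harmless to Helm but inconsistent with the sibling service-account files, so `{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }}`. Each component now gets its own ServiceAccount whether or not PSP is in use, and its pods mount that account's token by default; for components that never call the Kubernetes API the token is unused credential material in the pod, so consider `automountServiceAccountToken: false` on the ServiceAccount here and in the bookkeeper, proxy, toolset and zookeeper service-account files, with a values override for operators who need it. Whether any of these components reads the API is not visible in this diff, so confirm per component before applying it.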
diff --git a/charts/pulsar/templates/autorecovery-statefulset.yaml 
b/charts/pulsar/templates/autorecovery-statefulset.yaml
index 6c48f40..3d3b4ce 100644
--- a/charts/pulsar/templates/autorecovery-statefulset.yaml
+++ b/charts/pulsar/templates/autorecovery-statefulset.yaml
@@ -104,9 +104,7 @@ spec:
         {{ end }}
         {{- end }}
       terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }}
-    {{- if and .Values.rbac.enabled  .Values.rbac.psp }}
       serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.autorecovery.component }}"
-    {{- end}}
       initContainers:
       # This initContainer will wait for bookkeeper initnewcluster to complete
       # before deploying the bookies
@@ -130,7 +128,7 @@ spec:
         resources:
 {{ toYaml .Values.autorecovery.resources | indent 10 }}
       {{- end }}
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end}}
diff --git a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml 
b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
index 6de4202..66fa404 100644
--- a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
+++ b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
@@ -34,9 +34,7 @@ spec:
 {{- end }}
   template:
     spec:
-    {{- if and .Values.rbac.enabled .Values.rbac.psp }}
       serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.bookkeeper.component }}"
-    {{- end }}
       nodeSelector:
       {{- if .Values.pulsar_metadata.nodeSelector }}
 {{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }}
@@ -83,7 +81,7 @@ spec:
             {{- if .Values.extraInitCommand }}
               {{ .Values.extraInitCommand }}
             {{- end }}
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
diff --git a/charts/pulsar/templates/bookkeeper-rbac.yaml 
b/charts/pulsar/templates/bookkeeper-psp.yaml
similarity index 91%
rename from charts/pulsar/templates/bookkeeper-rbac.yaml
rename to charts/pulsar/templates/bookkeeper-psp.yaml
index 0eaf2f2..ed7c6e6 100644
--- a/charts/pulsar/templates/bookkeeper-rbac.yaml
+++ b/charts/pulsar/templates/bookkeeper-psp.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -34,13 +34,6 @@ rules:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/bookkeeper-service-account.yaml
similarity index 81%
copy from charts/pulsar/templates/broker-service-account.yaml
copy to charts/pulsar/templates/bookkeeper-service-account.yaml
index 6be8b1d..245284e 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/bookkeeper-service-account.yaml
@@ -17,17 +17,17 @@
 # under the License.
 #
 
-{{- if .Values.components.broker }}
+{{- if .Values.components.bookkeeper }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: {{ .Values.broker.component }}
+    component: {{ .Values.bookkeeper.component }}
   annotations:
-{{- with .Values.broker.service_account.annotations }}
+{{- with .Values.bookkeeper.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/bookkeeper-statefulset.yaml 
b/charts/pulsar/templates/bookkeeper-statefulset.yaml
index 23706e1..a81245c 100644
--- a/charts/pulsar/templates/bookkeeper-statefulset.yaml
+++ b/charts/pulsar/templates/bookkeeper-statefulset.yaml
@@ -101,9 +101,7 @@ spec:
         {{ end }}
         {{- end }}
       terminationGracePeriodSeconds: {{ .Values.bookkeeper.gracePeriod }}
-    {{- if and .Values.rbac.enabled .Values.rbac.psp }}
       serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.bookkeeper.component }}"
-    {{- end}}
       {{- if .Values.bookkeeper.securityContext }}
       securityContext:
 {{ toYaml .Values.bookkeeper.securityContext | indent 8 }}
@@ -122,7 +120,7 @@ spec:
         envFrom:
         - configMapRef:
             name: "{{ template "pulsar.fullname" . }}-{{ 
.Values.bookkeeper.component }}"
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end}}
@@ -175,7 +173,7 @@ spec:
           bin/apply-config-from-env.py conf/bookkeeper.conf;
           {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 
10 }}
           OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar 
bookie;
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end}}
diff --git a/charts/pulsar/templates/proxy-rbac.yaml 
b/charts/pulsar/templates/broker-psp.yaml
similarity index 69%
copy from charts/pulsar/templates/proxy-rbac.yaml
copy to charts/pulsar/templates/broker-psp.yaml
index 72298ee..35416be 100644
--- a/charts/pulsar/templates/proxy-rbac.yaml
+++ b/charts/pulsar/templates/broker-psp.yaml
@@ -17,42 +17,35 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
   namespace: {{ template "pulsar.namespace" . }}
 rules:
   - apiGroups:
       - policy
     resourceNames:
-      - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+      - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
     resources:
       - podsecuritypolicies
     verbs:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
   namespace: {{ template "pulsar.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
 subjects:
 - kind: ServiceAccount
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
   namespace: {{ template "pulsar.namespace" . }}
 ---
 
@@ -60,9 +53,9 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
 {{- if .Values.rbac.limit_to_namespace }}
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}-{{ 
template "pulsar.namespace" . }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ 
template "pulsar.namespace" . }}"
 {{- else}}
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
 {{- end}}
 spec:
   readOnlyRootFilesystem: false
@@ -89,4 +82,4 @@ spec:
   - secret
   - downwardAPI
   - persistentVolumeClaim
-  {{- end}}
+{{- end}}
diff --git a/charts/pulsar/templates/broker-rbac.yaml 
b/charts/pulsar/templates/broker-rbac.yaml
index d2145d1..f7c5d8f 100644
--- a/charts/pulsar/templates/broker-rbac.yaml
+++ b/charts/pulsar/templates/broker-rbac.yaml
@@ -44,13 +44,6 @@ rules:
   - '*'
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.functions.rbac.limit_to_namespace }}
 kind: RoleBinding
@@ -74,74 +67,4 @@ subjects:
 - kind: ServiceAccount
   name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
   namespace: {{ template "pulsar.namespace" . }}
-{{- end }}
-
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
----
-
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
-  namespace: {{ template "pulsar.namespace" . }}
-rules:
-  - apiGroups:
-      - policy
-    resourceNames:
-      - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
-  namespace: {{ template "pulsar.namespace" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
-subjects:
-- kind: ServiceAccount
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-{{- if .Values.rbac.limit_to_namespace }}
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ 
template "pulsar.namespace" . }}"
-{{- else}}
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
-{{- end}}
-spec:
-  readOnlyRootFilesystem: false
-  privileged: false
-  allowPrivilegeEscalation: false
-  runAsUser:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  seLinux:
-    rule: 'RunAsAny'
-  volumes:
-  - configMap
-  - emptyDir
-  - projected
-  - secret
-  - downwardAPI
-  - persistentVolumeClaim
-{{- end}}
+{{- end }}
\ No newline at end of file
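Review bot: The new side of broker-rbac.yaml ends without a trailing newline (`\ No newline at end of file` after the final `{{- end }}`), which diverges from the other templates and will churn the next diff that touches the file; end it with a newline. The RoleBinding subject above still names the functions ServiceAccount, which this commit moves to broker-service-account.yaml under `or .Values.components.functions .Values.extra.functionsAsPods`; the condition that opens broker-rbac.yaml is outside this hunk, so verify the two gates agree, otherwise the binding can reference a ServiceAccount that is never created.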
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/broker-service-account.yaml
index 6be8b1d..ab9ae60 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/broker-service-account.yaml
@@ -30,4 +30,21 @@ metadata:
 {{- with .Values.broker.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
+---
+{{- end }}
+
+{{- if or .Values.components.functions .Values.extra.functionsAsPods }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+  namespace: {{ template "pulsar.namespace" . }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+    component: {{ .Values.functions.component }}
+  annotations:
+{{- with .Values.functions.service_account.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+---
 {{- end }}
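Review bot: The `---` separators are placed after each ServiceAccount and inside its `if` block, so the rendered output always ends with a separator and an empty trailing document, and when only the functions block renders it begins after a stray blank line. Helm discards empty documents, so this is harmless, but putting the separator at the head of the functions block (`---` as the first line inside `{{- if or .Values.components.functions .Values.extra.functionsAsPods }}`) keeps the output ending on a real object and matches how the other templates in this commit separate documents. The functions ServiceAccount is otherwise consistent with the per-component copies added elsewhere in this commit.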
diff --git a/charts/pulsar/templates/broker-statefulset.yaml 
b/charts/pulsar/templates/broker-statefulset.yaml
index 199cc8c..b436cfc 100644
--- a/charts/pulsar/templates/broker-statefulset.yaml
+++ b/charts/pulsar/templates/broker-statefulset.yaml
@@ -123,7 +123,7 @@ spec:
             {{- end }}
               echo "pulsar cluster {{ template "pulsar.cluster.name" . }} 
isn't initialized yet ... check in 3 seconds ..." && sleep 3;
             done;
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
@@ -155,7 +155,7 @@ spec:
         envFrom:
           - configMapRef:
               name: "{{ template "pulsar.fullname" . }}-{{ 
.Values.bookkeeper.component }}"
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
@@ -253,7 +253,7 @@ spec:
 {{ toYaml .Values.broker.extraVolumeMounts | indent 10 }}
           {{- end }}
           {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }}
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
diff --git a/charts/pulsar/templates/proxy-rbac.yaml 
b/charts/pulsar/templates/proxy-psp.yaml
similarity index 91%
rename from charts/pulsar/templates/proxy-rbac.yaml
rename to charts/pulsar/templates/proxy-psp.yaml
index 72298ee..768bfde 100644
--- a/charts/pulsar/templates/proxy-rbac.yaml
+++ b/charts/pulsar/templates/proxy-psp.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -34,13 +34,6 @@ rules:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/proxy-service-account.yaml
similarity index 82%
copy from charts/pulsar/templates/broker-service-account.yaml
copy to charts/pulsar/templates/proxy-service-account.yaml
index 6be8b1d..1c3f381 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/proxy-service-account.yaml
@@ -17,17 +17,17 @@
 # under the License.
 #
 
-{{- if .Values.components.broker }}
+{{- if .Values.components.proxy }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: {{ .Values.broker.component }}
+    component: {{ .Values.proxy.component }}
   annotations:
-{{- with .Values.broker.service_account.annotations }}
+{{- with .Values.proxy.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml 
b/charts/pulsar/templates/proxy-statefulset.yaml
index e162134..d50559c 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -103,9 +103,7 @@ spec:
         {{ end }}
         {{- end }}
       terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
-    {{- if and .Values.rbac.enabled .Values.rbac.psp }}
       serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.proxy.component }}"
-    {{- end}}
       initContainers:
       # This init container will wait for zookeeper to be ready before
       # deploying the bookies
@@ -201,7 +199,7 @@ spec:
         - name: "sts-{{ .Values.tlsPrefix }}pulsarssl"
           containerPort: {{ .Values.proxy.ports.pulsarssl }}
         {{- end }}
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
diff --git a/charts/pulsar/templates/toolset-rbac.yaml 
b/charts/pulsar/templates/toolset-psp.yaml
similarity index 91%
rename from charts/pulsar/templates/toolset-rbac.yaml
rename to charts/pulsar/templates/toolset-psp.yaml
index c08c6f5..b1adc3b 100644
--- a/charts/pulsar/templates/toolset-rbac.yaml
+++ b/charts/pulsar/templates/toolset-psp.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -34,13 +34,6 @@ rules:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/toolset-service-account.yaml
similarity index 82%
copy from charts/pulsar/templates/broker-service-account.yaml
copy to charts/pulsar/templates/toolset-service-account.yaml
index 6be8b1d..32b0b04 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/toolset-service-account.yaml
@@ -17,17 +17,17 @@
 # under the License.
 #
 
-{{- if .Values.components.broker }}
+{{- if .Values.components.toolset }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: {{ .Values.broker.component }}
+    component: {{ .Values.toolset.component }}
   annotations:
-{{- with .Values.broker.service_account.annotations }}
+{{- with .Values.toolset.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml 
b/charts/pulsar/templates/toolset-statefulset.yaml
index 7861b69..3ecd479 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -58,9 +58,7 @@ spec:
 {{ toYaml .Values.toolset.tolerations | indent 8 }}
     {{- end }}
       terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
-    {{- if and .Values.rbac.enabled .Values.rbac.psp }}
-      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.proxy.component }}"
-    {{- end}}
+      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.toolset.component }}"
       containers:
       - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component 
}}"
         image: "{{ template "pulsar.imageFullName" (dict "image" 
.Values.images.broker "root" .) }}"
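Review bot: The toolset pod now runs under the `{{ .Values.toolset.component }}` ServiceAccount instead of the proxy one it was previously (and only under PSP) attached to, and it does so unconditionally, so an upgrade re-creates the toolset pod and changes the identity its token presents to the API server; that deserves a line in the chart's upgrade notes. The old reference to `.Values.proxy.component` looks like a copy-paste from proxy-statefulset.yaml — with it the toolset pod was admitted under whatever PodSecurityPolicy the proxy ServiceAccount could use rather than its own — so the correction is right, though the subjects of the toolset RoleBinding are outside this view.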
@@ -79,7 +77,7 @@ spec:
           bin/apply-config-from-env.py conf/bookkeeper.conf;
           {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
           sleep 10000000000
-      {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+      {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
       {{- end }}
diff --git a/charts/pulsar/templates/zookeeper-rbac.yaml 
b/charts/pulsar/templates/zookeeper-psp.yaml
similarity index 91%
rename from charts/pulsar/templates/zookeeper-rbac.yaml
rename to charts/pulsar/templates/zookeeper-psp.yaml
index 23f80f5..fd32e3c 100644
--- a/charts/pulsar/templates/zookeeper-rbac.yaml
+++ b/charts/pulsar/templates/zookeeper-psp.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 
-{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -34,13 +34,6 @@ rules:
       - use
 ---
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
-  namespace: {{ template "pulsar.namespace" . }}
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/pulsar/templates/broker-service-account.yaml 
b/charts/pulsar/templates/zookeeper-service-account.yaml
similarity index 81%
copy from charts/pulsar/templates/broker-service-account.yaml
copy to charts/pulsar/templates/zookeeper-service-account.yaml
index 6be8b1d..e347677 100644
--- a/charts/pulsar/templates/broker-service-account.yaml
+++ b/charts/pulsar/templates/zookeeper-service-account.yaml
@@ -17,17 +17,17 @@
 # under the License.
 #
 
-{{- if .Values.components.broker }}
+{{- if .Values.components.zookeeper }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}-acct"
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: {{ .Values.broker.component }}
+    component: {{ .Values.zookeeper.component }}
   annotations:
-{{- with .Values.broker.service_account.annotations }}
+{{- with .Values.zookeeper.service_account.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml 
b/charts/pulsar/templates/zookeeper-statefulset.yaml
index 739f617..fde47c4 100644
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -100,9 +100,7 @@ spec:
         {{ end }}
         {{- end }}
       terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }}
-    {{- if and .Values.rbac.enabled .Values.rbac.psp }}
       serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.zookeeper.component }}"
-    {{- end }}
       {{- if .Values.zookeeper.securityContext }}
       securityContext:
 {{ toYaml .Values.zookeeper.securityContext | indent 8 }}
@@ -163,7 +161,7 @@ spec:
         {{- $zkConnectCommand = print "nc -q 1 localhost " 
.Values.zookeeper.ports.client -}}
         {{- end }}
         {{- if .Values.zookeeper.probe.readiness.enabled }}
-        {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+        {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) 
.Values.rbac.enabled .Values.rbac.psp }}
         securityContext:
           readOnlyRootFilesystem: false
         {{- end}}
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index ecf5a4d..6b8b8a6 100644
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -376,6 +376,10 @@ zookeeper:
   # External zookeeper server list in case of global-zk list to create zk 
cluster across zk deployed on different clusters/namespaces
   # Example value: 
"us-east1-pulsar-zookeeper-0.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-1.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-2.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-0.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-1.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-z
 [...]
   externalZookeeperServerList: ""
+  ## Zookeeper service account
+  ## templates/zookeeper-service-account.yaml
+  service_account:
+    annotations: {}
   ## Zookeeper configmap
   ## templates/zookeeper-configmap.yaml
   ##
@@ -554,7 +558,10 @@ bookkeeper:
         # ...
       # selector:
         # ...
-
+  ## Bookkeeper service account
+  ## templates/bookkeeper-service-account.yaml
+  service_account:
+    annotations: {}
   ## Bookkeeper configmap
   ## templates/bookkeeper-configmap.yaml
   ##
@@ -630,6 +637,10 @@ autorecovery:
     requests:
       memory: 64Mi
       cpu: 0.05
+  ## Bookkeeper auto-recovery service account
+  ## templates/autorecovery-service-account.yaml
+  service_account:
+    annotations: {}
   ## Bookkeeper auto-recovery configmap
   ## templates/autorecovery-configmap.yaml
   ##
@@ -805,6 +816,10 @@ functions:
   # Set to true to deploy functions with Role and RoleBinding inside the 
specified namespace
   rbac:
     limit_to_namespace: false
+  ### Functions Worker service account
+  ## templates/broker-service-account.yaml
+  service_account:
+    annotations: {} 
 
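Review bot: `### Functions Worker service account` uses three hashes where every other section header in this hunk and the surrounding file uses `##`, and `annotations: {} ` carries trailing whitespace; write `## Functions Worker service account` and `annotations: {}`. The header points at `templates/broker-service-account.yaml`, which is correct for this commit since the functions ServiceAccount is rendered there, but a reader looking for a functions-service-account template will not find one, so a short note such as `## (rendered from the broker service-account template)` would save that lookup.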
 ## Pulsar: Proxy Cluster
 ## templates/proxy-statefulset.yaml
@@ -881,6 +896,10 @@ proxy:
 #        fieldRef:
 #          apiVersion: v1
 #          fieldPath: status.podIP
+  ## Proxy service account
+  ## templates/proxy-service-account.yaml
+  service_account:
+    annotations: {}
   ## Proxy configmap
   ## templates/proxy-configmap.yaml
   ##
@@ -1016,8 +1035,12 @@ toolset:
   #     readOnly: true
   extraVolumes: []
   extraVolumeMounts: []
-  ## Bastion configmap
-  ## templates/bastion-configmap.yaml
+  ## Toolset service account
+  ## templates/toolset-service-account.yaml
+  service_account:
+    annotations: {}
+  ## Toolset configmap
+  ## templates/toolset-configmap.yaml
   ##
   configData:
     PULSAR_MEM: >
