feat: add extradeploy #484

Closed

zhangzhaohuazai

By defining the list of k8s resources that users need in relation to datahub in extradeploy, such as serviceAccount, role, rolebinding, and so on.
The reason is that we want to complete the creation of the token together during the deployment of datahub and write it to a k8s secret. We started with datahub's datahubSystemUpdate to execute the relevant commands.

        datahubSystemUpdate:
          image:
            repository: acryldata/datahub-upgrade
            command: ["/bin/sh", "-c"]
            args:
            - |
              curl -sSLo /tmp/kubectl "http://oss-cn-hangzhou-zjy-d01-a.ops.cloud.zhejianglab.com/data-and-computing/public/dl.k8s.io/release/v1.29.1/bin/linux/amd64/kubectl" &&
              chmod u+x /tmp/kubectl &&
              mkdir -p ${HOME}/bin &&
              mv -f /tmp/kubectl ${HOME}/bin/kubectl &&
              export PATH="${PATH}:${HOME}/bin" &&
              JQ_LINK=https://github.com/stedolan/jq/releases/download/jq-1.7/jq-linux64 &&
              wget $JQ_LINK -O ${HOME}/bin/jq-linux64 &&
              chmod +x ${HOME}/bin/jq-linux64 &&
              JQ_PATH="${HOME}/bin/jq-linux64" &&
              PASSWORD=$(kubectl -n datahub get secret datahub-user-secret -o jsonpath='{.data.user\.props}' | base64 -d | cut -d: -f2-) &&
              curl -k --cookie-jar /tmp/cookie.txt 'http://datahub-datahub-frontend:9002/logIn' \
                -H 'content-type: application/json' \
                --data-raw "{\"username\":\"datahub\",\"password\":\"$PASSWORD\"}" &&
              ACCESS_TOKEN=$(curl -k --cookie /tmp/cookie.txt -X POST 'http://datahub-datahub-frontend:9002/api/graphql' \
                --header 'X-DataHub-Actor: urn:li:corpuser:datahub' \
                --header 'Content-Type: application/json' \
                --data-raw '{ "query":"mutation { createAccessToken(input: { type: PERSONAL, actorUrn: \"urn:li:corpuser:datahub\", duration:NO_EXPIRY,name: \"my personal token2\" } ) { accessToken metadata { id name description} } }", "variables":{}}' | "$JQ_PATH" -r '.data.createAccessToken.accessToken') &&
              kubectl create secret generic datahub-access-token \
                --from-literal=access-token="$ACCESS_TOKEN" \
                -n datahub
          annotations:
            helm.sh/hook: post-install
          serviceAccount: datahub-system-update

But the serviceAccount (here is 'datahub-system-update', as well as role and rolebinding) needed to execute the relevant kubectl commands needed to be created in advance of deploying datahub.
We want these k8s objects to be configured and installed together with datahub in a values.yaml, so we use the extraDeploy function to install the required serviceAccount, role, rolebinding together.

```yaml
extraDeploy:
  - |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: datahub-system-update
      namespace: datahub
  - |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: secret-manager-role
      namespace: datahub
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get","list", "create"]
  - |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: secret-manager-rolebinding
      namespace: datahub
    subjects:
    - kind: ServiceAccount
      name: datahub-system-update
      namespace: datahub
    roleRef:
      kind: Role
      name: secret-manager-role
      apiGroup: rbac.authorization.k8s.io
```

Checklist

  • The PR conforms to DataHub's Contributing Guideline (particularly Commit Message Format)
  • Links to related issues (if applicable)
  • Tests for the changes have been added/updated (if applicable)
  • Docs related to the changes have been added/updated (if applicable)

@zhangzhaohuazai zhangzhaohuazai changed the title datahub extradeploy feat: add extradeploy Jul 2, 2024
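
A narrower variant of the Role from the PR description, shown as an added example that is not part of the original PR or the DataHub chart. It assumes the job runs only the two kubectl commands in the posted script (`get` on `datahub-user-secret` and `create` of `datahub-access-token`), so `list` is dropped and `get` is pinned with `resourceNames`; the ServiceAccount and RoleBinding entries stay as posted.

```yaml
extraDeploy:
  - |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: secret-manager-role
      namespace: datahub
    rules:
    # Read access only to the one secret the job fetches with
    # `kubectl get secret datahub-user-secret`. Without resourceNames,
    # "get" (and "list") would expose every secret in the namespace.
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["datahub-user-secret"]
      verbs: ["get"]
    # `kubectl create secret generic datahub-access-token` needs "create".
    # RBAC cannot restrict "create" by resourceNames, because the object
    # name may not be known when the request is authorized, so this rule
    # remains namespace-wide.
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create"]
```

With this Role bound to `datahub-system-update`, `kubectl auth can-i list secrets -n datahub --as=system:serviceaccount:datahub:datahub-system-update` should answer `no`, while `get` on `secret/datahub-user-secret` and `create secrets` still answer `yes`.
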
@Masterchen09
Contributor

Masterchen09 commented Jul 16, 2024

I like the idea to have an option to add arbitrary objects to the Helm chart, however is there any common standard how this option should be named (I do not know!)? In case of the OpenSearch Helm chart the option is called "extraObjects": https://github.com/opensearch-project/helm-charts/blob/a018f838ec44dd0b9337e0403a541580cc39c0f3/charts/opensearch/values.yaml#L493-L531

"extraDeploy" could imply that it can only be used for deployments and not for any object?

edit: I think "extraObjects" is kind of a common standard:

@lhy-a

lhy-a commented Aug 15, 2024

> I like the idea to have an option to add arbitrary objects to the Helm chart, however is there any common standard how this option should be named (I do not know!)? In case of the OpenSearch Helm chart the option is called "extraObjects": https://github.com/opensearch-project/helm-charts/blob/a018f838ec44dd0b9337e0403a541580cc39c0f3/charts/opensearch/values.yaml#L493-L531
>
> "extraDeploy" could imply that it can only be used for deployments and not for any object?
>
> edit: I think "extraObjects" is kind of a common standard:
>
> * [Add `extraObjects` value that allows creating supportive / adhoc resources traefik/traefik-helm-chart#595](https://github.com/traefik/traefik-helm-chart/issues/595)
>
> * [[FR] Allow the Chart to create extra manifest cert-manager/cert-manager#5900](https://github.com/cert-manager/cert-manager/issues/5900)
>
> * [Install arbitrary resources with the Helm chart rstudio/helm#115](https://github.com/rstudio/helm/issues/115)
>
> * [Add `extraObjects` value that allows creating supportive / adhoc resources apache/couchdb-helm#72](https://github.com/apache/couchdb-helm/issues/72)
>
> * ...and of course the OpenSearch Helm chart

I noticed that the Bitnami repositories include an extraDeploy feature, as seen in this example. However, I couldn't find a similar feature in DataHub, so I copied some code from Bitnami here. Unfortunately, I found this issue after completing my implementation. After reviewing this code, it seems to follow Bitnami's approach and names it extraDeploy, so it should be fine.

@lhy-a lhy-a mentioned this pull request Aug 23, 2024

This PR is stale. We will close it in 30 days if there is no comment or activity. If you want feedback but not able to get it on github please head to #contribute channel in slack at https://slack.datahubproject.io.

@github-actions github-actions bot added the stale label Sep 15, 2024

Closing stale PR.

@github-actions github-actions bot closed this Oct 16, 2024