Move settings around

trifork · Aug 8, 2023 · dd50714 · dd50714
1 parent 01f8db2
commit dd50714
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 49 deletions.
diff --git a/charts/flink-job/README.md b/charts/flink-job/README.md
@@ -128,9 +128,23 @@ Read more about Flink and highly available job-managers [here](https://nightlies
 | image.pullPolicy | string | `"Always"` | Which image pull policy to use |
 | imagePullSecrets | list | `[]` | Image pull secrets. A list of `name: <secret-name>` |
 | version | string | `"v1_16"` | Which Flink version to use |
-| useSSLInternally | bool | `true` |  |
+| internalSsl.enabled | bool | `true` | Set up SSL authentication/encryption using an init-container for creating the certificate |
+| internalSsl.image | string | `"docker.io/bitnami/java:11.0.20-8"` |  |
+| internalSsl.command[0] | string | `"/bin/sh"` |  |
+| internalSsl.command[1] | string | `"-c"` |  |
+| internalSsl.args[0] | string | `"keytool -genkeypair -alias flink.internal -keystore /flinkkeystore/internal.keystore -dname \"CN=flink.internal\" -storepass internal_store_password -keyalg RSA -keysize 4096 -storetype PKCS12"` |  |
+| internalSsl.resources | object | `{}` |  |
+| internalSsl.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| internalSsl.securityContext.capabilities.add | list | `[]` |  |
+| internalSsl.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| internalSsl.securityContext.runAsGroup | int | `9999` |  |
+| internalSsl.securityContext.runAsUser | int | `9999` |  |
+| internalSsl.volumeMounts[0].mountPath | string | `"/flinkkeystore"` |  |
+| internalSsl.volumeMounts[0].name | string | `"truststore"` |  |
+| internalSsl.volumeMounts[0].readOnly | bool | `false` |  |
+| internalSsl.configuration.keystore | string | `"/flinkkeystore/internal.keystore"` |  |
+| internalSsl.configuration.keystore-password | string | `"internal_store_password"` |  |
 | flinkConfiguration | object | (see values.yaml) | Flink configuration For more configuration options, see here: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/config/> For specific metrics configuration, see here:  <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/metric_reporters/> |
-| flinkSSLConfiguration | object | `{"security.ssl.internal.enabled":"true","security.ssl.internal.key-password":"internal_store_password","security.ssl.internal.keystore":"/flinkkeystore/internal.keystore","security.ssl.internal.keystore-password":"internal_store_password","security.ssl.internal.truststore":"/flinkkeystore/internal.keystore","security.ssl.internal.truststore-password":"internal_store_password"}` | Setting up SSL for flink-jobs |
 | restartNonce | int | `0` | change this to force a restart of the job, see <https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/custom-resource/job-management/> for more info |
 | logConfiguration | object | `{"log4j-console.properties":"rootLogger.level = WARN\nrootLogger.appenderRef.console.ref = ConsoleAppender\n\n# Log all infos to the console\nappender.console.name = ConsoleAppender\nappender.console.type = CONSOLE\nappender.console.layout.type = PatternLayout\nappender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p %-60c %x - %m%n\n\n# Suppress the irrelevant (wrong) warnings from the Netty channel handler\nlogger.netty.name = org.apache.flink.shaded.akka.org.jboss.netty.channel.DefaultChannelPipeline\nlogger.netty.level = OFF\n\n# Ensure we get failure logs on startup\nlogger.bootstrap.name = org.apache.flink.client.deployment.application.ApplicationDispatcherBootstrap\nlogger.bootstrap.level = INFO\n"}` | Custom logging configuration |
 | mode | string | `"native"` | Cluster deployment mode. Support values are `native` and `standalone` `native` is the recommended mode, as this makes Flink aware of it running on Kubernetes |
@@ -145,7 +159,6 @@ Read more about Flink and highly available job-managers [here](https://nightlies
 | podLabels | object | `{}` | Additional labels attached to the pods |
 | podAnnotations | object | `{}` | Additional annotations attached to the pods |
 | initContainers | list | `[]` | InitContainers for the pods |
-| sslInitContainers | string | `"- name: cert-creator\n  image: docker.io/bitnami/java:11.0.20-8\n  command: [\"/bin/sh\", \"-c\"]\n  args:\n    [\n      \"keytool -genkeypair -alias flink.internal -keystore /flinkkeystore/internal.keystore -dname \\\"CN=flink.internal\\\" -storepass internal_store_password -keyalg RSA -keysize 4096 -storetype PKCS12\",\n    ]\n  securityContext:\n    allowPrivilegeEscalation: false\n    capabilities:\n      add: []\n      drop:\n        - ALL\n    runAsGroup: 9999\n    runAsUser: 9999\n  volumeMounts:\n    - mountPath: /flinkkeystore\n      name: truststore\n      readOnly: false"` | InitContainer for setting up SSL for the flink-job |
 | job.jarURI | string | `""` | The path of the job jar |
 | job.entryClass | string | `""` | The name of the job class |
 | job.args | list | `[]` | Arguments for the job |

diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
@@ -169,10 +169,8 @@ Calculate the flinkConfiguration
   {{- $configs = fromJson (include "flink-job.haConfiguration" (dict "configs" $configs "global" $.Values "fullname" $fullname)) -}}
   {{- $configs = fromJson (include "flink-job.storageConfiguration" (dict "configs" $configs "global" $.Values "fullname" $fullname)) -}}
   {{- $configs = fromJson (include "flink-job.istioConfiguration" (dict "configs" $configs "global" $.Values "fullname" $fullname)) -}}
+  {{- $configs = fromJson (include "flink-job.sslConfiguration" (dict "configs" $configs "global" $.Values "fullname" $fullname)) -}}
   {{ toYaml $configs }}
-{{ if .Values.useSSLInternally -}}
-  {{- toYaml .Values.flinkSSLConfiguration }}
-{{- end -}}
 {{- end -}}
 
 {{/*
@@ -192,6 +190,22 @@ Add necessary metrics configuration
   {{- $configs | toJson -}}
 {{- end -}}
 
+{{/*
+Add necessary ssl configuration
+*/}}
+{{- define "flink-job.sslConfiguration" -}}
+  {{- $configs := .configs -}}
+  {{- if .global.internalSsl.enabled -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore" (toString .global.internalSsl.configuration.keystore))) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" (toString .global.internalSsl.configuration.keystore))) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore-password" (toString .global.internalSsl.configuration.keystorePassword))) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore-password" (toString .global.internalSsl.configuration.keystorePassword))) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.key-password" (toString .global.internalSsl.configuration.keystorePassword))) -}}
+  {{- end -}}
+  {{- $configs | toJson -}}
+{{- end -}}
+
 {{/*
 Add necessary istio configuration
 */}}

diff --git a/charts/flink-job/values.yaml b/charts/flink-job/values.yaml
@@ -26,8 +26,39 @@ imagePullSecrets: []
 # -- Which Flink version to use
 version: v1_16
 
-useSSLInternally: true
-
+internalSsl:
+  # -- Set up SSL authentication/encryption using an init-container for creating the certificate
+  enabled: true
+  image: docker.io/bitnami/java:11.0.20-8
+  command:
+    - /bin/sh
+    - -c
+  args:
+    - "keytool -genkeypair -alias flink.internal -keystore /flinkkeystore/internal.keystore -dname \"CN=flink.internal\" -storepass internal_store_password -keyalg RSA -keysize 4096 -storetype PKCS12"
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      add: []
+      drop:
+        - ALL
+    runAsGroup: 9999
+    runAsUser: 9999
+  volumeMounts:
+    - mountPath: /flinkkeystore
+      name: truststore
+      readOnly: false
+  configuration:
+    keystore: /flinkkeystore/internal.keystore
+    keystorePassword: internal_store_password
+  podVolumes:
+    - name: truststore
+      emptyDir: {}    
+  podVolumeMounts:
+    - mountPath: /flinkkeystore
+      name: truststore
+      readOnly: true
+
 # -- Flink configuration
 # For more configuration options, see here: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/config/>
 # For specific metrics configuration, see here:  <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/metric_reporters/>
@@ -40,15 +71,6 @@ flinkConfiguration:
   rest.flamegraph.enabled: "true"
   taskmanager.numberOfTaskSlots: "1"
 
-# -- Setting up SSL for flink-jobs
-flinkSSLConfiguration:
-  security.ssl.internal.enabled: "true"
-  security.ssl.internal.keystore: /flinkkeystore/internal.keystore
-  security.ssl.internal.truststore: /flinkkeystore/internal.keystore
-  security.ssl.internal.keystore-password: internal_store_password
-  security.ssl.internal.truststore-password: internal_store_password
-  security.ssl.internal.key-password: internal_store_password
-
 # -- change this to force a restart of the job,
 # see <https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/custom-resource/job-management/> for more info
 restartNonce: 0
@@ -102,27 +124,6 @@ podLabels: {}
 podAnnotations: {}
 # -- InitContainers for the pods
 initContainers: []
-# -- InitContainer for setting up SSL for the flink-job
-sslInitContainers: |-
-    - name: cert-creator
-      image: docker.io/bitnami/java:11.0.20-8
-      command: ["/bin/sh", "-c"]
-      args:
-        [
-          "keytool -genkeypair -alias flink.internal -keystore /flinkkeystore/internal.keystore -dname \"CN=flink.internal\" -storepass internal_store_password -keyalg RSA -keysize 4096 -storetype PKCS12",
-        ]
-      securityContext:
-        allowPrivilegeEscalation: false
-        capabilities:
-          add: []
-          drop:
-            - ALL
-        runAsGroup: 9999
-        runAsUser: 9999
-      volumeMounts:
-        - mountPath: /flinkkeystore
-          name: truststore
-          readOnly: false
 
 job:
   # -- The path of the job jar
@@ -202,10 +203,16 @@ podTemplate: |-
     {{- with .Values.initContainers }}
       {{- tpl . $ | nindent 4 }}
     {{- end }}
-    {{ if .Values.useSSLInternally}}
-    {{- with .Values.sslInitContainers }}
-      {{- tpl . $ | nindent 4 }}
-    {{- end }}
+    {{ if .Values.internalSsl.enabled }}
+    - name: cert-creator
+      image: {{ .Values.internalSsl.image }}
+      command: {{ toYaml .Values.internalSsl.command | nindent 8 }}
+      args:
+        {{ toYaml .Values.internalSsl.args | nindent 8 }}
+      securityContext:
+        {{ toYaml .Values.internalSsl.securityContext | nindent 8 }}
+      volumeMounts:
+        {{ toYaml .Values.internalSsl.volumeMounts | nindent 8}}
     {{- end }}
 
 taskManager:
@@ -333,17 +340,12 @@ jobManager:
           envFrom:
             {{- toYaml . | nindent 8 }}
           {{- end }}
+          {{- with (concat .Values.volumeMounts .Values.jobManager.volumeMounts .Values.internalSsl.podVolumeMounts) }}
           volumeMounts:
-            - mountPath: /flinkkeystore
-              name: truststore
-              readOnly: true
-          {{- with (concat .Values.volumeMounts .Values.jobManager.volumeMounts) }}
             {{- toYaml . | nindent 8 -}}
           {{- end }}
+      {{- with (concat .Values.volumes .Values.jobManager.volumes .Values.internalSsl.podVolumes) }}
       volumes:
-        - name: truststore
-          emptyDir: {}
-      {{- with (concat .Values.volumes .Values.jobManager.volumes) }}
         {{- toYaml . | nindent 4 -}}
       {{- end }}