This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new f7a5fcf30f helm: Add serviceAccounts, rbac, and small fixes (#13747)
f7a5fcf30f is described below
commit f7a5fcf30fffb0ecce52130e6bf617aa20f67a4d
Author: Jason Witkowski <[email protected]>
AuthorDate: Thu Feb 23 01:12:03 2023 -0500
helm: Add serviceAccounts, rbac, and small fixes (#13747)
Update the suggested segment-cache path, allow per-service serviceAccounts
and finer-grained RBAC in the Druid Helm chart, and add a default annotation
to the historical statefulset.
---
helm/druid/Chart.yaml | 2 +-
helm/druid/README.md | 31 +++++++++
helm/druid/templates/_helpers.tpl | 66 ++++++++++++++++++
helm/druid/templates/broker/deployment.yaml | 20 +++---
helm/druid/templates/broker/role.yaml | 40 +++++++++++
helm/druid/templates/broker/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/broker/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/coordinator/deployment.yaml | 20 +++---
helm/druid/templates/coordinator/role.yaml | 40 +++++++++++
helm/druid/templates/coordinator/roleBinding.yaml | 39 +++++++++++
.../templates/coordinator/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/historical/role.yaml | 40 +++++++++++
helm/druid/templates/historical/roleBinding.yaml | 39 +++++++++++
.../druid/templates/historical/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/historical/statefulset.yaml | 20 +++---
helm/druid/templates/middleManager/role.yaml | 40 +++++++++++
.../druid/templates/middleManager/roleBinding.yaml | 39 +++++++++++
.../templates/middleManager/serviceAccount.yaml | 39 +++++++++++
.../druid/templates/middleManager/statefulset.yaml | 22 +++---
helm/druid/templates/overlord/deployment.yaml | 20 +++---
helm/druid/templates/overlord/role.yaml | 46 +++++++++++++
helm/druid/templates/overlord/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/overlord/serviceAccount.yaml | 39 +++++++++++
helm/druid/templates/router/deployment.yaml | 20 +++---
helm/druid/templates/router/role.yaml | 40 +++++++++++
helm/druid/templates/router/roleBinding.yaml | 39 +++++++++++
helm/druid/templates/router/serviceAccount.yaml | 39 +++++++++++
helm/druid/values.yaml | 78 +++++++++++++++++++++-
28 files changed, 962 insertions(+), 51 deletions(-)
diff --git a/helm/druid/Chart.yaml b/helm/druid/Chart.yaml
index cc4083be29..aeb629d9fc 100644
--- a/helm/druid/Chart.yaml
+++ b/helm/druid/Chart.yaml
@@ -30,7 +30,7 @@ dependencies:
version: 8.6.4
repository: https://charts.helm.sh/stable
condition: postgresql.enabled
-version: 0.3.4
+version: 0.3.5
home: https://druid.apache.org/
icon: https://druid.apache.org/img/favicon.png
sources:
diff --git a/helm/druid/README.md b/helm/druid/README.md
index 64274a71d7..85c72ef2a8 100644
--- a/helm/druid/README.md
+++ b/helm/druid/README.md
@@ -96,10 +96,16 @@ The following table lists the configurable parameters of
the Druid chart and the
| `configVars` | druid configuration variables
for all components | `` |
| `gCloudStorage.enabled` | look for secret to set google
cloud credentials | `false` |
| `gCloudStorage.secretName` | secretName to be mounted as
google cloud credentials | `false` |
+| `rbac.create` | Create roles and roleBindings for
service Accounts | `true` |
| `broker.enabled` | enable broker
| `true` |
| `broker.name` | broker component name
| `broker` |
| `broker.replicaCount` | broker node replicas (deployment)
| `1` |
| `broker.port` | port of broker component
| `8082` |
+| `broker.serviceAccount.create` | Create a service account for
broker service | `true` |
+| `broker.serviceAccount.name` | Service account name
| Derived from the name of service |
+| `broker.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `broker.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `broker.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `broker.serviceType` | service type for service
| `ClusterIP` |
| `broker.resources` | broker node resources requests &
limits | `{}` |
| `broker.podAnnotations` | broker deployment annotations
| `{}` |
@@ -117,6 +123,11 @@ The following table lists the configurable parameters of
the Druid chart and the
| `coordinator.replicaCount` | coordinator node replicas
(deployment) | `1` |
| `coordinator.port` | port of coordinator component
| `8081` |
| `coordinator.serviceType` | service type for service
| `ClusterIP` |
+| `coordinator.serviceAccount.create` | Create a service account for
coordinator service | `true` |
+| `coordinator.serviceAccount.name` | Service account name
| Derived from the name of service |
+| `coordinator.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `coordinator.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `coordinator.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `coordinator.resources` | coordinator node resources
requests & limits | `{}` |
| `coordinator.podAnnotations` | coordinator Deployment
annotations | `{}` |
| `coordinator.nodeSelector` | node labels for coordinator pod
assignment | `{}` |
@@ -133,6 +144,11 @@ The following table lists the configurable parameters of
the Druid chart and the
| `overlord.replicaCount` | overlord node replicas
(deployment) | `1` |
| `overlord.port` | port of overlord component
| `8081` |
| `overlord.serviceType` | service type for service
| `ClusterIP` |
+| `overlord.serviceAccount.create` | Create a service account for
overlord service | `true` |
+| `overlord.serviceAccount.name` | Service account name
| Derived from the name of service |
+| `overlord.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `overlord.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `overlord.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `overlord.resources` | overlord node resources requests
& limits | `{}` |
| `overlord.podAnnotations` | overlord Deployment annotations
| `{}` |
| `overlord.nodeSelector` | node labels for overlord pod
assignment | `{}` |
@@ -149,6 +165,11 @@ The following table lists the configurable parameters of
the Druid chart and the
| `historical.replicaCount` | historical node replicas
(statefulset) | `1` |
| `historical.port` | port of historical component
| `8083` |
| `historical.serviceType` | service type for service
| `ClusterIP` |
+| `historical.serviceAccount.create` | Create a service account for
historical service | `true` |
+| `historical.serviceAccount.name` | Service account name
| Derived from the name of service |
+| `historical.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `historical.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `historical.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `historical.resources` | historical node resources
requests & limits | `{}` |
| `historical.livenessProbeInitialDelaySeconds` | historical node liveness
probe initial delay in seconds | `60` |
| `historical.readinessProbeInitialDelaySeconds` | historical node readiness
probe initial delay in seconds | `60` |
@@ -173,6 +194,11 @@ The following table lists the configurable parameters of
the Druid chart and the
| `middleManager.replicaCount` | middleManager node replicas
(statefulset) | `1` |
| `middleManager.port` | port of middleManager component
| `8091` |
| `middleManager.serviceType` | service type for service
| `ClusterIP` |
+| `middleManager.serviceAccount.create` | Create a service account for
middleManager service | `true` |
+| `middleManager.serviceAccount.name` | Service account name
| `` |
+| `middleManager.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `middleManager.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `middleManager.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `middleManager.resources` | middleManager node resources
requests & limits | `{}` |
| `middleManager.podAnnotations` | middleManager Deployment
annotations | `{}` |
| `middleManager.nodeSelector` | Node labels for middleManager pod
assignment | `{}` |
@@ -199,6 +225,11 @@ The following table lists the configurable parameters of
the Druid chart and the
| `router.replicaCount` | router node replicas (deployment)
| `1` |
| `router.port` | port of router component
| `8888` |
| `router.serviceType` | service type for service
| `ClusterIP` |
+| `router.serviceAccount.create` | Create a service account for
router service | `true` |
+| `router.serviceAccount.name` | Service account name
| Derived from the name of service |
+| `router.serviceAccount.annotations` | Annotations applied to created
service account | `{}` |
+| `router.serviceAccount.labels` | Labels applied to created service
account | `{}` |
+| `router.serviceAccount.automountServiceAccountToken` | Automount API
credentials for the Service Account | `true` |
| `router.resources` | router node resources requests &
limits | `{}` |
| `router.podAnnotations` | router Deployment annotations
| `{}` |
| `router.nodeSelector` | node labels for router pod
assignment | `{}` |
diff --git a/helm/druid/templates/_helpers.tpl
b/helm/druid/templates/_helpers.tpl
index bb4714953e..a4ca3c9a0e 100644
--- a/helm/druid/templates/_helpers.tpl
+++ b/helm/druid/templates/_helpers.tpl
@@ -98,3 +98,69 @@ We truncate at 63 chars because some Kubernetes name fields
are limited to this
{{- define "druid.router.fullname" -}}
{{ template "druid.fullname" . }}-{{ .Values.router.name }}
{{- end -}}
+
+{{/*
+Create the name of the broker service account
+*/}}
+{{- define "druid.broker.serviceAccountName" -}}
+ {{- if .Values.broker.serviceAccount.create }}
+ {{- default (include "druid.broker.fullname" .)
.Values.broker.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.broker.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the historical service account
+*/}}
+{{- define "druid.historical.serviceAccountName" -}}
+ {{- if .Values.historical.serviceAccount.create }}
+ {{- default (include "druid.historical.fullname" .)
.Values.historical.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.historical.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the middleManager service account
+*/}}
+{{- define "druid.middleManager.serviceAccountName" -}}
+ {{- if .Values.middleManager.serviceAccount.create }}
+ {{- default (include "druid.middleManager.fullname" .)
.Values.middleManager.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.middleManager.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the coordinator service account
+*/}}
+{{- define "druid.coordinator.serviceAccountName" -}}
+ {{- if .Values.coordinator.serviceAccount.create }}
+ {{- default (include "druid.coordinator.fullname" .)
.Values.coordinator.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.coordinator.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the overlord service account
+*/}}
+{{- define "druid.overlord.serviceAccountName" -}}
+ {{- if .Values.overlord.serviceAccount.create }}
+ {{- default (include "druid.overlord.fullname" .)
.Values.overlord.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.overlord.serviceAccount.name }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the router service account
+*/}}
+{{- define "druid.router.serviceAccountName" -}}
+ {{- if .Values.router.serviceAccount.create }}
+ {{- default (include "druid.router.fullname" .)
.Values.router.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.router.serviceAccount.name }}
+ {{- end }}
+{{- end }}
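Review bot: The comment above `druid.broker.serviceAccountName` says only that it creates the name, which hides the fallback that decides which account the RoleBinding targets. When `serviceAccount.create` is false and no name is set, the helper returns the literal `default`. I'd document that in the template comment, e.g. `Returns broker.serviceAccount.name; falls back to the broker fullname when serviceAccount.create is true, otherwise to "default".` The same wording gap applies to the historical, middleManager, coordinator, overlord and router helpers in this hunk.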
diff --git a/helm/druid/templates/broker/deployment.yaml
b/helm/druid/templates/broker/deployment.yaml
index fa87515e90..80251de1ec 100644
--- a/helm/druid/templates/broker/deployment.yaml
+++ b/helm/druid/templates/broker/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.broker.name }}
annotations:
- {{- with .Values.broker.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.broker.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.broker.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.broker.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
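Review bot: `serviceAccountName` is rendered only when `broker.serviceAccount.create` is true, so a pre-existing account supplied through `broker.serviceAccount.name` with `create: false` is never attached to the pod. The helper and the RoleBinding still resolve to that name, so the pod would run under the namespace default account while the Role is bound to a different one. Dropping the guard and always emitting `serviceAccountName: {{ include "druid.broker.serviceAccountName" . }}` would keep the three templates consistent. The pod spec continues outside this hunk, and the coordinator deployment and historical statefulset hunks use the same guard.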
diff --git a/helm/druid/templates/broker/role.yaml
b/helm/druid/templates/broker/role.yaml
new file mode 100644
index 0000000000..f6ff22d8b5
--- /dev/null
+++ b/helm/druid/templates/broker/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.broker.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
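Review bot: The rule `verbs: - '*'` grants every verb on `pods` and `configmaps` in the release namespace, which is broader than pod discovery or annotation patching would plausibly need. Wildcard verbs include create and delete, and a subject that can create pods in a namespace can start workloads under any service account there. I'd enumerate the verbs instead, for example `verbs: ["get", "list", "watch", "patch"]` for pods (the exact set is an assumption to confirm against the Druid Kubernetes extension), and give configmap write access only to the components that need it. The same wildcard rule appears in the coordinator, historical and middleManager role.yaml hunks.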
diff --git a/helm/druid/templates/broker/roleBinding.yaml
b/helm/druid/templates/broker/roleBinding.yaml
new file mode 100644
index 0000000000..0667c282cf
--- /dev/null
+++ b/helm/druid/templates/broker/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.broker.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.broker.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.broker.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.broker.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
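Review bot: The subject name comes from `druid.broker.serviceAccountName`, which returns `default` when `broker.serviceAccount.create` is false and no name is set, yet this template is gated only on `rbac.create` and `broker.enabled`. With that combination the broker Role is bound to the namespace's `default` ServiceAccount, so every pod in the namespace running under that account inherits the Role's permissions. Consider gating the binding on the account as well, e.g. `{{- if and .Values.rbac.create .Values.broker.enabled (or .Values.broker.serviceAccount.create .Values.broker.serviceAccount.name) }}`. The coordinator, historical and middleManager roleBinding.yaml hunks have the same shape.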
diff --git a/helm/druid/templates/broker/serviceAccount.yaml
b/helm/druid/templates/broker/serviceAccount.yaml
new file mode 100644
index 0000000000..644aa7dad8
--- /dev/null
+++ b/helm/druid/templates/broker/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.broker.serviceAccount.create) (.Values.broker.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.broker.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.broker.serviceAccountName" . }}
+ {{- with .Values.broker.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.broker.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.broker.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
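Review bot: `automountServiceAccountToken` is copied straight from values, and the README hunk in this commit documents its default as `true` for every component. Together with the Role bound to this account, that puts a usable API token in each broker pod whether or not the process talks to the Kubernetes API; which components actually need it is not visible from this diff. Consider defaulting the value to `false` for components that do not use the API and saying in the README which ones require it. The coordinator and historical serviceAccount.yaml hunks follow the same pattern.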
diff --git a/helm/druid/templates/coordinator/deployment.yaml
b/helm/druid/templates/coordinator/deployment.yaml
index affc0ff522..66456a5112 100644
--- a/helm/druid/templates/coordinator/deployment.yaml
+++ b/helm/druid/templates/coordinator/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.coordinator.name }}
annotations:
- {{- with .Values.coordinator.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.coordinator.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.coordinator.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.coordinator.serviceAccountName" .
}}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm/druid/templates/coordinator/role.yaml
b/helm/druid/templates/coordinator/role.yaml
new file mode 100644
index 0000000000..c4dc3ba136
--- /dev/null
+++ b/helm/druid/templates/coordinator/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.coordinator.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/coordinator/roleBinding.yaml
b/helm/druid/templates/coordinator/roleBinding.yaml
new file mode 100644
index 0000000000..fd60eb5d06
--- /dev/null
+++ b/helm/druid/templates/coordinator/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.coordinator.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.coordinator.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.coordinator.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.coordinator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/coordinator/serviceAccount.yaml
b/helm/druid/templates/coordinator/serviceAccount.yaml
new file mode 100644
index 0000000000..b7778322c7
--- /dev/null
+++ b/helm/druid/templates/coordinator/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.coordinator.serviceAccount.create)
(.Values.coordinator.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.coordinator.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.coordinator.serviceAccountName" . }}
+ {{- with .Values.coordinator.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.coordinator.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.coordinator.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/role.yaml
b/helm/druid/templates/historical/role.yaml
new file mode 100644
index 0000000000..b4be8cc42f
--- /dev/null
+++ b/helm/druid/templates/historical/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.historical.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/historical/roleBinding.yaml
b/helm/druid/templates/historical/roleBinding.yaml
new file mode 100644
index 0000000000..aa9e9fbeb3
--- /dev/null
+++ b/helm/druid/templates/historical/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.historical.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.historical.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.historical.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.historical.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/historical/serviceAccount.yaml
b/helm/druid/templates/historical/serviceAccount.yaml
new file mode 100644
index 0000000000..2524503c89
--- /dev/null
+++ b/helm/druid/templates/historical/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.historical.serviceAccount.create)
(.Values.historical.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.historical.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.historical.serviceAccountName" . }}
+ {{- with .Values.historical.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.historical.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.historical.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/historical/statefulset.yaml
b/helm/druid/templates/historical/statefulset.yaml
index 8f56f9039e..0e12c6508c 100644
--- a/helm/druid/templates/historical/statefulset.yaml
+++ b/helm/druid/templates/historical/statefulset.yaml
@@ -43,14 +43,15 @@ spec:
component: {{ .Values.historical.name }}
release: {{ .Release.Name }}
annotations:
- {{- with .Values.historical.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.historical.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
{{- if or .Values.historical.antiAffinity
.Values.historical.nodeAffinity }}
affinity:
@@ -96,6 +97,9 @@ spec:
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
+ {{- if .Values.historical.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.historical.serviceAccountName" . }}
+ {{- end }}
containers:
- name: druid
args: [ "historical" ]
diff --git a/helm/druid/templates/middleManager/role.yaml
b/helm/druid/templates/middleManager/role.yaml
new file mode 100644
index 0000000000..22e0622f2c
--- /dev/null
+++ b/helm/druid/templates/middleManager/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.middleManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.middleManager.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/middleManager/roleBinding.yaml
b/helm/druid/templates/middleManager/roleBinding.yaml
new file mode 100644
index 0000000000..fbca099428
--- /dev/null
+++ b/helm/druid/templates/middleManager/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.middleManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.middleManager.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.middleManager.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.middleManager.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
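Review bot: The `subjects` entry is named by `druid.middleManager.serviceAccountName`, but the binding is gated only on `rbac.create` and `middleManager.enabled`, not on `serviceAccount.create`. The helper lives in _helpers.tpl and is not shown here. If it follows the usual chart scaffold and falls back to `default` when `create` is false and `name` is empty, this Role is bound to the namespace's shared default account and so to every pod that runs under it. I would add a template comment above `subjects:` such as `{{/* with serviceAccount.create=false, serviceAccount.name must name a dedicated account */}}` and state the same in the README. The overlord and router roleBinding.yaml files have the same shape.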
diff --git a/helm/druid/templates/middleManager/serviceAccount.yaml
b/helm/druid/templates/middleManager/serviceAccount.yaml
new file mode 100644
index 0000000000..00dc83cb1f
--- /dev/null
+++ b/helm/druid/templates/middleManager/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.middleManager.serviceAccount.create)
(.Values.middleManager.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.middleManager.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.middleManager.serviceAccountName" . }}
+ {{- with .Values.middleManager.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.middleManager.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.middleManager.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/middleManager/statefulset.yaml
b/helm/druid/templates/middleManager/statefulset.yaml
index 87da92995e..b91824e2c5 100644
--- a/helm/druid/templates/middleManager/statefulset.yaml
+++ b/helm/druid/templates/middleManager/statefulset.yaml
@@ -43,14 +43,15 @@ spec:
component: {{ .Values.middleManager.name }}
release: {{ .Release.Name }}
annotations:
- {{- with .Values.middleManager.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.middleManager.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
{{- if or .Values.middleManager.antiAffinity
.Values.middleManager.nodeAffinity }}
affinity:
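Review bot: The added `druid.k8s.enablePatching: "true"` line is emitted unconditionally and ahead of the user-supplied `podAnnotations`. A values file that sets the same key would render a duplicate mapping key, and the chart gives no way to turn the annotation off. The commit description mentions a default annotation only for the historical statefulset, yet it is also added here and in the overlord and router deployments. If it is only meaningful with the Kubernetes extensions (an inference from its name), wrap it in `{{- if .Values.rbac.create }}` … `{{- end }}` or move it into the default `podAnnotations` in values.yaml so it can be overridden.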
@@ -96,6 +97,9 @@ spec:
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- end }}
+ {{- if .Values.middleManager.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.middleManager.serviceAccountName"
. }}
+ {{- end }}
containers:
- name: druid
args: [ "middleManager" ]
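Review bot: `serviceAccountName` is rendered only when `middleManager.serviceAccount.create` is true, so a pre-existing account supplied through `serviceAccount.name` with `create: false` is never attached to the pod. The pod then runs under the namespace default account, while roleBinding.yaml still binds the Role to whatever the helper returns, so the permissions and the pod identity can diverge. Assuming the helper in _helpers.tpl (not shown) falls back to `default` as the standard scaffold does, the guard can be dropped and the line emitted always: `serviceAccountName: {{ include "druid.middleManager.serviceAccountName" . }}`. The historical statefulset and the overlord and router deployments use the same conditional. The pod spec continues outside this hunk.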
@@ -170,4 +174,4 @@ spec:
requests:
storage: "{{ .Values.middleManager.persistence.size }}"
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/druid/templates/overlord/deployment.yaml
b/helm/druid/templates/overlord/deployment.yaml
index 20b096bb6c..f347228859 100644
--- a/helm/druid/templates/overlord/deployment.yaml
+++ b/helm/druid/templates/overlord/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.overlord.name }}
annotations:
- {{- with .Values.overlord.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.overlord.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.overlord.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.overlord.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm/druid/templates/overlord/role.yaml
b/helm/druid/templates/overlord/role.yaml
new file mode 100644
index 0000000000..37ffbd8918
--- /dev/null
+++ b/helm/druid/templates/overlord/role.yaml
@@ -0,0 +1,46 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.overlord.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/overlord/roleBinding.yaml
b/helm/druid/templates/overlord/roleBinding.yaml
new file mode 100644
index 0000000000..2a5284e606
--- /dev/null
+++ b/helm/druid/templates/overlord/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.overlord.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.overlord.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.overlord.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.overlord.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/overlord/serviceAccount.yaml
b/helm/druid/templates/overlord/serviceAccount.yaml
new file mode 100644
index 0000000000..b27ea8b4b3
--- /dev/null
+++ b/helm/druid/templates/overlord/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.overlord.serviceAccount.create) (.Values.overlord.enabled)
}}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.overlord.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.overlord.serviceAccountName" . }}
+ {{- with .Values.overlord.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.overlord.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.overlord.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/templates/router/deployment.yaml
b/helm/druid/templates/router/deployment.yaml
index d2f9e7d8ed..79960fe13b 100644
--- a/helm/druid/templates/router/deployment.yaml
+++ b/helm/druid/templates/router/deployment.yaml
@@ -42,15 +42,19 @@ spec:
release: {{ .Release.Name }}
component: {{ .Values.router.name }}
annotations:
- {{- with .Values.router.podAnnotations }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.prometheus.enabled }}
- {{- with .Values.prometheus.annotation }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- end }}
+ druid.k8s.enablePatching: "true"
+ {{- with .Values.router.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.enabled }}
+ {{- with .Values.prometheus.annotation }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if .Values.router.serviceAccount.create }}
+ serviceAccountName: {{ include "druid.router.serviceAccountName" . }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm/druid/templates/router/role.yaml
b/helm/druid/templates/router/role.yaml
new file mode 100644
index 0000000000..52afc0a685
--- /dev/null
+++ b/helm/druid/templates/router/role.yaml
@@ -0,0 +1,40 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.router.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - '*'
+{{- end }}
+
diff --git a/helm/druid/templates/router/roleBinding.yaml
b/helm/druid/templates/router/roleBinding.yaml
new file mode 100644
index 0000000000..1b9e129305
--- /dev/null
+++ b/helm/druid/templates/router/roleBinding.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.rbac.create) (.Values.router.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "druid.router.fullname" . }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "druid.router.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "druid.router.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/druid/templates/router/serviceAccount.yaml
b/helm/druid/templates/router/serviceAccount.yaml
new file mode 100644
index 0000000000..d357b2bd0c
--- /dev/null
+++ b/helm/druid/templates/router/serviceAccount.yaml
@@ -0,0 +1,39 @@
+{{/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+
+{{- if and (.Values.router.serviceAccount.create) (.Values.router.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{
.Values.router.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "druid.router.serviceAccountName" . }}
+ {{- with .Values.router.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "druid.name" . }}
+ chart: {{ include "druid.chart" . }}
+ component: {{ .Values.router.name }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.router.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/druid/values.yaml b/helm/druid/values.yaml
index f7dc218bd4..dab6a49b80 100644
--- a/helm/druid/values.yaml
+++ b/helm/druid/values.yaml
@@ -26,6 +26,10 @@ configMap:
##
enabled: true
+# Required if using kubernetes extensions which modify resources like
'druid-kubernetes-extensions' or 'druid-kubernetes-overlord-extensions'
+rbac:
+ create: true
+
## Define the key value pairs in the configmap
configVars:
## DRUID env vars. ref:
https://github.com/apache/druid/blob/master/distribution/docker/druid.sh#L29
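Review bot: `rbac.create` defaults to `true`, although the comment added above it says RBAC is required only when the Kubernetes extensions are in use. A default install therefore creates the per-component Roles and RoleBindings added elsewhere in this commit, including their wildcard verbs, for deployments that never call the Kubernetes API. I would default to `create: false` and extend the comment to say what is created, e.g. `# Creates a Role and RoleBinding per enabled component; enable only with the kubernetes extensions`.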
@@ -91,6 +95,18 @@ broker:
# cpu: 250m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the broker
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
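Review bot: `automountServiceAccountToken: true` is the default in this block and in the five other `serviceAccount` blocks added below (coordinator, overlord, historical, middleManager, router). Every component pod therefore mounts an API token, even when the Kubernetes extensions are not configured. Defaulting to `false` and documenting that it must be enabled together with `rbac.create` would keep the token out of pods that do not need it. Separately, the bare `name:` parses as null; `name: ""` states the intended empty string explicitly.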
@@ -134,6 +150,18 @@ coordinator:
# cpu: 250m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the coordinator
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
@@ -168,6 +196,18 @@ overlord:
resources: {}
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []
@@ -193,7 +233,7 @@ historical:
druid_processing_numMergeBuffers: 2
druid_processing_numThreads: 1
# druid_monitoring_monitors:
'["org.apache.druid.client.cache.CacheMonitor",
"org.apache.druid.server.metrics.HistoricalMetricsMonitor",
"org.apache.druid.server.metrics.QueryCountStatsMonitor"]'
- # druid_segmentCache_locations:
'[{"path":"/var/druid/segment-cache","maxSize":300000000000}]'
+ # druid_segmentCache_locations:
'[{"path":"/opt/druid/var/druid/segment-cache","maxSize":300000000000}]'
ingress:
enabled: false
@@ -233,6 +273,18 @@ historical:
# cpu: 500m
# memory: 512Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
livenessProbeInitialDelaySeconds: 60
readinessProbeInitialDelaySeconds: 60
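Review bot: The comment `# -- Create a service account for the overlord` was copied unchanged into this historical block, and the same text appears in the middleManager and router blocks further down. It should name the component it sits under, here `# -- Create a service account for the historical`, so that generated chart documentation does not describe four different accounts as the overlord's.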
@@ -318,6 +370,18 @@ middleManager:
# cpu: 250m
# memory: 256Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
## (dict) If specified, apply these annotations to each master Pod
podAnnotations: {}
@@ -364,6 +428,18 @@ router:
# cpu: 100m
# memory: 128Mi
+ serviceAccount:
+ # -- Create a service account for the overlord
+ create: true
+ # -- Service Account name
+ name:
+ # -- Annotations applied to created service account
+ annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
+ # -- Automount API credentials for the service account
+ automountServiceAccountToken: true
+
nodeSelector: {}
tolerations: []