diff --git a/helm-chart/flink-operator/Chart.yaml b/helm-chart/flink-operator/Chart.yaml index a3b45879..ffab42a8 100644 --- a/helm-chart/flink-operator/Chart.yaml +++ b/helm-chart/flink-operator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 name: flink-operator appVersion: "1.0" description: A Helm chart for flink on Kubernetes operator -version: "0.2.3" +version: "0.2.4" keywords: - flink home: https://github.com/spotify/flink-on-k8s-operator diff --git a/helm-chart/flink-operator/README.md b/helm-chart/flink-operator/README.md index 6f3910d6..ae3a0726 100644 --- a/helm-chart/flink-operator/README.md +++ b/helm-chart/flink-operator/README.md @@ -9,9 +9,6 @@ The instructions to install the Flink operator chart: 1. Prepare a Flink operator image. You can either use a released image e.g., `ghcr.io/spotify/flink-operator:latest` or follow the instructions [here](https://github.com/spotify/flink-on-k8s-operator/blob/master/docs/developer_guide.md#build-and-push-the-operator-image) to build and push an image from the source code. 2. Run the bash script `update_template.sh` to update the manifest files in templates from the Flink operator source repo (This step is only required if you want to install from the local chart repo). - You can set the following env vars to customize the script's behaviour - - * `export IMG=` - Operator image, defaults to `flink-operator:latest` - * `export NS=` - Namespace to install the operator in, defaults to `flink-operator-system` 3. Register CRD - Don't manually register CRD unless helm install below fails (You can skip this step if your helm version is v3). diff --git a/helm-chart/flink-operator/templates/flink-cluster-crd.yaml b/helm-chart/flink-operator/templates/flink-cluster-crd.yaml index 7366677d..f5be45ac 100644 --- a/helm-chart/flink-operator/templates/flink-cluster-crd.yaml +++ b/helm-chart/flink-operator/templates/flink-cluster-crd.yaml 
@@ -3,6 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: unapproved + cert-manager.io/inject-ca-from: {{ .Values.flinkOperatorNamespace.name }}/flink-operator-serving-cert controller-gen.kubebuilder.io/version: v0.6.2 name: flinkclusters.flinkoperator.k8s.io spec: @@ -165,6 +166,7 @@ spec: configMapName: type: string mountPath: + default: /etc/hadoop/conf type: string type: object image: @@ -172,6 +174,7 @@ spec: name: type: string pullPolicy: + default: Always type: string pullSecrets: items: @@ -186,6 +189,7 @@ spec: job: properties: allowNonRestoredState: + default: false type: boolean args: items: @@ -198,7 +202,15 @@ spec: type: boolean className: type: string + classPath: + items: + type: string + type: array cleanupPolicy: + default: + afterJobCancelled: DeleteCluster + afterJobFails: KeepCluster + afterJobSucceeds: DeleteCluster properties: afterJobCancelled: type: string @@ -209,6 +221,17 @@ spec: type: object fromSavepoint: type: string + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array initContainers: items: properties: @@ -803,14 +826,21 @@ spec: minimum: 0 type: integer mode: + default: Detached + enum: + - Detached + - Blocking + - Application type: string noLoggingToStdout: + default: false type: boolean nodeSelector: additionalProperties: type: string type: object parallelism: + default: 1 format: int32 type: integer podAnnotations: @@ -828,6 +858,13 @@ spec: pyModule: type: string resources: + default: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi properties: limits: additionalProperties: @@ -847,6 +884,7 @@ spec: type: object type: object restartPolicy: + default: Never type: string savepointGeneration: format: int32 
@@ -935,17 +973,6 @@ spec: type: string type: object type: array - hostAliases: - items: - properties: - ip: - type: string - hostnames: - items: - type: string - type: array - type: object - type: array volumeMounts: items: properties: @@ -1663,13 +1690,11 @@ spec: - name type: object type: array - required: - - restartPolicy type: object jobManager: + default: + replicas: 1 properties: - accessScope: - type: string ServiceAnnotations: additionalProperties: type: string @@ -1678,6 +1703,9 @@ spec: additionalProperties: type: string type: object + accessScope: + default: Cluster + type: string extraPorts: items: properties: @@ -1698,6 +1726,17 @@ spec: - containerPort type: object type: array + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array ingress: properties: annotations: @@ -1709,6 +1748,7 @@ spec: tlsSecretName: type: string useTls: + default: false type: boolean type: object initContainers: @@ -2401,18 +2441,35 @@ spec: type: string type: object ports: + default: + blob: 6124 + query: 6125 + rpc: 6123 + ui: 8081 properties: blob: + default: 6124 format: int32 + maximum: 65535 + minimum: 1 type: integer query: + default: 6125 format: int32 + maximum: 65535 + minimum: 1 type: integer rpc: + default: 6123 format: int32 + maximum: 65535 + minimum: 1 type: integer ui: + default: 8081 format: int32 + maximum: 65535 + minimum: 1 type: integer type: object readinessProbe: @@ -2494,9 +2551,17 @@ spec: type: integer type: object replicas: + default: 1 format: int32 type: integer resources: + default: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi properties: limits: additionalProperties: @@ -3182,17 +3247,6 @@ spec: type: string type: object type: array - hostAliases: - items: - properties: - ip: - type: string - hostnames: - items: - type: string - type: array - type: object - type: array volumeClaimTemplates: items: properties: 
@@ -4072,6 +4126,7 @@ spec: type: string type: object recreateOnUpdate: + default: true type: boolean revisionHistoryLimit: format: int32 @@ -4079,9 +4134,12 @@ spec: serviceAccountName: type: string taskManager: + default: + replicas: 3 properties: deploymentType: - type: string + default: StatefulSet + type: string extraPorts: items: properties: @@ -4102,6 +4160,17 @@ spec: - containerPort type: object type: array + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array initContainers: items: properties: @@ -4792,15 +4861,28 @@ spec: type: string type: object ports: + default: + data: 6121 + query: 6125 + rpc: 6122 properties: data: + default: 6121 format: int32 + maximum: 65535 + minimum: 1 type: integer query: + default: 6125 format: int32 + maximum: 65535 + minimum: 1 type: integer rpc: + default: 6122 format: int32 + maximum: 65535 + minimum: 1 type: integer type: object readinessProbe: @@ -4882,9 +4964,17 @@ spec: type: integer type: object replicas: + default: 3 format: int32 type: integer resources: + default: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi properties: limits: additionalProperties: @@ -5570,17 +5660,6 @@ spec: type: string type: object type: array - hostAliases: - items: - properties: - ip: - type: string - hostnames: - items: - type: string - type: array - type: object - type: array volumeClaimTemplates: items: properties: @@ -6506,6 +6585,9 @@ spec: type: string state: type: string + submitterExitCode: + format: int32 + type: integer submitterName: type: string required: diff --git a/helm-chart/flink-operator/templates/flink-operator.yaml b/helm-chart/flink-operator/templates/flink-operator.yaml index fa0c9e9c..9a6a1af3 100644 --- a/helm-chart/flink-operator/templates/flink-operator.yaml +++ b/helm-chart/flink-operator/templates/flink-operator.yaml 
@@ -11,9 +11,9 @@ metadata: namespace: {{ .Values.flinkOperatorNamespace.name }} spec: ports: - - name: https - port: 8443 - targetPort: https + - name: https + port: 8443 + targetPort: https selector: control-plane: controller-manager --- @@ -24,8 +24,8 @@ metadata: namespace: {{ .Values.flinkOperatorNamespace.name }} spec: ports: - - port: 443 - targetPort: 9443 + - port: 443 + targetPort: 9443 selector: control-plane: controller-manager --- 
@@ -45,57 +45,57 @@ spec: control-plane: controller-manager template: metadata: + annotations: + kubectl.kubernetes.io/default-container: flink-operator labels: app: flink-operator control-plane: controller-manager - annotations: - kubectl.kubernetes.io/default-container: flink-operator spec: containers: - - name: kube-rbac-proxy - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: {{ .Values.rbacProxyImage.name }} - imagePullPolicy: {{ .Values.rbacProxyImage.pullPolicy }} - ports: - - containerPort: 8443 - name: https - - name: flink-operator - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - - --watch-namespace={{ .Values.watchNamespace.name }} - - --zap-devel=false - command: - - /flink-operator - image: {{ .Values.operatorImage.name }} - imagePullPolicy: {{ .Values.operatorImage.pullPolicy }} - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - requests: - cpu: {{ .Values.resources.requests.cpu }} - memory: {{ .Values.resources.requests.memory }} - limits: - cpu: {{ .Values.resources.limits.cpu }} - memory: {{ .Values.resources.limits.memory }} - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: {{ .Values.rbacProxyImage.name }} + imagePullPolicy: {{ .Values.rbacProxyImage.pullPolicy }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --metrics-addr=127.0.0.1:8080 + - --enable-leader-election + - --zap-devel=false + - --watch-namespace={{ .Values.watchNamespace.name }} + command: + - /flink-operator + image: {{ .Values.operatorImage.name }} + imagePullPolicy: {{ .Values.operatorImage.pullPolicy }} + name: flink-operator + ports: + - containerPort: 9443 + name: 
webhook-server + protocol: TCP + resources: + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true securityContext: runAsNonRoot: false serviceAccountName: {{ template "flink-operator.serviceAccountName" . }} terminationGracePeriodSeconds: 10 volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/helm-chart/flink-operator/templates/generate-cert.yaml b/helm-chart/flink-operator/templates/generate-cert.yaml deleted file mode 100644 index c3e6d652..00000000 --- a/helm-chart/flink-operator/templates/generate-cert.yaml +++ /dev/null 
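Review bot: The rewritten `kube-rbac-proxy` container entry has no `securityContext` and no `resources`, while only the `flink-operator` container sets `allowPrivilegeEscalation: false` and the pod-level `runAsNonRoot: false` is carried over unchanged. The proxy is the container listening on `0.0.0.0:8443`, so it should get at least the same `securityContext:` / `allowPrivilegeEscalation: false` pair as the operator container, and the pod should move to `runAsNonRoot: true` if both images run as a non-root UID (not visible in this diff, so confirm first). The missing `resources` look deliberate, since `update_template.sh` in this same commit runs `del($rbacProxySelector.resources)`; consider templating requests and limits for the proxy instead of dropping them. This template is generated from the kustomize output, so these changes belong in the sources under `../../config/default`, not in a hand edit here.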
@@ -1,166 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - creationTimestamp: null - name: cert-configmap - namespace: {{ .Values.flinkOperatorNamespace.name }} - labels: - app.kubernetes.io/name: flink-operator - app.kubernetes.io/component: cert-configmap -data: - cert.sh: |- - set -euxo pipefail - service="flink-operator-webhook-service" - secret="webhook-server-cert" - namespace={{ .Values.flinkOperatorNamespace.name }} - csrName="${service}.${namespace}" - tmpdir="$(mktemp -d)" - echo "Creating certs in tmpdir ${tmpdir} " - cat <> "${tmpdir}/csr.conf" - [req] - req_extensions = v3_req - distinguished_name = req_distinguished_name - [req_distinguished_name] - [ v3_req ] - basicConstraints = CA:FALSE - keyUsage = nonRepudiation, digitalSignature, keyEncipherment - extendedKeyUsage = serverAuth - subjectAltName = @alt_names - [alt_names] - DNS.1 = ${service} - DNS.2 = ${service}.${namespace} - DNS.3 = ${service}.${namespace}.svc - EOF - openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -subj "/CN=Admission Controller Webhook CA" - openssl genrsa -out ${tmpdir}/server-key.pem 2048 - - openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -config ${tmpdir}/csr.conf \ - | openssl x509 -days 3650 -req -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile "${tmpdir}/csr.conf" -out ${tmpdir}/server-cert.pem - - serverCert="$(openssl base64 -A -in ${tmpdir}/server-cert.pem)" - if [[ -z ${serverCert} ]]; then - echo "ERROR: The signed certificate did not appear." 
>&2 - exit 1 - fi - export CA_PEM_B64="$(echo ${serverCert})" - # create the secret with CA cert and server cert/key - kubectl create secret generic ${secret} \ - --from-file=tls.key=${tmpdir}/server-key.pem \ - --from-file=tls.crt=${tmpdir}/server-cert.pem \ - --dry-run -o yaml | - kubectl -n ${namespace} apply -f - - for webhook in /webhook_to_create/*; - do - echo $(cat $webhook | envsubst '${CA_PEM_B64}'); - cat $webhook | envsubst '${CA_PEM_B64}' | kubectl apply -f - - done ---- -apiVersion: v1 -kind: ConfigMap -metadata: - creationTimestamp: null - name: webhook-configmap - namespace: {{ .Values.flinkOperatorNamespace.name }} - labels: - app.kubernetes.io/name: flink-operator - app.kubernetes.io/component: webhook-configmap -data: - webook.yaml: |- - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration - metadata: - name: flink-operator-mutating-webhook-configuration - webhooks: - - clientConfig: - caBundle: $CA_PEM_B64 - service: - name: flink-operator-webhook-service - namespace: {{ .Values.flinkOperatorNamespace.name }} - path: /mutate-flinkoperator-k8s-io-v1beta1-flinkcluster - admissionReviewVersions: - - v1 - failurePolicy: Fail - name: mflinkcluster.flinkoperator.k8s.io - rules: - - apiGroups: - - flinkoperator.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - flinkclusters - sideEffects: None - --- - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - name: flink-operator-validating-webhook-configuration - webhooks: - - clientConfig: - caBundle: $CA_PEM_B64 - service: - name: flink-operator-webhook-service - namespace: {{ .Values.flinkOperatorNamespace.name }} - path: /validate-flinkoperator-k8s-io-v1beta1-flinkcluster - admissionReviewVersions: - - v1 - failurePolicy: Fail - name: vflinkcluster.flinkoperator.k8s.io - rules: - - apiGroups: - - flinkoperator.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - 
flinkclusters - sideEffects: None ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - name: cert-job - namespace: {{ .Values.flinkOperatorNamespace.name }} - labels: - app.kubernetes.io/name: flink-operator - app.kubernetes.io/component: cert-job -spec: - ttlSecondsAfterFinished: 300 - backoffLimit: 0 - completions: 1 - parallelism: 1 - template: - spec: - containers: - - command: - - "/bin/bash" - - "-ec" - - | - ls /cert_to_create - for cert in /cert_to_create/*; - do - bash $cert; - done - image: gcr.io/flink-operator/deployer:webhook-cert - imagePullPolicy: Always - name: create-cert - volumeMounts: - - name: cert-configmap - mountPath: "/cert_to_create/" - - name: webhook-configmap - mountPath: "/webhook_to_create/" - dnsPolicy: ClusterFirst - restartPolicy: Never - serviceAccountName: {{ template "flink-operator.serviceAccountName" . }} - volumes: - - name: cert-configmap - configMap: - name: cert-configmap - - name: webhook-configmap - configMap: - name: webhook-configmap diff --git a/helm-chart/flink-operator/templates/rbac.yaml b/helm-chart/flink-operator/templates/rbac.yaml index 6e0710e5..b1c164d8 100644 --- a/helm-chart/flink-operator/templates/rbac.yaml +++ b/helm-chart/flink-operator/templates/rbac.yaml 
@@ -5,46 +5,37 @@ metadata: name: flink-operator-leader-election-role namespace: {{ .Values.flinkOperatorNamespace.name }} rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -161,7 +152,7 @@ rules: - update - watch - apiGroups: - - "policy" + - policy resources: - poddisruptionbudgets verbs: @@ -171,7 +162,7 @@ rules: - list - watch - apiGroups: - - "policy" + - policy resources: - poddisruptionbudgets/status verbs: @@ -262,28 +253,28 @@ kind: ClusterRole metadata: name: flink-operator-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: flink-operator-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -295,9 +286,9 @@ roleRef: kind: Role name: flink-operator-leader-election-role subjects: -- kind: ServiceAccount - name: {{ template "flink-operator.serviceAccountName" . }} - namespace: {{ .Values.flinkOperatorNamespace.name }} + - kind: ServiceAccount + name: {{ template "flink-operator.serviceAccountName" . }} + namespace: {{ .Values.flinkOperatorNamespace.name }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -308,9 +299,9 @@ roleRef: kind: ClusterRole name: flink-operator-manager-role subjects: -- kind: ServiceAccount - name: {{ template "flink-operator.serviceAccountName" . }} - namespace: {{ .Values.flinkOperatorNamespace.name }} + - kind: ServiceAccount + name: {{ template "flink-operator.serviceAccountName" . }} + namespace: {{ .Values.flinkOperatorNamespace.name }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -321,7 +312,7 @@ roleRef: kind: ClusterRole name: flink-operator-proxy-role subjects: -- kind: ServiceAccount - name: {{ template "flink-operator.serviceAccountName" . }} - namespace: {{ .Values.flinkOperatorNamespace.name }} + - kind: ServiceAccount + name: {{ template "flink-operator.serviceAccountName" . }} + namespace: {{ .Values.flinkOperatorNamespace.name }} {{- end }} diff --git a/helm-chart/flink-operator/templates/webhook.yaml b/helm-chart/flink-operator/templates/webhook.yaml new file mode 100644 index 00000000..46497181 --- /dev/null +++ b/helm-chart/flink-operator/templates/webhook.yaml 
@@ -0,0 +1,77 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: flink-operator-serving-cert + namespace: {{ .Values.flinkOperatorNamespace.name }} +spec: + dnsNames: + - flink-operator-webhook-service.{{ .Values.flinkOperatorNamespace.name }}.svc + - flink-operator-webhook-service.{{ .Values.flinkOperatorNamespace.name }}.svc.cluster.local + issuerRef: + kind: Issuer + name: flink-operator-selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: flink-operator-selfsigned-issuer + namespace: {{ .Values.flinkOperatorNamespace.name }} +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Values.flinkOperatorNamespace.name }}/flink-operator-serving-cert + name: flink-operator-mutating-webhook-configuration +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Values.flinkOperatorNamespace.name }} + path: /mutate-flinkoperator-k8s-io-v1beta1-flinkcluster + failurePolicy: Fail + name: mflinkcluster.flinkoperator.k8s.io + rules: + - apiGroups: + - flinkoperator.k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - flinkclusters + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Values.flinkOperatorNamespace.name }}/flink-operator-serving-cert + name: flink-operator-validating-webhook-configuration +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: flink-operator-webhook-service + namespace: {{ .Values.flinkOperatorNamespace.name }} + path: /validate-flinkoperator-k8s-io-v1beta1-flinkcluster + failurePolicy: Fail + name: vflinkcluster.flinkoperator.k8s.io + rules: + - apiGroups: + - flinkoperator.k8s.io + 
apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - flinkclusters + sideEffects: None diff --git a/helm-chart/flink-operator/update_template.sh b/helm-chart/flink-operator/update_template.sh index 5be5e042..7fd79d3b 100755 --- a/helm-chart/flink-operator/update_template.sh +++ b/helm-chart/flink-operator/update_template.sh 
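Review bot: The new `cert-manager.io/v1` `Certificate` and `Issuer` objects make cert-manager a hard prerequisite of the chart, but nothing in the visible `Chart.yaml` or README changes declares or documents it. On a cluster without the cert-manager CRDs the install fails on these kinds. If the CA injector is not running, the `cert-manager.io/inject-ca-from` annotation is never acted on and `caBundle` stays unset while both webhooks use `failurePolicy: Fail`, so every FlinkCluster CREATE/UPDATE is rejected until that is fixed. Add a prerequisite line to the README install steps, for example `0. Install cert-manager (CRDs, controller and cainjector) before installing this chart.`, and consider guarding this template with a values flag for users who supply their own certificate. The webhook configuration names are also fixed cluster-scoped strings, so a second release in another namespace would collide with the first.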
@@ -1,17 +1,88 @@ #!/bin/bash -IMG="${IMG:-flink-operator:latest}" -NS="${NS:-flink-operator-system}" - -sed -e 's#image: .*#image: '"${IMG}"'#' ../../config/default/manager_image_patch.template >../../config/default/manager_image_patch.yaml -sed -i '/- \.\.\/crd/d' ../../config/default/kustomization.yaml -kubectl kustomize ../../config/default | tee templates/flink-operator.yaml -sed -i '1s/^/{{- if .Values.rbac.create }}\n/' templates/flink-operator.yaml -sed -i -e "\$a{{- end }}\n" templates/flink-operator.yaml -sed -i 's/'"${NS}"'/{{ .Values.flinkOperatorNamespace.name }}/g' templates/flink-operator.yaml -sed -i 's/replicas: 1/replicas: {{ .Values.replicas }}/g' templates/flink-operator.yaml -sed -i "s/$IMG/{{ .Values.operatorImage.name }}/g" templates/flink-operator.yaml -sed -i 's/--watch-namespace=/--watch-namespace={{ .Values.watchNamespace.name }}/' templates/flink-operator.yaml -cp ../../config/crd/bases/flinkoperator.k8s.io_flinkclusters.yaml ../../config/crd/bases - -git checkout ../../config/default/kustomization.yaml +manifests=$(mktemp /tmp/flink-operator-manifests.yaml) + +function yqi() { + yq -i "$1" "$manifests" +} + +function modifyManifests() { + deploymentSelector='select(.kind == "Deployment")' + containersSelector="$deploymentSelector.spec.template.spec.containers" + managerSelector="($containersSelector | .[] | select(.name == \"manager\"))" + rbacProxySelector="($containersSelector | .[] | select(.name == \"kube-rbac-proxy\"))" + + yqi "$rbacProxySelector"'.image = "__RBAC_PROXY_IMAGE__"' + yqi "$rbacProxySelector"'.imagePullPolicy = "__RBAC_PROXY_IMAGE_PULL_POLICY__"' + yqi "del($rbacProxySelector.resources)" + yqi "$rbacProxySelector |= sort_keys(.)" + + yqi "$managerSelector"'.args += "--watch-namespace=__WATCH_NAMESPACE__"' + yqi "$managerSelector"'.resources.limits.cpu = "__LIMITS_CPU__"' + yqi "$managerSelector"'.resources.limits.memory = "__LIMITS_MEMORY__"' + yqi "$managerSelector"'.resources.requests.cpu = "__REQUESTS_CPU__"' + 
yqi "$managerSelector"'.resources.requests.memory = "__REQUESTS_MEMORY__"' + yqi "$managerSelector"'.image = "__MANAGER_IMAGE__"' + yqi "$managerSelector"'.imagePullPolicy = "__MANAGER_IMAGE_PULL_POLICY__"' + yqi "$managerSelector"' |= sort_keys(.)' + + yqi "$containersSelector |= sort_by(.name)" + yqi "$managerSelector"'.name = "flink-operator"' + yqi "$deploymentSelector"'.spec.template.metadata.annotations["kubectl.kubernetes.io/default-container"] = "flink-operator"' + + yqi "$deploymentSelector"'.spec.replicas = "__REPLICAS__"' + yqi "$deploymentSelector"'.spec.template.spec.serviceAccountName = "__SERVICE_ACCOUNT__"' + yqi '(select(.kind == "ClusterRoleBinding" or .kind == "RoleBinding").subjects[] | select(.kind == "ServiceAccount")).name = "__SERVICE_ACCOUNT__"' +} + +function helmTemplating() { + sed 's/__WATCH_NAMESPACE__/{{ .Values.watchNamespace.name }}/' | + sed 's/__SERVICE_ACCOUNT__/{{ template "flink-operator.serviceAccountName" . }}/' | + sed 's/__NAMESPACE__/{{ .Values.flinkOperatorNamespace.name }}/g' | + sed 's/__LIMITS_CPU__/{{ .Values.resources.limits.cpu }}/' | + sed 's/__LIMITS_MEMORY__/{{ .Values.resources.limits.memory }}/' | + sed 's/__REQUESTS_CPU__/{{ .Values.resources.requests.cpu }}/' | + sed 's/__REQUESTS_MEMORY__/{{ .Values.resources.requests.memory }}/' | + sed 's/__MANAGER_IMAGE_PULL_POLICY__/{{ .Values.operatorImage.pullPolicy }}/' | + sed 's/__MANAGER_IMAGE__/{{ .Values.operatorImage.name }}/' | + sed 's/__RBAC_PROXY_IMAGE__/{{ .Values.rbacProxyImage.name }}/' | + sed 's/__RBAC_PROXY_IMAGE_PULL_POLICY__/{{ .Values.rbacProxyImage.pullPolicy }}/' | + sed 's/__REPLICAS__/{{ .Values.replicas }}/g' +} + +function separateManifests() { + yq 'select(.apiVersion == "apiextensions.k8s.io/v1")' "$manifests" | \ + helmTemplating > templates/flink-cluster-crd.yaml + + yq 'select(.apiVersion == "rbac.authorization.k8s.io/v1")' "$manifests" | \ + (echo "{{- if .Values.rbac.create }}" && cat && echo "{{- end }}") | \ + helmTemplating > 
templates/rbac.yaml + + yq 'select(.apiVersion == "cert-manager.io/v1" or .apiVersion == "admissionregistration.k8s.io/v1")' "$manifests" | \ + helmTemplating > templates/webhook.yaml + + read -r -d '' operatorSelector << EOM +select(true +and .apiVersion != "apiextensions.k8s.io/v1" +and .apiVersion != "rbac.authorization.k8s.io/v1" +and .apiVersion != "cert-manager.io/v1" +and .apiVersion != "admissionregistration.k8s.io/v1" +and .kind != "Namespace" +and .kind != "ServiceAccount" +) +EOM + yq "$operatorSelector" "$manifests" | \ + helmTemplating > templates/flink-operator.yaml +} + +function main() { + sourceKustomization="../../config/default/kustomization.yaml" + yq -i '.namespace = "__NAMESPACE__"' "$sourceKustomization" + kubectl kustomize "$(dirname $sourceKustomization)" > "$manifests" + modifyManifests + separateManifests + rm "$manifests" + git checkout "$sourceKustomization" +} + +main \ No newline at end of file
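Review bot: `mktemp /tmp/flink-operator-manifests.yaml` passes a template with no `X` placeholders, which GNU mktemp rejects, leaving `manifests` empty so that every later `yq -i`, redirect and `rm` runs against an empty path. Implementations that do accept it would create exactly that predictable name in the shared `/tmp`. Use `manifests=$(mktemp "${TMPDIR:-/tmp}/flink-operator-manifests.XXXXXX")` instead. The script also has no error handling: a failed `kubectl kustomize` still lets `separateManifests` overwrite all four templates with empty output, and an interrupted run leaves `kustomization.yaml` modified and the temp file behind. Adding `|| exit 1` to the kustomize line and `trap 'rm -f "$manifests"; git checkout -- "$sourceKustomization"' EXIT` right after `sourceKustomization` is assigned in `main` covers both; avoid a blanket `set -e`, because `read -r -d ''` on the heredoc returns non-zero by design, and quote the argument in `$(dirname "$sourceKustomization")`.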