diff --git a/charts/pulsarv2/.helmignore b/charts/pulsarv2/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/charts/pulsarv2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/pulsarv2/Chart.yaml b/charts/pulsarv2/Chart.yaml new file mode 100644 index 0000000..1dc40e8 --- /dev/null +++ b/charts/pulsarv2/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +appVersion: 2.7.4 +description: Apache Pulsar Helm chart for Kubernetes +home: https://pulsar.apache.org +icon: http://pulsar.apache.org/img/pulsar.svg +maintainers: +- name: contact + email: contact@milvus.io +name: pulsarv2 +sources: +- https://github.com/apache/pulsar +version: 2.7.8 diff --git a/charts/pulsarv2/templates/_autorecovery.tpl b/charts/pulsarv2/templates/_autorecovery.tpl new file mode 100644 index 0000000..8343589 --- /dev/null +++ b/charts/pulsarv2/templates/_autorecovery.tpl 
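Review bot: `appVersion: 2.7.4` and `version: 2.7.8` in Chart.yaml are plain scalars that parse as strings only because they carry two dots; a later two-component value such as `2.8` would silently become a float. Quote both, `appVersion: "2.7.4"` and `version: "2.7.8"`, so the type does not depend on the value. The maintainer and source entries are fine as written.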
@@ -0,0 +1,80 @@ +{{/* +Define the pulsar autorecovery service +*/}} +{{- define "pulsar.autorecovery.service" -}} +{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }} +{{- end }} + +{{/* +Define the autorecovery hostname +*/}} +{{- define "pulsar.autorecovery.hostname" -}} +${HOSTNAME}.{{ template "pulsar.autorecovery.service" . }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }} +{{- end -}} + +{{/* +Define autorecovery zookeeper client tls settings +*/}} +{{- define "pulsar.autorecovery.zookeeper.tls.settings" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true; +{{- end }} +{{- end }} + +{{/* +Define autorecovery tls certs mounts +*/}} +{{- define "pulsar.autorecovery.certs.volumeMounts" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +- name: autorecovery-certs + mountPath: "/pulsar/certs/autorecovery" + readOnly: true +- name: ca + mountPath: "/pulsar/certs/ca" + readOnly: true +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + mountPath: "/pulsar/keytool/keytool.sh" + subPath: keytool.sh +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define autorecovery tls certs volumes +*/}} +{{- define "pulsar.autorecovery.certs.volumes" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +- name: autorecovery-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key +- name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + configMap: + name: "{{ template "pulsar.fullname" . 
}}-keytool-configmap" + defaultMode: 0755 +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define autorecovery init container : verify cluster id +*/}} +{{- define "pulsar.autorecovery.init.verify_cluster_id" -}} +bin/apply-config-from-env.py conf/bookkeeper.conf; +{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}} +until bin/bookkeeper shell whatisinstanceid; do + sleep 3; +done; +{{- end }} diff --git a/charts/pulsarv2/templates/_bookkeeper.tpl b/charts/pulsarv2/templates/_bookkeeper.tpl new file mode 100644 index 0000000..5b96953 --- /dev/null +++ b/charts/pulsarv2/templates/_bookkeeper.tpl 
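Review bot: The inner `{{- if .Values.tls.zookeeper.enabled }}` around the keytool mount and volume in `pulsar.autorecovery.certs.volumeMounts` and `pulsar.autorecovery.certs.volumes` is redundant, because both sit inside an `and .Values.tls.enabled .Values.tls.zookeeper.enabled` block that already implies it; dropping it removes one nested `{{- end }}` per helper and makes plain that these mounts exist only for ZooKeeper TLS. The same redundant nesting is in `_toolset.tpl`; `_bookkeeper.tpl` and `_broker.tpl` genuinely need the inner check because their outer condition also admits bookie or broker TLS. Separately, `defaultMode: 0755` depends on YAML 1.1 octal parsing (decimal 493); a YAML 1.2 loader reads it as decimal 755, so `defaultMode: 493` with a trailing `# 0755` comment is parser-independent, and the same line appears in `_bookkeeper.tpl`, `_broker.tpl` and `_toolset.tpl`.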
@@ -0,0 +1,121 @@ +{{/* +Define the pulsar bookkeeper service +*/}} +{{- define "pulsar.bookkeeper.service" -}} +{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }} +{{- end }} + +{{/* +Define the bookkeeper hostname +*/}} +{{- define "pulsar.bookkeeper.hostname" -}} +${HOSTNAME}.{{ template "pulsar.bookkeeper.service" . }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }} +{{- end -}} + + +{{/* +Define bookie zookeeper client tls settings +*/}} +{{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true; +{{- end }} +{{- end }} + +{{/* +Define bookie tls certs mounts +*/}} +{{- define "pulsar.bookkeeper.certs.volumeMounts" -}} +{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }} +- name: bookie-certs + mountPath: "/pulsar/certs/bookie" + readOnly: true +- name: ca + mountPath: "/pulsar/certs/ca" + readOnly: true +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + mountPath: "/pulsar/keytool/keytool.sh" + subPath: keytool.sh +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define bookie tls certs volumes +*/}} +{{- define "pulsar.bookkeeper.certs.volumes" -}} +{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }} +- name: bookie-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key +- name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + configMap: + name: "{{ template "pulsar.fullname" . 
}}-keytool-configmap" + defaultMode: 0755 +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define bookie common config +*/}} +{{- define "pulsar.bookkeeper.config.common" -}} +zkServers: "{{ template "pulsar.zookeeper.connect" . }}" +zkLedgersRootPath: "{{ .Values.metadataPrefix }}/ledgers" +# enable bookkeeper http server +httpServerEnabled: "true" +httpServerPort: "{{ .Values.bookkeeper.ports.http }}" +# config the stats provider +statsProviderClass: org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider +# use hostname as the bookie id +useHostNameAsBookieID: "true" +{{- end }} + +{{/* +Define bookie tls config +*/}} +{{- define "pulsar.bookkeeper.config.tls" -}} +{{- if and .Values.tls.enabled .Values.tls.bookie.enabled }} +PULSAR_PREFIX_tlsProviderFactoryClass: org.apache.bookkeeper.tls.TLSContextFactory +PULSAR_PREFIX_tlsCertificatePath: /pulsar/certs/bookie/tls.crt +PULSAR_PREFIX_tlsKeyStoreType: PEM +PULSAR_PREFIX_tlsKeyStore: /pulsar/certs/bookie/tls.key +PULSAR_PREFIX_tlsTrustStoreType: PEM +PULSAR_PREFIX_tlsTrustStore: /pulsar/certs/ca/ca.crt +{{- end }} +{{- end }} + +{{/* +Define bookie init container : verify cluster id +*/}} +{{- define "pulsar.bookkeeper.init.verify_cluster_id" -}} +{{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }} +bin/apply-config-from-env.py conf/bookkeeper.conf; +{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} +until bin/bookkeeper shell whatisinstanceid; do + sleep 3; +done; +bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true +{{- end }} +{{- if and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence }} +set -e; +bin/apply-config-from-env.py conf/bookkeeper.conf; +{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} +until bin/bookkeeper shell whatisinstanceid; do + sleep 3; +done; +{{- end }} +{{- end }} 
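Review bot: `pulsar.bookkeeper.init.verify_cluster_id` repeats the `apply-config-from-env` / keytool / `until bin/bookkeeper shell whatisinstanceid` sequence in two mutually exclusive `if` blocks keyed on the same `and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence` expression; an `{{- if ... }}`/`{{- else }}` pair, or a shared prefix with only `set -e;` and the `bookieformat` line conditional, would stop the two copies from drifting. The non-persistent branch also has no `set -e` and ends in `bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true`, so a failed format is silent; if that is deliberate (an ephemeral bookie's cookie goes away with its volume), a comment such as `# ephemeral bookie: format is best-effort, the cookie is discarded with the volume` above it would record the reason.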
diff --git a/charts/pulsarv2/templates/_broker.tpl b/charts/pulsarv2/templates/_broker.tpl new file mode 100644 index 0000000..5614e8e --- /dev/null +++ b/charts/pulsarv2/templates/_broker.tpl 
@@ -0,0 +1,76 @@ +{{/* +Define the pulsar brroker service +*/}} +{{- define "pulsar.broker.service" -}} +{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }} +{{- end }} + +{{/* +Define the hostname +*/}} +{{- define "pulsar.broker.hostname" -}} +${HOSTNAME}.{{ template "pulsar.broker.service" . }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }} +{{- end -}} + +{{/* +Define the broker znode +*/}} +{{- define "pulsar.broker.znode" -}} +{{ .Values.metadataPrefix }}/loadbalance/brokers/{{ template "pulsar.broker.hostname" . }}:{{ .Values.broker.ports.http }} +{{- end }} + +{{/* +Define broker zookeeper client tls settings +*/}} +{{- define "pulsar.broker.zookeeper.tls.settings" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true; +{{- end }} +{{- end }} + +{{/* +Define broker tls certs mounts +*/}} +{{- define "pulsar.broker.certs.volumeMounts" -}} +{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }} +- name: broker-certs + mountPath: "/pulsar/certs/broker" + readOnly: true +- name: ca + mountPath: "/pulsar/certs/ca" + readOnly: true +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + mountPath: "/pulsar/keytool/keytool.sh" + subPath: keytool.sh +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define broker tls certs volumes +*/}} +{{- define "pulsar.broker.certs.volumes" -}} +{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }} +- name: broker-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key +- name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + 
configMap: + name: "{{ template "pulsar.fullname" . }}-keytool-configmap" + defaultMode: 0755 +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/_configurationstore.tpl b/charts/pulsarv2/templates/_configurationstore.tpl new file mode 100644 index 0000000..2eebf98 --- /dev/null +++ b/charts/pulsarv2/templates/_configurationstore.tpl @@ -0,0 +1,20 @@ +{{/* +Define configuration store endpoint +*/}} +{{- define "pulsar.configurationStore.service" -}} +{{- if .Values.pulsar_metadata.configurationStore }} +{{- .Values.pulsar_metadata.configurationStore }} +{{- else -}} +{{ template "pulsar.zookeeper.service" . }} +{{- end -}} +{{- end -}} + +{{/* +Define configuration store connection string +*/}} +{{- define "pulsar.configurationStore.connect" -}} +{{- if .Values.pulsar_metadata.configurationStore }} +{{- template "pulsar.configurationStore.service" . }}:{{ .Values.pulsar_metadata.configurationStorePort }} +{{- end -}} +{{- end -}} + diff --git a/charts/pulsarv2/templates/_helpers.tpl b/charts/pulsarv2/templates/_helpers.tpl new file mode 100644 index 0000000..0ad71f9 --- /dev/null +++ b/charts/pulsarv2/templates/_helpers.tpl 
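Review bot: The header comment on `pulsar.broker.service` reads `Define the pulsar brroker service`; it should be `Define the pulsar broker service`. The mount and volume guard nests `or` twice, `(or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled))`, but Go template's `or` is variadic, so `(or .Values.tls.broker.enabled .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)` is equivalent and easier to scan. That guard also mounts `broker-certs` from `{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}` when only bookie or ZooKeeper TLS is on, so the broker secret must exist even with broker TLS disabled; if that is intended (the broker acting as a TLS client), a one-line comment above the `if` would spare the next reader the question.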
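Review bot: `pulsar.configurationStore.connect` renders nothing when `.Values.pulsar_metadata.configurationStore` is unset, while `pulsar.configurationStore.service` falls back to `pulsar.zookeeper.service` in the same case, so the two helpers disagree about the default. If callers are expected to fall back to `pulsar.zookeeper.connect` themselves when this renders empty, say so in the header comment, e.g. `Define configuration store connection string (empty unless an external configuration store is set; callers fall back to the zookeeper connect string)`; otherwise an `else` branch mirroring `.service` should emit the ZooKeeper host and port.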
@@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +pulsar home +*/}} +{{- define "pulsar.home" -}} +{{- print "/pulsar" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "pulsar.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the namespace of the chart. +*/}} +{{- define "pulsar.namespace" -}} +{{- default .Release.Namespace .Values.namespace -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pulsar.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Define cluster's name +*/}} +{{- define "pulsar.cluster.name" -}} +{{- if .Values.clusterName }} +{{- .Values.clusterName }} +{{- else -}} +{{- template "pulsar.fullname" .}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pulsar.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the common labels. +*/}} +{{- define "pulsar.standardLabels" -}} +app: {{ template "pulsar.name" . }} +chart: {{ template "pulsar.chart" . }} +release: {{ .Release.Name }} +heritage: {{ .Release.Service }} +cluster: {{ template "pulsar.cluster.name" . }} +{{- end }} + +{{/* +Create the template labels. +*/}} +{{- define "pulsar.template.labels" -}} +app: {{ template "pulsar.name" . 
}} +release: {{ .Release.Name }} +cluster: {{ template "pulsar.cluster.name" . }} +{{- end }} + +{{/* +Create the match labels. +*/}} +{{- define "pulsar.matchLabels" -}} +app: {{ template "pulsar.name" . }} +release: {{ .Release.Name }} +{{- end }} + +{{/* +Create ImagePullSecrets +*/}} +{{- define "pulsar.imagePullSecrets" -}} +{{- if .Values.images.imagePullSecrets -}} +imagePullSecrets: +{{- range .Values.images.imagePullSecrets }} +- name: {{ . }} +{{- end }} +{{- end -}} +{{- end }} diff --git a/charts/pulsarv2/templates/_toolset.tpl b/charts/pulsarv2/templates/_toolset.tpl new file mode 100644 index 0000000..c6bf857 --- /dev/null +++ b/charts/pulsarv2/templates/_toolset.tpl 
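Review bot: `pulsar.imagePullSecrets` emits each entry as `- name: {{ . }}` unquoted, so a secret name that looks like a number or a YAML boolean would be retyped by the parser; `- name: "{{ . }}"` keeps it a string and matches how the other templates in this change quote templated names. Minor: `{{- template "pulsar.fullname" .}}` in `pulsar.cluster.name` lacks the space before `}}` that every other action in the file has.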
@@ -0,0 +1,69 @@ +{{/* +Define the pulsar toolset service +*/}} +{{- define "pulsar.toolset.service" -}} +{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }} +{{- end }} + +{{/* +Define the toolset hostname +*/}} +{{- define "pulsar.toolset.hostname" -}} +${HOSTNAME}.{{ template "pulsar.toolset.service" . }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }} +{{- end -}} + +{{/* +Define toolset zookeeper client tls settings +*/}} +{{- define "pulsar.toolset.zookeeper.tls.settings" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}} +/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true; +{{- end -}} +{{- end }} + +{{/* +Define toolset tls certs mounts +*/}} +{{- define "pulsar.toolset.certs.volumeMounts" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +- name: toolset-certs + mountPath: "/pulsar/certs/toolset" + readOnly: true +- name: ca + mountPath: "/pulsar/certs/ca" + readOnly: true +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + mountPath: "/pulsar/keytool/keytool.sh" + subPath: keytool.sh +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define toolset tls certs volumes +*/}} +{{- define "pulsar.toolset.certs.volumes" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +- name: toolset-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key +- name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt +{{- if .Values.tls.zookeeper.enabled }} +- name: keytool + configMap: + name: "{{ template "pulsar.fullname" . }}-keytool-configmap" + defaultMode: 0755 +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/_zookeeper.tpl b/charts/pulsarv2/templates/_zookeeper.tpl new file mode 100644 index 0000000..6104afc --- /dev/null 
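Review bot: `pulsar.toolset.zookeeper.tls.settings` trims whitespace on both sides of its actions (`{{- if ... -}}`, `{{- end -}}`), whereas the autorecovery, bookkeeper, broker and zookeeper equivalents use `{{- if ... }}` / `{{- end }}` and so emit a leading newline; the toolset output is therefore glued to whatever precedes it unless the caller supplies its own newline. The caller in this change pipes the result through `nindent 12`, which masks the difference, but aligning the trim markers with the sibling helpers would keep them interchangeable.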
+++ b/charts/pulsarv2/templates/_zookeeper.tpl @@ -0,0 +1,39 @@ +{{/* +Define the pulsar zookeeper +*/}} +{{- define "pulsar.zookeeper.service" -}} +{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }} +{{- end }} + +{{/* +Define the pulsar zookeeper +*/}} +{{- define "pulsar.zookeeper.connect" -}} +{{$zk:=.Values.pulsar_metadata.userProvidedZookeepers}} +{{- if and (not .Values.components.zookeeper) $zk }} +{{- $zk -}} +{{ else }} +{{- if not (and .Values.tls.enabled .Values.tls.zookeeper.enabled) -}} +{{ template "pulsar.zookeeper.service" . }}:{{ .Values.zookeeper.ports.client }} +{{- end -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}} +{{ template "pulsar.zookeeper.service" . }}:{{ .Values.zookeeper.ports.clientTls }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Define the zookeeper hostname +*/}} +{{- define "pulsar.zookeeper.hostname" -}} +${HOSTNAME}.{{ template "pulsar.zookeeper.service" . }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }} +{{- end -}} + +{{/* +Define zookeeper tls settings +*/}} +{{- define "pulsar.zookeeper.tls.settings" -}} +{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} +/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false; +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/autorecovery-configmap.yaml b/charts/pulsarv2/templates/autorecovery-configmap.yaml new file mode 100644 index 0000000..65cd644 --- /dev/null +++ b/charts/pulsarv2/templates/autorecovery-configmap.yaml 
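Review bot: `pulsar.zookeeper.connect` picks the port with two consecutive `if` blocks on the same `and .Values.tls.enabled .Values.tls.zookeeper.enabled` expression, one negated, which reads as two independent outputs; an `{{- if ... }}`/`{{- else }}` pair makes the exclusivity explicit, and the bare `{{ else }}` earlier in the helper is the only untrimmed action in the block. `pulsar.zookeeper.tls.settings` passes `false` as the last `keytool.sh` argument where every other component helper passes `true`; what that flag controls is not visible here, so a comment such as `# last argument: <meaning of the flag> — differs from the client components` would stop a later reader from "fixing" it. The header comment on `pulsar.zookeeper.connect` repeats `Define the pulsar zookeeper` from the helper above it; `Define the zookeeper connection string` describes it.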
@@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.autorecovery.component }} +data: + # common config + {{- include "pulsar.bookkeeper.config.common" . | nindent 2 }} +{{ toYaml .Values.autorecovery.configData | indent 2 }} +{{- end }} diff --git a/charts/pulsarv2/templates/autorecovery-podmonitor.yaml b/charts/pulsarv2/templates/autorecovery-podmonitor.yaml new file mode 100644 index 0000000..21d9b9f --- /dev/null +++ b/charts/pulsarv2/templates/autorecovery-podmonitor.yaml 
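Review bot: `{{ toYaml .Values.autorecovery.configData | indent 2 }}` renders the literal `null` under `data:` when `configData` is unset or empty in values, which would make the ConfigMap fail to parse; wrapping it as `{{- with .Values.autorecovery.configData }}` / `{{ toYaml . | indent 2 }}` / `{{- end }}` renders nothing in that case. This assumes the chart's values.yaml, outside this hunk, does not guarantee a non-empty map.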
@@ -0,0 +1,54 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# deploy broker PodMonitor only when `$.Values.broker.podMonitor.enabled` is true +{{- if $.Values.autorecovery.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "pulsar.name" . }}-recovery + labels: + app: {{ template "pulsar.name" . }} + chart: {{ template "pulsar.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + jobLabel: recovery + podMetricsEndpoints: + - port: http + path: /metrics + scheme: http + interval: {{ $.Values.autorecovery.podMonitor.interval }} + scrapeTimeout: {{ $.Values.autorecovery.podMonitor.scrapeTimeout }} + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: kubernetes_namespace + - sourceLabels: [__meta_kubernetes_pod_label_component] + action: replace + targetLabel: job + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: kubernetes_pod_name + selector: + matchLabels: + component: {{ .Values.autorecovery.component }} +{{- end }} \ No newline at end of file 
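Review bot: The PodMonitor's `selector.matchLabels` matches on `component` alone, with no `release` or `app` label, so it scrapes autorecovery pods of every release in the namespace, and `metadata.name` is built from `pulsar.name` rather than `pulsar.fullname`, so two releases in one namespace collide on the name; adding `{{- include "pulsar.matchLabels" . | nindent 6 }}` under `matchLabels` and naming the object `{{ template "pulsar.fullname" . }}-recovery` fixes both, in line with the StatefulSet in this change. The leading comment, `deploy broker PodMonitor only when $.Values.broker.podMonitor.enabled is true`, was carried over from the broker template and should read `deploy autorecovery PodMonitor only when $.Values.autorecovery.podMonitor.enabled is true`. The metadata also has no `namespace:` and the file has no trailing newline.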
diff --git a/charts/pulsarv2/templates/autorecovery-rbac.yaml b/charts/pulsarv2/templates/autorecovery-rbac.yaml new file mode 100644 index 0000000..78c0447 --- /dev/null +++ b/charts/pulsarv2/templates/autorecovery-rbac.yaml 
@@ -0,0 +1,89 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and .Values.rbac.enabled .Values.rbac.psp }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . 
}} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/pulsarv2/templates/autorecovery-service.yaml b/charts/pulsarv2/templates/autorecovery-service.yaml new file mode 100644 index 0000000..a6cb064 --- /dev/null +++ b/charts/pulsarv2/templates/autorecovery-service.yaml 
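Review bot: The `PodSecurityPolicy` is emitted with `apiVersion: policy/v1beta1` and a `metadata.namespace`, but PSP is cluster-scoped and the API was removed in Kubernetes 1.25, so enabling `rbac.psp` on a current cluster fails at install; at minimum the `namespace:` line on the PSP should go, and the block should either be gated on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` or documented with the version ceiling. Since the ServiceAccount exists only so the pod can `use` the PSP and the autorecovery container makes no API calls visible in this change, `automountServiceAccountToken: false` on the ServiceAccount would keep an API token out of the pod. `runAsUser: rule: 'RunAsAny'` and `readOnlyRootFilesystem: false` are permissive; if the image requires root, a comment saying so would explain why `MustRunAsNonRoot` was not used.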
@@ -0,0 +1,39 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.autorecovery.component }} +spec: + ports: + - name: http + port: {{ .Values.autorecovery.ports.http }} + clusterIP: None + selector: + app: {{ template "pulsar.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.autorecovery.component }} +{{- end }} + diff --git a/charts/pulsarv2/templates/autorecovery-statefulset.yaml b/charts/pulsarv2/templates/autorecovery-statefulset.yaml new file mode 100644 index 0000000..2b8a727 --- /dev/null +++ b/charts/pulsarv2/templates/autorecovery-statefulset.yaml 
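Review bot: The Service `selector` spells out `app` and `release` by hand while the StatefulSet in this change derives them from `pulsar.matchLabels`; using `{{- include "pulsar.matchLabels" . | nindent 4 }}` followed by `component: {{ .Values.autorecovery.component }}` here keeps the Service and the pods it targets from drifting if the helper changes. The headless `clusterIP: None` matches the StatefulSet's `serviceName`, so nothing else to raise.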
@@ -0,0 +1,155 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.autorecovery.component }} +spec: + serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + replicas: {{ .Values.autorecovery.replicaCount }} + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + # nodeSelector: + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.autorecovery.component }} + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.autorecovery.component }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.autorecovery.ports.http }}" + {{- if .Values.autorecovery.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/autorecovery-configmap.yaml") . 
| sha256sum }} + {{- end }} +{{- with .Values.autorecovery.annotations }} +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.autorecovery.nodeSelector }} + nodeSelector: +{{ toYaml .Values.autorecovery.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.autorecovery.tolerations }} + tolerations: +{{- with .Values.autorecovery.tolerations }} +{{ toYaml . | indent 8 }} +{{- end }} + {{- end }} + affinity: + {{- if and .Values.affinity.anti_affinity .Values.autorecovery.affinity.anti_affinity}} + podAntiAffinity: + {{ if eq .Values.autorecovery.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}} + {{ .Values.autorecovery.affinity.type }}: + - labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.autorecovery.component }} + topologyKey: "kubernetes.io/hostname" + {{ else }} + {{ .Values.autorecovery.affinity.type }}: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.autorecovery.component }} + topologyKey: "kubernetes.io/hostname" + {{ end }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + serviceAccountName: "{{ template "pulsar.fullname" . 
}}-{{ .Values.autorecovery.component }}" + {{- end}} + initContainers: + # This initContainer will wait for bookkeeper initnewcluster to complete + # before deploying the bookies + - name: pulsar-bookkeeper-verify-clusterid + image: "{{ .Values.images.autorecovery.repository }}:{{ .Values.images.autorecovery.tag }}" + imagePullPolicy: {{ .Values.images.autorecovery.pullPolicy }} + command: ["sh", "-c"] + args: + - > + {{- include "pulsar.autorecovery.init.verify_cluster_id" . | nindent 10 }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + volumeMounts: + {{- include "pulsar.autorecovery.certs.volumeMounts" . | nindent 8 }} + containers: + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + image: "{{ .Values.images.autorecovery.repository }}:{{ .Values.images.autorecovery.tag }}" + imagePullPolicy: {{ .Values.images.autorecovery.pullPolicy }} + {{- if .Values.autorecovery.resources }} + resources: +{{ toYaml .Values.autorecovery.resources | indent 10 }} + {{- end }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end}} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/bookkeeper.conf; + {{- include "pulsar.autorecovery.zookeeper.tls.settings" . | nindent 10 }} + OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/bookkeeper autorecovery + ports: + - name: http + containerPort: {{ .Values.autorecovery.ports.http }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + volumeMounts: + {{- include "pulsar.autorecovery.certs.volumeMounts" . | nindent 8 }} + volumes: + {{- include "pulsar.autorecovery.certs.volumes" . | nindent 6 }} + {{- include "pulsar.imagePullSecrets" . | nindent 6}} +{{- end }} + 
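Review bot: The container `securityContext` is emitted only when `rbac.psp` is enabled and then sets just `readOnlyRootFilesystem: false`, so on clusters without PSP the pod runs with no hardening at all even though the PSP in this change asserts `privileged: false` and `allowPrivilegeEscalation: false`; those two can be set unconditionally on the container, `allowPrivilegeEscalation: false` and `privileged: false`, independent of the RBAC flag. The init-container comment `This initContainer will wait for bookkeeper initnewcluster to complete / before deploying the bookies` was copied from the bookie StatefulSet; here it should end `before starting autorecovery`. The `affinity:` key is always rendered, so with anti-affinity disabled it becomes `affinity: null`, which Kubernetes accepts but reads oddly; moving the key inside the `{{- if and .Values.affinity.anti_affinity ... }}` block avoids it.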
diff --git a/charts/pulsarv2/templates/bookkeeper-cluster-initialize.yaml b/charts/pulsarv2/templates/bookkeeper-cluster-initialize.yaml
new file mode 100644
index 0000000..9f9f33a
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-cluster-initialize.yaml
@@ -0,0 +1,88 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+{{- if or .Release.IsInstall .Values.initialize }}
+{{- if .Values.components.bookkeeper }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-init"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: "{{ .Values.bookkeeper.component }}-init"
+spec:
+ template:
+ spec:
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ {{- end }}
+ initContainers:
+ - name: wait-zookeeper-ready
+ image: "{{ .Values.images.bookie.repository }}:{{ .Values.images.bookie.tag }}"
+ imagePullPolicy: {{ .Values.images.bookie.pullPolicy }}
+ command: ["sh", "-c"]
+ args:
+ - >-
+ {{- if $zk:=.Values.pulsar_metadata.userProvidedZookeepers }}
+ until bin/pulsar zookeeper-shell -server {{ $zk }} ls {{ or .Values.metadataPrefix "/" }}; do
+ echo "user provided zookeepers {{ $zk }} are unreachable... check in 3 seconds ..." && sleep 3;
+ done;
+ {{ else }}
+ until nslookup {{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ add (.Values.zookeeper.replicaCount | int) -1 }}.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}; do
+ sleep 3;
+ done;
+ {{- end}}
+ containers:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-init"
+ image: "{{ .Values.images.bookie.repository }}:{{ .Values.images.bookie.tag }}"
+ imagePullPolicy: {{ .Values.images.bookie.pullPolicy }}
+ {{- if .Values.bookkeeper.metadata.resources }}
+ resources:
+{{ toYaml .Values.bookkeeper.metadata.resources | indent 10 }}
+ {{- end }}
+ command: ["sh", "-c"]
+ args:
+ - >
+ bin/apply-config-from-env.py conf/bookkeeper.conf;
+ {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 12 }}
+ if bin/bookkeeper shell whatisinstanceid; then
+ echo "bookkeeper cluster already initialized";
+ else
+ {{- if not (eq .Values.metadataPrefix "") }}
+ bin/bookkeeper org.apache.zookeeper.ZooKeeperMain -server {{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }} create {{ .Values.metadataPrefix }} 'created for pulsar cluster "{{ template "pulsar.cluster.name" . }}"' || yes &&
+ {{- end }}
+ bin/bookkeeper shell initnewcluster;
+ fi
+ {{- if .Values.extraInitCommand }}
+ {{ .Values.extraInitCommand }}
+ {{- end }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ volumeMounts:
+ {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
+ volumes:
+ {{- include "pulsar.toolset.certs.volumes" . | nindent 6 }}
+ restartPolicy: Never
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/bookkeeper-configmap.yaml b/charts/pulsarv2/templates/bookkeeper-configmap.yaml
new file mode 100644
index 0000000..a99ee20
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-configmap.yaml
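Review bot: The `|| yes &&` after the ZooKeeperMain `create` in the init container's script is a hang risk rather than a no-op: if `create` exits non-zero (which newer ZooKeeper CLIs do on errors such as an already-existing node, e.g. on a re-run with `initialize: true`), `yes` prints "y" to stdout forever, `initnewcluster` is never reached and the Job never completes. The shell idiom for "ignore this failure" is `|| true &&`. Separately, `.Values.extraInitCommand` is spliced verbatim into the same `sh -c` script, so the value is executed as-is inside the init container; that should be stated next to the key in values.yaml so operators treat the values file as code. The Job sets `restartPolicy: Never` but no `backoffLimit`, so a persistently failing init creates the default six pods before giving up — worth a comment or an explicit value.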
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.bookkeeper }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+data:
+ # common config
+ {{- include "pulsar.bookkeeper.config.common" . | nindent 2 }}
+ {{- if .Values.components.autorecovery }}
+ # disable auto recovery on bookies since we will start AutoRecovery in separated pods
+ autoRecoveryDaemonEnabled: "false"
+ {{- end }}
+ # Do not retain journal files as it increase the disk utilization
+ journalMaxBackups: "0"
+ journalDirectories: "/pulsar/data/bookkeeper/journal"
+ PULSAR_PREFIX_journalDirectories: "/pulsar/data/bookkeeper/journal"
+ ledgerDirectories: "/pulsar/data/bookkeeper/ledgers"
+ # TLS config
+ {{- include "pulsar.bookkeeper.config.tls" . | nindent 2 }}
+{{ toYaml .Values.bookkeeper.configData | indent 2 }}
+{{- end }}
\ No newline at end of file
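Review bot: `{{ toYaml .Values.bookkeeper.configData | indent 2 }}` at the bottom of `data:` renders each value with its YAML type, but ConfigMap `data` accepts only strings, so a numeric or boolean entry in `bookkeeper.configData` (e.g. `journalMaxBackups: 0` instead of `"0"`) is rejected by the API server at install time rather than applied. Rendering the entries quoted avoids that: `{{- range $k, $v := .Values.bookkeeper.configData }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`. Because the block is emitted last, any key in configData that repeats one rendered above (`journalDirectories`, `ledgerDirectories`, the TLS keys) yields a duplicate mapping key, which is either a parse error or silent last-wins depending on the YAML library; a comment such as `# configData is merged last and overrides the fixed keys above` would make that contract explicit. The file also lacks a trailing newline.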
diff --git a/charts/pulsarv2/templates/bookkeeper-pdb.yaml b/charts/pulsarv2/templates/bookkeeper-pdb.yaml
new file mode 100644
index 0000000..74e1503
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-pdb.yaml
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.bookkeeper }}
+{{- if .Values.bookkeeper.pdb.usePolicy }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.bookkeeper.component }}
+ maxUnavailable: {{ .Values.bookkeeper.pdb.maxUnavailable }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/bookkeeper-podmonitor.yaml b/charts/pulsarv2/templates/bookkeeper-podmonitor.yaml
new file mode 100644
index 0000000..45a4aad
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-podmonitor.yaml
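Review bot: `apiVersion: policy/v1beta1` for the PodDisruptionBudget in bookkeeper-pdb.yaml is an API that Kubernetes removed in 1.25 (`policy/v1` has been served since 1.21), so `bookkeeper.pdb.usePolicy: true` makes the release fail to install on current clusters. Choosing the version from the cluster's capabilities keeps both generations working: `apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") }}`. Note that `helm template` without `--api-versions` only knows the built-in set, so the rendered output should be checked for both branches.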
@@ -0,0 +1,54 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# deploy bookkeeper PodMonitor only when `$.Values.bookkeeper.podMonitor.enabled` is true
+{{- if $.Values.bookkeeper.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ template "pulsar.name" . }}-bookie
+ labels:
+ app: {{ template "pulsar.name" . }}
+ chart: {{ template "pulsar.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ jobLabel: bookie
+ podMetricsEndpoints:
+ - port: http
+ path: /metrics
+ scheme: http
+ interval: {{ $.Values.bookkeeper.podMonitor.interval }}
+ scrapeTimeout: {{ $.Values.bookkeeper.podMonitor.scrapeTimeout }}
+ relabelings:
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: kubernetes_namespace
+ - sourceLabels: [__meta_kubernetes_pod_label_component]
+ action: replace
+ targetLabel: job
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: kubernetes_pod_name
+ selector:
+ matchLabels:
+ component: bookie
+{{- end }}
\ No newline at end of file
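Review bot: The `selector.matchLabels` at the end of the spec matches only `component: bookie`, so this PodMonitor scrapes bookie pods of every release in the namespace and matches nothing at all when `bookkeeper.component` is customised, whereas the other bookkeeper templates in this commit select with `pulsar.matchLabels` plus the component value. Replace the selector body with `{{- include "pulsar.matchLabels" . | nindent 6 }}` followed by `component: {{ .Values.bookkeeper.component }}`. The resource also has no `namespace:` and uses `pulsar.name` with hand-written `app/chart/release/heritage` labels instead of `pulsar.fullname` and `pulsar.standardLabels`; aligning it with the rest of the chart keeps the PodMonitor name unique per release. The `labelmap` relabeling copies every pod label into metric labels, which deserves a one-line comment since label cardinality is then set by whoever labels the pods.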
diff --git a/charts/pulsarv2/templates/bookkeeper-rbac.yaml b/charts/pulsarv2/templates/bookkeeper-rbac.yaml
new file mode 100644
index 0000000..0b7213d
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-rbac.yaml
@@ -0,0 +1,89 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ readOnlyRootFilesystem: false
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ {{- end}}
diff --git a/charts/pulsarv2/templates/bookkeeper-service.yaml b/charts/pulsarv2/templates/bookkeeper-service.yaml
new file mode 100644
index 0000000..c434a4b
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-service.yaml
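Review bot: The `PodSecurityPolicy` document at the end of the hunk, and the Role whose only rule is `use` on it, target `policy/v1beta1`, an API deprecated in Kubernetes 1.21 and removed in 1.25, so `rbac.psp: true` breaks installation on current clusters; Pod Security Admission labels on the namespace plus pod-level `securityContext` are the replacement. As written the policy is also permissive — `runAsUser: RunAsAny` together with `readOnlyRootFilesystem: false` and no `requiredDropCapabilities` means it never requires the bookie to run non-root or drop capabilities, so it documents more than it constrains; a comment stating that intent would help whoever migrates it. `namespace:` on the PSP is meaningless because the kind is cluster-scoped; the same line appears on the cluster-scoped StorageClass objects in bookkeeper-storageclass.yaml. The closing `{{- end}}` is indented by two spaces while its `{{- if` sits at column 0, harmless to Helm but worth aligning.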
@@ -0,0 +1,46 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.bookkeeper }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+{{- if .Values.bookkeeper.service.annotations }}
+ annotations:
+{{ toYaml .Values.bookkeeper.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: "{{ .Values.tcpPrefix }}bookie"
+ port: {{ .Values.bookkeeper.ports.bookie }}
+ - name: http
+ port: {{ .Values.bookkeeper.ports.http }}
+ clusterIP: None
+ selector:
+ {{- include "pulsar.matchLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+ {{- if .Values.bookkeeper.service.spec }}
+ {{- toYaml .Values.bookkeeper.service.spec | trim | nindent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/bookkeeper-statefulset.yaml b/charts/pulsarv2/templates/bookkeeper-statefulset.yaml
new file mode 100644
index 0000000..9ada5aa
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-statefulset.yaml
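Review bot: `{{- toYaml .Values.bookkeeper.service.spec | trim | nindent 2 }}` is appended after `ports`, `clusterIP` and `selector`, so any of those keys present in `bookkeeper.service.spec` becomes a duplicate mapping key in the rendered manifest; depending on the YAML library Helm links this is either a parse error or silent last-wins, and in the last-wins case a values-supplied `selector` would quietly point the headless Service at a different set of pods. Either state the restriction with a comment above the include, `# service.spec is merged verbatim; it must not repeat ports, clusterIP or selector`, or render only the keys not already set. The annotations block uses `toYaml | indent 4` while the rest of the chart uses `nindent`; both work, but mixing the two styles makes the indentation harder to audit.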
@@ -0,0 +1,257 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.bookkeeper }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+spec:
+ serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ replicas: {{ .Values.bookkeeper.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.bookkeeper.component }}
+ updateStrategy:
+{{ toYaml .Values.bookkeeper.updateStrategy | indent 4 }}
+ podManagementPolicy: {{ .Values.bookkeeper.podManagementPolicy }}
+ template:
+ metadata:
+ labels:
+ {{- include "pulsar.template.labels" . | nindent 8 }}
+ component: {{ .Values.bookkeeper.component }}
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.bookkeeper.ports.http }}"
+ {{- if .Values.bookkeeper.restartPodsOnConfigMapChange }}
+ checksum/config: {{ include (print $.Template.BasePath "/bookkeeper-configmap.yaml") . | sha256sum }}
+ {{- end }}
+{{- with .Values.bookkeeper.annotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.bookkeeper.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.bookkeeper.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.bookkeeper.tolerations }}
+ tolerations:
+{{ toYaml .Values.bookkeeper.tolerations | indent 8 }}
+ {{- end }}
+ affinity:
+ {{- if and .Values.affinity.anti_affinity .Values.bookkeeper.affinity.anti_affinity}}
+ podAntiAffinity:
+ {{ if eq .Values.bookkeeper.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}}
+ {{ .Values.bookkeeper.affinity.type }}:
+ - labelSelector:
+ matchExpressions:
+ - key: "app"
+ operator: In
+ values:
+ - "{{ template "pulsar.name" . }}"
+ - key: "release"
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ - key: "component"
+ operator: In
+ values:
+ - {{ .Values.bookkeeper.component }}
+ topologyKey: "kubernetes.io/hostname"
+ {{ else }}
+ {{ .Values.bookkeeper.affinity.type }}:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app"
+ operator: In
+ values:
+ - "{{ template "pulsar.name" . }}"
+ - key: "release"
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ - key: "component"
+ operator: In
+ values:
+ - {{ .Values.bookkeeper.component }}
+ topologyKey: "kubernetes.io/hostname"
+ {{ end }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.bookkeeper.gracePeriod }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ {{- end}}
+ initContainers:
+ # This initContainer will wait for bookkeeper initnewcluster to complete
+ # before deploying the bookies
+ - name: pulsar-bookkeeper-verify-clusterid
+ image: "{{ .Values.images.bookie.repository }}:{{ .Values.images.bookie.tag }}"
+ imagePullPolicy: {{ .Values.images.bookie.pullPolicy }}
+ command: ["sh", "-c"]
+ args:
+ # only reformat bookie if bookkeeper is running without persistence
+ - >
+ {{- include "pulsar.bookkeeper.init.verify_cluster_id" . | nindent 10 }}
+ envFrom:
+ - configMapRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end}}
+ volumeMounts:
+ {{- include "pulsar.bookkeeper.certs.volumeMounts" . | nindent 8 }}
+ containers:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ image: "{{ .Values.images.bookie.repository }}:{{ .Values.images.bookie.tag }}"
+ imagePullPolicy: {{ .Values.images.bookie.pullPolicy }}
+ {{- if .Values.bookkeeper.probe.liveness.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /api/v1/bookie/state
+ port: {{ .Values.bookkeeper.ports.http }}
+ initialDelaySeconds: {{ .Values.bookkeeper.probe.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.bookkeeper.probe.liveness.periodSeconds }}
+ timeoutSeconds: {{ .Values.bookkeeper.probe.liveness.timeoutSeconds }}
+ failureThreshold: {{ .Values.bookkeeper.probe.liveness.failureThreshold }}
+ {{- end }}
+ {{- if .Values.bookkeeper.probe.readiness.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /api/v1/bookie/is_ready
+ port: {{ .Values.bookkeeper.ports.http }}
+ initialDelaySeconds: {{ .Values.bookkeeper.probe.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.bookkeeper.probe.readiness.periodSeconds }}
+ timeoutSeconds: {{ .Values.bookkeeper.probe.readiness.timeoutSeconds }}
+ failureThreshold: {{ .Values.bookkeeper.probe.readiness.failureThreshold }}
+ {{- end }}
+ {{- if .Values.bookkeeper.probe.startup.enabled }}
+ startupProbe:
+ httpGet:
+ path: /api/v1/bookie/is_ready
+ port: {{ .Values.bookkeeper.ports.http }}
+ initialDelaySeconds: {{ .Values.bookkeeper.probe.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.bookkeeper.probe.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.bookkeeper.probe.startup.timeoutSeconds }}
+ failureThreshold: {{ .Values.bookkeeper.probe.startup.failureThreshold }}
+ {{- end }}
+ {{- if .Values.bookkeeper.resources }}
+ resources:
+{{ toYaml .Values.bookkeeper.resources | indent 10 }}
+ {{- end }}
+ command: ["sh", "-c"]
+ args:
+ - >
+ bin/apply-config-from-env.py conf/bookkeeper.conf;
+ {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }}
+ OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie;
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end}}
+ ports:
+ - name: "{{ .Values.tcpPrefix }}bookie"
+ containerPort: {{ .Values.bookkeeper.ports.bookie }}
+ - name: http
+ containerPort: {{ .Values.bookkeeper.ports.http }}
+ envFrom:
+ - configMapRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ volumeMounts:
+ {{- if .Values.bookkeeper.volumes.useSingleCommonVolume }}
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.common.name }}"
+ mountPath: /pulsar/data/bookkeeper
+ {{- else }}
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
+ mountPath: /pulsar/data/bookkeeper/journal
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
+ mountPath: /pulsar/data/bookkeeper/ledgers
+ {{- end}}
+ {{- if .Values.bookkeeper.extraVolumeMounts }}
+{{ toYaml .Values.bookkeeper.extraVolumeMounts | indent 8 }}
+ {{- end }}
+ {{- include "pulsar.bookkeeper.certs.volumeMounts" . | nindent 8 }}
+ volumes:
+ {{- if not (and (and .Values.persistence .Values.volumes.persistence) .Values.bookkeeper.volumes.persistence) }}
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
+ emptyDir: {}
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
+ emptyDir: {}
+ {{- end }}
+ {{- include "pulsar.bookkeeper.certs.volumes" . | nindent 6 }}
+ {{- include "pulsar.imagePullSecrets" . | nindent 6}}
+ {{- if .Values.bookkeeper.extraVolumes }}
+{{ toYaml .Values.bookkeeper.extraVolumes | indent 6 }}
+ {{- end }}
+{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.bookkeeper.volumes.persistence}}
+ volumeClaimTemplates:
+ {{- if .Values.bookkeeper.volumes.useSingleCommonVolume }}
+ - metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.common.name }}"
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.bookkeeper.volumes.common.size }}
+ {{- if .Values.bookkeeper.volumes.common.storageClassName }}
+ storageClassName: "{{ .Values.bookkeeper.volumes.common.storageClassName }}"
+ {{- else if and (not (and .Values.volumes.local_storage .Values.bookkeeper.volumes.common.local_storage)) .Values.bookkeeper.volumes.common.storageClass }}
+ storageClassName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.common.name }}"
+ {{- else if and .Values.volumes.local_storage .Values.bookkeeper.volumes.common.local_storage }}
+ storageClassName: "local-storage"
+ {{- end }}
+ {{- else }}
+ - metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.bookkeeper.volumes.journal.size }}
+ {{- if .Values.bookkeeper.volumes.journal.storageClassName }}
+ storageClassName: "{{ .Values.bookkeeper.volumes.journal.storageClassName }}"
+ {{- else if and (not (and .Values.volumes.local_storage .Values.bookkeeper.volumes.journal.local_storage)) .Values.bookkeeper.volumes.journal.storageClass }}
+ storageClassName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
+ {{- else if and .Values.volumes.local_storage .Values.bookkeeper.volumes.journal.local_storage }}
+ storageClassName: "local-storage"
+ {{- end }}
+ - metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.bookkeeper.volumes.ledgers.size }}
+ {{- if .Values.bookkeeper.volumes.ledgers.storageClassName }}
+ storageClassName: "{{ .Values.bookkeeper.volumes.ledgers.storageClassName }}"
+ {{- else if and (not (and .Values.volumes.local_storage .Values.bookkeeper.volumes.ledgers.local_storage)) .Values.bookkeeper.volumes.ledgers.storageClass }}
+ storageClassName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
+ {{- else if and .Values.volumes.local_storage .Values.bookkeeper.volumes.ledgers.local_storage }}
+ storageClassName: "local-storage"
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
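Review bot: With `bookkeeper.volumes.useSingleCommonVolume: true` and persistence disabled, the container mounts `…-{{ .Values.bookkeeper.volumes.common.name }}` but the `volumes:` block only declares the `journal` and `ledgers` emptyDirs, so the pod references a volume that is never defined and the API server rejects the StatefulSet. The emptyDir fallback needs the same `useSingleCommonVolume` branch that the `volumeMounts` and `volumeClaimTemplates` sections already have; the rewritten block is below. Separately, the pod only receives a `securityContext` when `rbac.psp` is enabled, and even then it sets just `readOnlyRootFilesystem: false`; with no `runAsNonRoot`/`runAsUser` the bookie runs as whatever the image defaults to, which should at least be stated in a comment or exposed through values. The untrimmed `{{ if … }}`/`{{ else }}`/`{{ end }}` lines in the affinity block leak blank lines into the manifest; `{{- … }}` keeps the output clean.
```yaml
      volumes:
      {{- if not (and (and .Values.persistence .Values.volumes.persistence) .Values.bookkeeper.volumes.persistence) }}
      {{- if .Values.bookkeeper.volumes.useSingleCommonVolume }}
      # non-persistent deployment: a single scratch volume backs the whole data directory
      - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.common.name }}"
        emptyDir: {}
      {{- else }}
      - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
        emptyDir: {}
      - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
        emptyDir: {}
      {{- end }}
      {{- end }}
      # … unchanged: certs volumes, imagePullSecrets, extraVolumes, volumeClaimTemplates …
```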
diff --git a/charts/pulsarv2/templates/bookkeeper-storageclass.yaml b/charts/pulsarv2/templates/bookkeeper-storageclass.yaml
new file mode 100644
index 0000000..a105d89
--- /dev/null
+++ b/charts/pulsarv2/templates/bookkeeper-storageclass.yaml
@@ -0,0 +1,74 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.bookkeeper }}
+{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.bookkeeper.volumes.persistence }}
+{{- if not .Values.volumes.local_storage }}
+
+{{- if .Values.bookkeeper.volumes.useSingleCommonVolume}}
+{{- if and (not .Values.bookkeeper.volumes.common.local_storage) .Values.bookkeeper.volumes.common.storageClass }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.common.name }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+provisioner: {{ .Values.bookkeeper.volumes.common.storageClass.provisioner }}
+parameters:
+ type: {{ .Values.bookkeeper.volumes.common.storageClass.type }}
+ fsType: {{ .Values.bookkeeper.volumes.common.storageClass.fsType }}
+{{- end }}
+{{- else }}
+
+{{- if and (not .Values.bookkeeper.volumes.journal.local_storage) .Values.bookkeeper.volumes.journal.storageClass }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.journal.name }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+provisioner: {{ .Values.bookkeeper.volumes.journal.storageClass.provisioner }}
+parameters:
+ type: {{ .Values.bookkeeper.volumes.journal.storageClass.type }}
+ fsType: {{ .Values.bookkeeper.volumes.journal.storageClass.fsType }}
+{{- end }}
+---
+{{- if and (not .Values.bookkeeper.volumes.ledgers.local_storage) .Values.bookkeeper.volumes.ledgers.storageClass }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ .Values.bookkeeper.volumes.ledgers.name }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.bookkeeper.component }}
+provisioner: {{ .Values.bookkeeper.volumes.ledgers.storageClass.provisioner }}
+parameters:
+ type: {{ .Values.bookkeeper.volumes.ledgers.storageClass.type }}
+ fsType: {{ .Values.bookkeeper.volumes.ledgers.storageClass.fsType }}
+{{- end }}
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/broker-cluster-role-binding.yaml b/charts/pulsarv2/templates/broker-cluster-role-binding.yaml
new file mode 100644
index 0000000..706e1ba
--- /dev/null
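Review bot: The outer `{{- if not .Values.volumes.local_storage }}` gate at the top of the file disagrees with the PVC logic in bookkeeper-statefulset.yaml: the StatefulSet selects the chart-managed class `…-{{ .Values.bookkeeper.volumes.journal.name }}` whenever `not (and .Values.volumes.local_storage .Values.bookkeeper.volumes.journal.local_storage)` holds and `storageClass` is set, so with `volumes.local_storage: true` but a per-volume `local_storage: false` the PVCs reference a StorageClass this template never renders and stay Pending. Dropping the outer gate and using the StatefulSet's condition in each inner `if`, e.g. `{{- if and (not (and .Values.volumes.local_storage .Values.bookkeeper.volumes.journal.local_storage)) .Values.bookkeeper.volumes.journal.storageClass }}`, keeps the two files consistent. The unconditional `---` between the journal and ledgers blocks emits an empty document whenever one of the two classes is disabled; Helm tolerates that, but moving it inside the conditional is cleaner.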
+++ b/charts/pulsarv2/templates/broker-cluster-role-binding.yaml 
@@ -0,0 +1,83 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.broker }}
+## TODO create our own cluster role with less privledges than admin
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.limit_to_namespace }}
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-rolebinding"
+{{- else}}
+kind: ClusterRoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-clusterrolebinding"
+{{- end}}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+{{- if .Values.rbac.limit_to_namespace }}
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-role"
+{{- else}}
+ kind: ClusterRole
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-clusterrole"
+{{- end}}
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.limit_to_namespace }}
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-role"
+{{- else}}
+kind: ClusterRole
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-clusterrole"
+{{- end}}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["", "extensions", "apps"]
+ resources:
+ - pods
+ - services
+ - deployments
+ - secrets
+ - statefulsets
+ verbs:
+ - list
+ - watch
+ - get
+ - update
+ - create
+ - delete
+ - patch
+---
+
+{{- end }}
diff --git a/charts/pulsarv2/templates/broker-configmap.yaml b/charts/pulsarv2/templates/broker-configmap.yaml
new file mode 100644
index 0000000..b67e5a8
--- /dev/null
+++ b/charts/pulsarv2/templates/broker-configmap.yaml
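Review bot: The (Cluster)Role at the end of the hunk grants `get/list/watch/update/create/delete/patch` on `secrets` (alongside pods, services, deployments and statefulsets) to the broker service account, and when `rbac.limit_to_namespace` is false it does so for the whole cluster, so a compromised broker could read or rewrite every Secret on the cluster; the `## TODO` comment acknowledges the problem but the default path still ships it. A least-privilege shape would default `limit_to_namespace` to true and emit the second rule only under `{{- if or .Values.components.functions .Values.extra.functionsAsPods }}`, since these verbs are presumably there for the Kubernetes function runtime — broker-configmap.yaml gates `functionsWorkerEnabled` on the same condition. `extensions` in `apiGroups` no longer serves deployments or statefulsets on supported clusters and can be dropped from the list. The trailing `---` before `{{- end }}` emits an empty final document; harmless, but it can go.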
@@ -0,0 +1,146 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.broker }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.broker.component }} +data: + # Metadata settings + zookeeperServers: "{{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }}" + {{- if .Values.pulsar_metadata.configurationStore }} + configurationStoreServers: "{{ template "pulsar.configurationStore.connect" . }}{{ .Values.pulsar_metadata.configurationStoreMetadataPrefix }}" + {{- end }} + {{- if not .Values.pulsar_metadata.configurationStore }} + configurationStoreServers: "{{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }}" + {{- end }} + + # Broker settings + clusterName: {{ template "pulsar.cluster.name" . }} + exposeTopicLevelMetricsInPrometheus: "true" + numHttpServerThreads: "8" + zooKeeperSessionTimeoutMillis: "30000" + statusFilePath: "{{ template "pulsar.home" . 
}}/status" + + # Function Worker Settings + # function worker configuration + {{- if not (or .Values.components.functions .Values.extra.functionsAsPods) }} + functionsWorkerEnabled: "false" + {{- end }} + {{- if or .Values.components.functions .Values.extra.functionsAsPods }} + functionsWorkerEnabled: "true" + PF_functionRuntimeFactoryClassName: "org.apache.pulsar.functions.runtime.kubernetes.KubernetesRuntimeFactory" + PF_pulsarFunctionsCluster: {{ template "pulsar.cluster.name" . }} + PF_connectorsDirectory: ./connectors + PF_containerFactory: k8s + PF_numFunctionPackageReplicas: "{{ .Values.broker.configData.managedLedgerDefaultEnsembleSize }}" + # support version >= 2.5.0 + PF_functionRuntimeFactoryConfigs_pulsarRootDir: {{ template "pulsar.home" . }} + PF_kubernetesContainerFactory_pulsarRootDir: {{ template "pulsar.home" . }} + PF_functionRuntimeFactoryConfigs_pulsarDockerImageName: "{{ .Values.images.functions.repository }}:{{ .Values.images.functions.tag }}" + PF_functionRuntimeFactoryConfigs_submittingInsidePod: "true" + PF_functionRuntimeFactoryConfigs_installUserCodeDependencies: "true" + PF_functionRuntimeFactoryConfigs_jobNamespace: {{ template "pulsar.namespace" . }} + PF_functionRuntimeFactoryConfigs_expectedMetricsCollectionInterval: "30" + {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }} + PF_functionRuntimeFactoryConfigs_pulsarAdminUrl: "http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }}/" + PF_functionRuntimeFactoryConfigs_pulsarServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }}/" + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + PF_functionRuntimeFactoryConfigs_pulsarAdminUrl: "https://{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }}/" + PF_functionRuntimeFactoryConfigs_pulsarServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}/" + {{- end }} + PF_functionRuntimeFactoryConfigs_changeConfigMap: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-config" + PF_functionRuntimeFactoryConfigs_changeConfigMapNamespace: {{ template "pulsar.namespace" . }} + # support version < 2.5.0 + PF_kubernetesContainerFactory_pulsarDockerImageName: "{{ .Values.images.functions.repository }}:{{ .Values.images.functions.tag }}" + PF_kubernetesContainerFactory_submittingInsidePod: "true" + PF_kubernetesContainerFactory_installUserCodeDependencies: "true" + PF_kubernetesContainerFactory_jobNamespace: {{ template "pulsar.namespace" . }} + PF_kubernetesContainerFactory_expectedMetricsCollectionInterval: "30" + {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }} + PF_kubernetesContainerFactory_pulsarAdminUrl: "http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }}/" + PF_kubernetesContainerFactory_pulsarServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }}/" + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + PF_kubernetesContainerFactory_pulsarAdminUrl: "https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }}/" + PF_kubernetesContainerFactory_pulsarServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}/" + {{- end }} + PF_kubernetesContainerFactory_changeConfigMap: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-config" + PF_kubernetesContainerFactory_changeConfigMapNamespace: {{ template "pulsar.namespace" . 
}} + {{- end }} + + # prometheus needs to access /metrics endpoint + webServicePort: "{{ .Values.broker.ports.http }}" + {{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }} + brokerServicePort: "{{ .Values.broker.ports.pulsar }}" + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + brokerServicePortTls: "{{ .Values.broker.ports.pulsarssl }}" + webServicePortTls: "{{ .Values.broker.ports.https }}" + # TLS Settings + tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt" + tlsKeyFilePath: "/pulsar/certs/broker/tls.key" + tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" + {{- end }} + + # Authentication Settings + {{- if .Values.auth.authentication.enabled }} + authenticationEnabled: "true" + {{- if .Values.auth.authorization.enabled }} + authorizationEnabled: "true" + superUserRoles: {{ .Values.auth.superUsers | values | join "," }} + {{- end }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + # token authentication configuration + authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken" + brokerClientAuthenticationParameters: "file:///pulsar/tokens/broker/token" + brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + tokenSecretKey: "file:///pulsar/keys/token/secret.key" + {{- else }} + tokenPublicKey: "file:///pulsar/keys/token/public.key" + {{- end }} + {{- end }} + {{- end }} + + {{- if and .Values.tls.enabled .Values.tls.bookie.enabled }} + # bookkeeper tls settings + bookkeeperTLSClientAuthentication: "true" + bookkeeperTLSKeyFileType: "PEM" + bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key" + bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt" + bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" + bookkeeperTLSTrustCertTypes: "PEM" + PULSAR_PREFIX_bookkeeperTLSClientAuthentication: "true" + PULSAR_PREFIX_bookkeeperTLSKeyFileType: "PEM" + 
PULSAR_PREFIX_bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key" + PULSAR_PREFIX_bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt" + PULSAR_PREFIX_bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" + PULSAR_PREFIX_bookkeeperTLSTrustCertTypes: "PEM" + # https://github.com/apache/bookkeeper/pull/2300 + bookkeeperUseV2WireProtocol: "false" + {{- end }} +{{ toYaml .Values.broker.configData | indent 2 }} +{{- end }} diff --git a/charts/pulsarv2/templates/broker-pdb.yaml b/charts/pulsarv2/templates/broker-pdb.yaml new file mode 100644 index 0000000..c03aca6 --- /dev/null +++ b/charts/pulsarv2/templates/broker-pdb.yaml 
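Review bot: `{{ toYaml .Values.broker.configData | indent 2 }}` at the end of `data:` appends user-supplied keys after the ones rendered above, so a key such as `authenticationEnabled` or `tlsKeyFilePath` placed in `broker.configData` yields a duplicate key in the ConfigMap and which value wins depends on the YAML parser that reads the manifest; either document that `configData` is meant to override the rendered settings or keep the two sets of keys disjoint. `superUserRoles: {{ .Values.auth.superUsers | values | join "," }}` and `clusterName: {{ template "pulsar.cluster.name" . }}` are emitted unquoted while every neighbouring value is quoted, so a role or cluster name that looks like a number or boolean would be retyped; `superUserRoles: "{{ .Values.auth.superUsers | values | join "," }}"` is safer. The plaintext `webServicePort` is kept even when broker TLS is enabled (the comment says for metrics), which also leaves the admin REST API reachable over http, and a comment stating that this is intentional would help the next reader.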
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.broker }}
+{{- if .Values.broker.pdb.usePolicy }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.broker.component }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.broker.component }}
+ maxUnavailable: {{ .Values.broker.pdb.maxUnavailable }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/broker-podmonitor.yaml b/charts/pulsarv2/templates/broker-podmonitor.yaml
new file mode 100644
index 0000000..515d218
--- /dev/null
+++ b/charts/pulsarv2/templates/broker-podmonitor.yaml
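Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget is no longer served on Kubernetes 1.25 and later, while `policy/v1` has been available since 1.21, so this template will fail to install on current clusters; the PodSecurityPolicy in the broker-rbac template of this commit has the same `policy/v1beta1` dependency. A capability check keeps the chart installable on both generations: `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`.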
@@ -0,0 +1,54 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# deploy broker PodMonitor only when `$.Values.broker.podMonitor.enabled` is true +{{- if $.Values.broker.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "pulsar.name" . }}-broker + labels: + app: {{ template "pulsar.name" . }} + chart: {{ template "pulsar.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + jobLabel: broker + podMetricsEndpoints: + - port: http + path: /metrics + scheme: http + interval: {{ $.Values.broker.podMonitor.interval }} + scrapeTimeout: {{ $.Values.broker.podMonitor.scrapeTimeout }} + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: kubernetes_namespace + - sourceLabels: [__meta_kubernetes_pod_label_component] + action: replace + targetLabel: job + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: kubernetes_pod_name + selector: + matchLabels: + component: broker +{{- end }} \ No newline at end of file 
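Review bot: `selector.matchLabels` hard-codes `component: broker` and omits the `app`/`release` labels that every other selector in this chart carries, so the PodMonitor silently stops matching when `broker.component` is overridden and, in a namespace shared by several releases, also scrapes the other releases' broker pods; use `component: {{ .Values.broker.component }}` together with the same `app`/`release` pair the broker Service selects on. The metadata labels are spelled out by hand instead of via `pulsar.standardLabels`, and the `{{- if .Values.components.broker }}` guard used by the other broker templates is missing, so a PodMonitor can be created for a broker that is not deployed. The file also ends without a trailing newline.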
diff --git a/charts/pulsarv2/templates/broker-rbac.yaml b/charts/pulsarv2/templates/broker-rbac.yaml
new file mode 100644
index 0000000..f3f3c00
--- /dev/null
+++ b/charts/pulsarv2/templates/broker-rbac.yaml
@@ -0,0 +1,127 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.functions .Values.extra.functionsAsPods }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +rules: +- apiGroups: [""] + resources: + - services + - configmaps + - pods + verbs: + - '*' +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - '*' +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" + namespace: {{ template "pulsar.namespace" . 
}} +{{- end }} + +{{- if and .Values.rbac.enabled .Values.rbac.psp }} +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end}} diff --git a/charts/pulsarv2/templates/broker-service-account.yaml b/charts/pulsarv2/templates/broker-service-account.yaml new file mode 100644 index 0000000..6be8b1d --- /dev/null +++ b/charts/pulsarv2/templates/broker-service-account.yaml 
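Review bot: The functions ClusterRole grants verbs `'*'` on pods, services, configmaps and statefulsets in every namespace and binds it through a ClusterRoleBinding, although the functions worker settings in the broker ConfigMap pin `jobNamespace` to the release namespace; cluster-wide pod creation is generally treated as equivalent to cluster-admin, so this should be a namespaced `Role`/`RoleBinding` (the other broker RBAC template already has a `rbac.limit_to_namespace` switch worth mirroring) with the verbs enumerated instead of wildcarded. The PodSecurityPolicy carries a `namespace:` under `metadata` although PSPs are cluster-scoped, so that line is ignored and can be dropped, and `policy/v1beta1` PodSecurityPolicy no longer exists on Kubernetes 1.25+, so the `rbac.psp` path should state which cluster versions it targets. `runAsUser: rule: 'RunAsAny'` also admits root containers; `MustRunAsNonRoot` would match the intent of the rest of the policy if the images support it.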
@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.broker }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.broker.component }}
+ annotations:
+{{- with .Values.broker.service_account.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/broker-service.yaml b/charts/pulsarv2/templates/broker-service.yaml
new file mode 100644
index 0000000..c31d74e
--- /dev/null
+++ b/charts/pulsarv2/templates/broker-service.yaml
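Review bot: `annotations:` is emitted unconditionally while the `with` block that fills it only renders when `broker.service_account.annotations` is set, so the default output is a bare `annotations:` (YAML null), which the API server tolerates but yamllint flags; moving the key inside the block, `{{- with .Values.broker.service_account.annotations }}` / `  annotations:` / `{{ toYaml . | indent 4 }}`, avoids it. This account is the subject of the broker RoleBinding/ClusterRoleBinding elsewhere in the commit, and a one-line comment here naming that dependency would help readers looking for why the broker has a dedicated account.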
@@ -0,0 +1,51 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.broker }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.broker.component }} + annotations: +{{ toYaml .Values.broker.service.annotations | indent 4 }} +spec: + ports: + # prometheus needs to access /metrics endpoint + - name: http + port: {{ .Values.broker.ports.http }} + {{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }} + - name: "{{ .Values.tcpPrefix }}pulsar" + port: {{ .Values.broker.ports.pulsar }} + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + - name: https + port: {{ .Values.broker.ports.https }} + - name: "{{ .Values.tlsPrefix }}pulsarssl" + port: {{ .Values.broker.ports.pulsarssl }} + {{- end }} + clusterIP: None + selector: + app: {{ template "pulsar.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.broker.component }} +{{- end }} 
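Review bot: The `selector` lists `app`/`release`/`component` by hand, whereas the StatefulSet's `selector.matchLabels` and pod labels come from the `pulsar.matchLabels`/`pulsar.template.labels` includes; if those helpers ever emit a different label set, this Service silently selects nothing. Using `{{- include "pulsar.matchLabels" . | nindent 4 }}` here, as the StatefulSet and PDB do, keeps the three in step (the helper's body is not in this commit, so confirm it emits exactly these keys).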
diff --git a/charts/pulsarv2/templates/broker-statefulset.yaml b/charts/pulsarv2/templates/broker-statefulset.yaml
new file mode 100644
index 0000000..3da522a
--- /dev/null
+++ b/charts/pulsarv2/templates/broker-statefulset.yaml
@@ -0,0 +1,281 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.broker }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.broker.component }} +spec: + serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + replicas: {{ .Values.broker.replicaCount }} + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.broker.component }} + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.broker.component }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.broker.ports.http }}" + {{- if .Values.broker.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/broker-configmap.yaml") . | sha256sum }} + {{- end }} +{{- with .Values.broker.annotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct" + {{- if .Values.broker.nodeSelector }} + nodeSelector: +{{ toYaml .Values.broker.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.broker.tolerations }} + tolerations: +{{ toYaml .Values.broker.tolerations | indent 8 }} + {{- end }} + affinity: + {{- if and .Values.affinity.anti_affinity .Values.broker.affinity.anti_affinity}} + podAntiAffinity: + {{ if eq .Values.broker.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}} + {{ .Values.broker.affinity.type }}: + - labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.broker.component }} + topologyKey: "kubernetes.io/hostname" + {{ else }} + {{ .Values.broker.affinity.type }}: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.broker.component }} + topologyKey: "kubernetes.io/hostname" + {{ end }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.broker.gracePeriod }} + initContainers: + # This init container will wait for zookeeper to be ready before + # deploying the bookies + - name: wait-zookeeper-ready + image: "{{ .Values.images.broker.repository }}:{{ .Values.images.broker.tag }}" + imagePullPolicy: {{ .Values.images.broker.pullPolicy }} + command: ["sh", "-c"] + args: + - >- + {{- include "pulsar.broker.zookeeper.tls.settings" . | nindent 12 }} + {{- if .Values.pulsar_metadata.configurationStore }} + until bin/bookkeeper org.apache.zookeeper.ZooKeeperMain -server {{ template "pulsar.configurationStore.connect" . 
}} get {{ .Values.configurationStoreMetadataPrefix }}/admin/clusters/{{ template "pulsar.cluster.name" . }}; do + {{- end }} + {{- if not .Values.pulsar_metadata.configurationStore }} + until bin/bookkeeper org.apache.zookeeper.ZooKeeperMain -server {{ template "pulsar.zookeeper.connect" . }} get {{ .Values.metadataPrefix }}/admin/clusters/{{ template "pulsar.cluster.name" . }}; do + {{- end }} + echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3; + done; + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end }} + volumeMounts: + {{- include "pulsar.broker.certs.volumeMounts" . | nindent 8 }} + # This init container will wait for bookkeeper to be ready before + # deploying the broker + - name: wait-bookkeeper-ready + image: "{{ .Values.images.broker.repository }}:{{ .Values.images.broker.tag }}" + imagePullPolicy: {{ .Values.images.broker.pullPolicy }} + command: ["sh", "-c"] + args: + - > + {{- include "pulsar.broker.zookeeper.tls.settings" . | nindent 12 }} + bin/apply-config-from-env.py conf/bookkeeper.conf; + until bin/bookkeeper shell whatisinstanceid; do + echo "bookkeeper cluster is not initialized yet. backoff for 3 seconds ..."; + sleep 3; + done; + echo "bookkeeper cluster is already initialized"; + bookieServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }} | grep Name | wc -l)"; + until [ ${bookieServiceNumber} -ge {{ .Values.broker.configData.managedLedgerDefaultEnsembleSize }} ]; do + echo "bookkeeper cluster {{ template "pulsar.cluster.name" . }} isn't ready yet ... check in 10 seconds ..."; + sleep 10; + bookieServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }} | grep Name | wc -l)"; + done; + echo "bookkeeper cluster is ready"; + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.bookkeeper.component }}" + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end }} + volumeMounts: + {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }} + containers: + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + image: "{{ .Values.images.broker.repository }}:{{ .Values.images.broker.tag }}" + imagePullPolicy: {{ .Values.images.broker.pullPolicy }} + {{- if .Values.broker.probe.liveness.enabled }} + livenessProbe: + httpGet: + path: /status.html + port: {{ .Values.broker.ports.http }} + initialDelaySeconds: {{ .Values.broker.probe.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.broker.probe.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.broker.probe.liveness.timeoutSeconds }} + failureThreshold: {{ .Values.broker.probe.liveness.failureThreshold }} + {{- end }} + {{- if .Values.broker.probe.readiness.enabled }} + readinessProbe: + httpGet: + path: /status.html + port: {{ .Values.broker.ports.http }} + initialDelaySeconds: {{ .Values.broker.probe.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.broker.probe.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.broker.probe.readiness.timeoutSeconds }} + failureThreshold: {{ .Values.broker.probe.readiness.failureThreshold }} + {{- end }} + {{- if .Values.broker.probe.startup.enabled }} + startupProbe: + httpGet: + path: /status.html + port: {{ .Values.broker.ports.http }} + initialDelaySeconds: {{ .Values.broker.probe.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.broker.probe.startup.periodSeconds }} + timeoutSeconds: {{ .Values.broker.probe.startup.timeoutSeconds }} + failureThreshold: {{ .Values.broker.probe.startup.failureThreshold }} + {{- end }} + {{- if .Values.broker.resources }} + resources: +{{ toYaml .Values.broker.resources | indent 10 }} + {{- end }} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/broker.conf; + 
bin/gen-yml-from-env.py conf/functions_worker.yml; + echo "OK" > status; + {{- include "pulsar.broker.zookeeper.tls.settings" . | nindent 10 }} + bin/pulsar zookeeper-shell -server {{ template "pulsar.zookeeper.connect" . }} get {{ template "pulsar.broker.znode" . }}; + while [ $? -eq 0 ]; do + echo "broker {{ template "pulsar.broker.hostname" . }} znode still exists ... check in 10 seconds ..."; + sleep 10; + bin/pulsar zookeeper-shell -server {{ template "pulsar.zookeeper.connect" . }} get {{ template "pulsar.broker.znode" . }}; + done; + cat conf/pulsar_env.sh; + OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar broker; + ports: + # prometheus needs to access /metrics endpoint + - name: http + containerPort: {{ .Values.broker.ports.http }} + {{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }} + - name: "{{ .Values.tcpPrefix }}pulsar" + containerPort: {{ .Values.broker.ports.pulsar }} + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + - name: https + containerPort: {{ .Values.broker.ports.https }} + - name: "{{ .Values.tlsPrefix }}pulsarssl" + containerPort: {{ .Values.broker.ports.pulsarssl }} + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + volumeMounts: + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - mountPath: "/pulsar/keys" + name: token-keys + readOnly: true + - mountPath: "/pulsar/tokens" + name: broker-token + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.broker.extraVolumeMounts }} +{{ toYaml .Values.broker.extraVolumeMounts | indent 10 }} + {{- end }} + {{- include "pulsar.broker.certs.volumeMounts" . 
| nindent 10 }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end }} + volumes: + {{- if .Values.broker.extraVolumes }} +{{ toYaml .Values.broker.extraVolumes | indent 6 }} + {{- end }} + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - name: token-keys + secret: + {{- if not .Values.auth.authentication.jwt.usingSecretKey }} + secretName: "{{ .Release.Name }}-token-asymmetric-key" + {{- end}} + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + secretName: "{{ .Release.Name }}-token-symmetric-key" + {{- end}} + items: + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + - key: SECRETKEY + path: token/secret.key + {{- else }} + - key: PUBLICKEY + path: token/public.key + {{- end}} + - name: broker-token + secret: + secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.broker }}" + items: + - key: TOKEN + path: broker/token + {{- end}} + {{- end}} + {{- include "pulsar.broker.certs.volumes" . | nindent 6 }} + {{- include "pulsar.imagePullSecrets" . | nindent 6}} +{{- end }} diff --git a/charts/pulsarv2/templates/dashboard-deployment.yaml b/charts/pulsarv2/templates/dashboard-deployment.yaml new file mode 100644 index 0000000..9a0a3a7 --- /dev/null +++ b/charts/pulsarv2/templates/dashboard-deployment.yaml 
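Review bot: In the `wait-zookeeper-ready` init container the configuration-store branch reads `{{ .Values.configurationStoreMetadataPrefix }}`, but the broker ConfigMap in this same commit takes the prefix from `.Values.pulsar_metadata.configurationStoreMetadataPrefix`; unless both keys exist in values, the znode path rendered here loses its prefix and the init container polls a path that never appears. The comment above that container says "before deploying the bookies" although this is the broker; `# wait for zookeeper to be ready before starting the broker` is what is meant. The `securityContext` blocks only set `readOnlyRootFilesystem: false` and only under `rbac.psp`; none of the three containers drop capabilities or set `allowPrivilegeEscalation: false` or `runAsNonRoot`, which is worth adding or at least recording as a known gap. The `-Dlog4j2.formatMsgNoLookups=true` in the final `exec` line is a log4j message-lookup mitigation whose sufficiency depends on the log4j version inside the image, so a short comment stating that intent would keep a later cleanup from dropping it.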
@@ -0,0 +1,68 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.extra.dashboard }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.dashboard.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.dashboard.component }}
+spec:
+ replicas: {{ .Values.dashboard.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "pulsar.name" . }}
+ release: {{ .Release.Name }}
+ component: {{ .Values.dashboard.component }}
+ template:
+ metadata:
+ labels:
+ {{- include "pulsar.template.labels" . | nindent 8 }}
+ component: {{ .Values.dashboard.component }}
+
+ annotations:
+{{ toYaml .Values.dashboard.annotations | indent 8 }}
+ spec:
+ {{- if .Values.dashboard.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.dashboard.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.dashboard.tolerations }}
+ tolerations:
+{{ toYaml .Values.dashboard.tolerations | indent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.dashboard.gracePeriod }}
+ containers:
+ - name: "{{ template "pulsar.fullname" .
}}-{{ .Values.dashboard.component }}"
+ image: "{{ .Values.dashboard.image.repository }}:{{ .Values.dashboard.image.tag }}"
+ imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }}
+ {{- if .Values.dashboard.resources }}
+ resources:
+{{ toYaml .Values.dashboard.resources | indent 10 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 80
+ env:
+ - name: SERVICE_URL
+ value: http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:8080/
+{{- end }}
diff --git a/charts/pulsarv2/templates/dashboard-ingress.yaml b/charts/pulsarv2/templates/dashboard-ingress.yaml
new file mode 100644
index 0000000..d4379e7
--- /dev/null
+++ b/charts/pulsarv2/templates/dashboard-ingress.yaml
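Review bot: `SERVICE_URL` hard-codes the broker HTTP port as `:8080/` while the broker container in this same commit publishes `containerPort: {{ .Values.broker.ports.http }}`, so an operator who changes `broker.ports.http` ends up with a dashboard pointing at a port the broker no longer listens on; render it from the same value, `value: http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }}/`. The pod spec sets no `securityContext`, whereas the prometheus deployment in this commit runs as uid 65534 with `runAsNonRoot: true`; the container listens on port 80, which presumably needs root inside that image, so confirm against the image before adding the same block here. `imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }}` is rendered unquoted, unlike the `image:` line above it; `| quote` keeps an empty value from collapsing to `null`.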
@@ -0,0 +1,65 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.extra.dashboard }}
+{{- if .Values.dashboard.ingress.enabled }}
+{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }}
+apiVersion: extensions/v1beta1
+{{- else }}
+apiVersion: networking.k8s.io/v1
+{{- end }}
+kind: Ingress
+metadata:
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.dashboard.component }}
+ annotations:
+{{- with .Values.dashboard.ingress.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.dashboard.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+{{- if .Values.dashboard.ingress.tls.enabled }}
+ tls:
+ - hosts:
+ - {{ .Values.dashboard.ingress.hostname }}
+ {{- with .Values.dashboard.ingress.tls.secretName }}
+ secretName: {{ . }}
+ {{- end }}
+{{- end }}
+ rules:
+ - host: {{ required "Dashboard ingress hostname not provided" .Values.dashboard.ingress.hostname }}
+ http:
+ paths:
+ - path: {{ .Values.dashboard.ingress.path }}
+ {{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }}
+ backend:
+ serviceName: "{{ template "pulsar.fullname" .
}}-{{ .Values.dashboard.component }}"
+ servicePort: {{ .Values.dashboard.ingress.port }}
+ {{- else }}
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.dashboard.component }}"
+ port:
+ number: {{ .Values.dashboard.ingress.port }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/dashboard-service.yaml b/charts/pulsarv2/templates/dashboard-service.yaml
new file mode 100644
index 0000000..b306ec7
--- /dev/null
+++ b/charts/pulsarv2/templates/dashboard-service.yaml
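Review bot: `path: {{ .Values.dashboard.ingress.path }}`, `secretName: {{ . }}` and the `hosts:` entry are rendered unquoted, so an all-digit secret name or a path that starts with a YAML indicator is retyped or fails to parse; `| quote` on each is the usual fix, e.g. `- path: {{ .Values.dashboard.ingress.path | quote }}`. `annotations:` is emitted unconditionally while the `with` guard below it may emit nothing, which renders `annotations:` with a null value — moving `annotations:` inside the `with` block (as grafana-ingress.yaml in this commit does) avoids that. When `tls.enabled` is true and `secretName` is empty the Ingress falls back to the controller's default certificate; that is valid, but worth a one-line comment in values.yaml so the fallback is a deliberate choice.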
@@ -0,0 +1,39 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.extra.dashboard }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.dashboard.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.dashboard.component }}
+ annotations:
+{{ toYaml .Values.dashboard.service.annotations | indent 4 }}
+spec:
+ ports:
+{{ toYaml .Values.dashboard.service.ports | indent 2 }}
+ clusterIP: None
+ selector:
+ app: {{ template "pulsar.name" . }}
+ release: {{ .Release.Name }}
+ component: {{ .Values.dashboard.component }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/function-worker-configmap.yaml b/charts/pulsarv2/templates/function-worker-configmap.yaml
new file mode 100644
index 0000000..186edad
--- /dev/null
+++ b/charts/pulsarv2/templates/function-worker-configmap.yaml
@@ -0,0 +1,32 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.functions }}
+## function config map
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-config"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.functions.component }}
+data:
+ pulsarDockerImageName: "{{ .Values.images.functions.repository }}:{{ .Values.images.functions.tag }}"
+{{- end }}
\ No newline at end of file
diff --git a/charts/pulsarv2/templates/grafana-admin-secret.yaml b/charts/pulsarv2/templates/grafana-admin-secret.yaml
new file mode 100644
index 0000000..d38e823
--- /dev/null
+++ b/charts/pulsarv2/templates/grafana-admin-secret.yaml
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.grafana .Values.extra.monitoring }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}-secret"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.grafana.component }}
+type: Opaque
+stringData:
+ {{- if .Values.grafana.admin}}
+ GRAFANA_ADMIN_PASSWORD: {{ .Values.grafana.admin.password | default "pulsar" }}
+ GRAFANA_ADMIN_USER: {{ .Values.grafana.admin.user | default "pulsar" }}
+ {{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/grafana-configmap.yaml b/charts/pulsarv2/templates/grafana-configmap.yaml
new file mode 100644
index 0000000..9d5fa71
--- /dev/null
+++ b/charts/pulsarv2/templates/grafana-configmap.yaml
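Review bot: The Grafana admin login falls back to the fixed pair `pulsar`/`pulsar` whenever `grafana.admin.password` is unset, and grafana-ingress.yaml in this commit can publish that login without any host restriction, so a well-known default is the wrong failure mode; `required "grafana.admin.password must be set"` or a generated value (`randAlphaNum 16`, guarded with `lookup` so an upgrade does not rotate it) are the usual alternatives. Both values are rendered unquoted into `stringData`, so a numeric or `yes`/`no`-looking password is retyped by the YAML parser — use `GRAFANA_ADMIN_PASSWORD: {{ .Values.grafana.admin.password | default "pulsar" | quote }}` and the same for the user. The keys are wrapped in `{{- if .Values.grafana.admin}}`, but grafana-deployment.yaml references `GRAFANA_ADMIN_USER` and `GRAFANA_ADMIN_PASSWORD` through `secretKeyRef` without `optional: true`, so with `grafana.admin` absent the Secret renders with no keys and the Grafana pod cannot start; either drop the guard or mark the references optional.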
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.grafana .Values.extra.monitoring }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.grafana.component }}
+data:
+{{ toYaml .Values.grafana.configData | indent 2 }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/grafana-deployment.yaml b/charts/pulsarv2/templates/grafana-deployment.yaml
new file mode 100644
index 0000000..86787d9
--- /dev/null
+++ b/charts/pulsarv2/templates/grafana-deployment.yaml
@@ -0,0 +1,91 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.grafana .Values.extra.monitoring }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.grafana.component }}
+spec:
+ replicas: {{ .Values.grafana.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.grafana.component }}
+ template:
+ metadata:
+ labels:
+ {{- include "pulsar.template.labels" . | nindent 8 }}
+ component: {{ .Values.grafana.component }}
+ annotations:
+ {{- if .Values.grafana.restartPodsOnConfigMapChange }}
+ checksum/config: {{ include (print $.Template.BasePath "/grafana-configmap.yaml") . | sha256sum }}
+ {{- end }}
+{{- with .Values.grafana.annotations }}
+{{ toYaml .
| indent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.grafana.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.grafana.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.grafana.tolerations }}
+ tolerations:
+{{ toYaml .Values.grafana.tolerations | indent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.grafana.gracePeriod }}
+ containers:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ image: "{{ .Values.images.grafana.repository }}:{{ .Values.images.grafana.tag }}"
+ imagePullPolicy: {{ .Values.images.grafana.pullPolicy }}
+ {{- if .Values.grafana.resources }}
+ resources:
+{{ toYaml .Values.grafana.resources | indent 10 }}
+ {{- end }}
+ ports:
+ - name: server
+ containerPort: {{ .Values.grafana.service.targetPort }}
+ envFrom:
+ - configMapRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ env:
+ # for supporting apachepulsar/pulsar-grafana
+ - name: PROMETHEUS_URL
+ value: http://{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}:9090/
+ # for supporting streamnative/apache-pulsar-grafana-dashboard
+ - name: PULSAR_PROMETHEUS_URL
+ value: http://{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}:9090/
+ - name: PULSAR_CLUSTER
+ value: {{ template "pulsar.fullname" . }}
+ - name: GRAFANA_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}-secret"
+ key: GRAFANA_ADMIN_USER
+ - name: GRAFANA_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}-secret"
+ key: GRAFANA_ADMIN_PASSWORD
+ {{- include "pulsar.imagePullSecrets" . | nindent 6}}
+{{- end }}
diff --git a/charts/pulsarv2/templates/grafana-ingress.yaml b/charts/pulsarv2/templates/grafana-ingress.yaml
new file mode 100644
index 0000000..f556726
--- /dev/null
+++ b/charts/pulsarv2/templates/grafana-ingress.yaml
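Review bot: `PROMETHEUS_URL` and `PULSAR_PROMETHEUS_URL` hard-code `:9090/` while prometheus-deployment.yaml in this commit exposes `containerPort: {{ .Values.prometheus.port }}`, so changing `prometheus.port` silently breaks the Grafana datasource; render `:{{ .Values.prometheus.port }}/` in both (prometheus-configmap.yaml's `targets: ['localhost:9090']` has the same coupling). `value: {{ template "pulsar.fullname" . }}` for `PULSAR_CLUSTER` is the only unquoted env value in the list; `| quote` keeps a release name such as `1234` a string. The pod has no `securityContext` even though the prometheus deployment in the same commit sets `runAsNonRoot: true` with uid 65534 — if the Grafana image supports a non-root uid, the same block here closes the gap. The two `secretKeyRef` entries lack `optional`, which matters because grafana-admin-secret.yaml renders its keys only when `grafana.admin` is set.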
@@ -0,0 +1,66 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.grafana .Values.extra.monitoring }}
+{{- if .Values.grafana.ingress.enabled }}
+{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }}
+apiVersion: extensions/v1beta1
+{{- else }}
+apiVersion: networking.k8s.io/v1
+{{- end }}
+kind: Ingress
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ app: {{ template "pulsar.name" . }}
+ chart: {{ template "pulsar.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- with .Values.grafana.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.grafana.ingress.tls }}
+ tls:
+{{ toYaml .Values.grafana.ingress.tls | indent 4 }}
+{{- end }}
+ rules:
+ - http:
+ paths:
+ - path: {{ .Values.grafana.ingress.path }}
+ {{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }}
+ backend:
+ serviceName: "{{ template "pulsar.fullname" .
}}-{{ .Values.grafana.component }}"
+ servicePort: {{ .Values.grafana.ingress.port }}
+ {{- else }}
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ port:
+ number: {{ .Values.grafana.ingress.port }}
+ {{- end }}
+ {{- if .Values.grafana.ingress.hostname }}
+ host: {{ .Values.grafana.ingress.hostname }}
+ {{- end }}
+
+ {{- end }}
+ {{- end }}
diff --git a/charts/pulsarv2/templates/grafana-service.yaml b/charts/pulsarv2/templates/grafana-service.yaml
new file mode 100644
index 0000000..4aa7f2d
--- /dev/null
+++ b/charts/pulsarv2/templates/grafana-service.yaml
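Review bot: The rule carries a `host` only when `grafana.ingress.hostname` is set, so by default this Ingress matches every hostname the controller serves and publishes the Grafana login — with the fixed default credentials from grafana-admin-secret.yaml — on any DNS name that reaches the cluster; dashboard-ingress.yaml in this commit uses `required "Dashboard ingress hostname not provided"` for the same field and the same guard belongs here, `host: {{ required "Grafana ingress hostname not provided" .Values.grafana.ingress.hostname }}`. The `labels:` block spells out `app`/`chart`/`release`/`heritage` by hand where every other template in the commit uses `{{- include "pulsar.standardLabels" . | nindent 4 }}`, so this resource misses whatever that helper adds. The two closing `{{- end }}` lines are indented, which is harmless after trimming but inconsistent with the column-0 control lines above them, and `path:`/`host:` are rendered unquoted where `| quote` would be safer.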
@@ -0,0 +1,48 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.grafana .Values.extra.monitoring }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.grafana.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.grafana.component }}
+ annotations:
+{{- with .Values.grafana.service.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.grafana.service.type }}
+ ports:
+ - name: server
+ port: {{ .Values.grafana.service.port }}
+ targetPort: {{ .Values.grafana.service.targetPort }}
+ protocol: TCP
+ selector:
+ {{- include "pulsar.matchLabels" . | nindent 4 }}
+ component: {{ .Values.grafana.component }}
+ sessionAffinity: None
+{{- if .Values.grafana.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.grafana.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/keytool.yaml b/charts/pulsarv2/templates/keytool.yaml
new file mode 100644
index 0000000..fb3af71
--- /dev/null
+++ b/charts/pulsarv2/templates/keytool.yaml
@@ -0,0 +1,105 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# script to process key/cert to keystore and truststore
+{{- if .Values.tls.zookeeper.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: keytool
+data:
+ keytool.sh: |
+ #!/bin/bash
+ component=$1
+ name=$2
+ isClient=$3
+ crtFile=/pulsar/certs/${component}/tls.crt
+ keyFile=/pulsar/certs/${component}/tls.key
+ caFile=/pulsar/certs/ca/ca.crt
+ p12File=/pulsar/${component}.p12
+ keyStoreFile=/pulsar/${component}.keystore.jks
+ trustStoreFile=/pulsar/${component}.truststore.jks
+
+ function checkFile() {
+ local file=$1
+ local len=$(wc -c ${file} | awk '{print $1}')
+ echo "processing ${file} : len = ${len}"
+ if [ ! -f ${file} ]; then
+ echo "${file} is not found"
+ return -1
+ fi
+ if [ $len -le 0 ]; then
+ echo "${file} is empty"
+ return -1
+ fi
+ }
+
+ function ensureFileNotEmpty() {
+ local file=$1
+ until checkFile ${file}; do
+ echo "file isn't initialized yet ... check in 3 seconds ..."
&& sleep 3;
+ done;
+ }
+
+ ensureFileNotEmpty ${crtFile}
+ ensureFileNotEmpty ${keyFile}
+ ensureFileNotEmpty ${caFile}
+
+ PASSWORD=$(head /dev/urandom | base64 | head -c 24)
+
+ openssl pkcs12 \
+ -export \
+ -in ${crtFile} \
+ -inkey ${keyFile} \
+ -out ${p12File} \
+ -name ${name} \
+ -passout "pass:${PASSWORD}"
+
+ keytool -importkeystore \
+ -srckeystore ${p12File} \
+ -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
+ -alias ${name} \
+ -destkeystore ${keyStoreFile} \
+ -deststorepass "${PASSWORD}"
+
+ keytool -import \
+ -file ${caFile} \
+ -storetype JKS \
+ -alias ${name} \
+ -keystore ${trustStoreFile} \
+ -storepass "${PASSWORD}" \
+ -trustcacerts -noprompt
+
+ ensureFileNotEmpty ${keyStoreFile}
+ ensureFileNotEmpty ${trustStoreFile}
+
+ if [[ "x${isClient}" == "xtrue" ]]; then
+ echo $'\n' >> conf/pulsar_env.sh
+ echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
+ echo $'\n' >> conf/bkenv.sh
+ echo "BOOKIE_EXTRA_OPTS=\"${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
+ else
+ echo $'\n' >> conf/pulsar_env.sh
+ echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
+ fi
+{{- end }}
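Review bot: `return -1` in `checkFile` is not a valid return status — `return` accepts 0–255, so older bash rejects `-1` as an invalid option (status 2) and newer versions wrap it to 255 — and the `until` loop in `ensureFileNotEmpty` only works because both outcomes happen to be non-zero; `return 1` states the intent. `local len=$(wc -c ${file} | awk '{print $1}')` runs before the `[ ! -f ${file} ]` guard, so every poll on a cert that is not mounted yet prints a `wc` error and evaluates `[ -le 0 ]` with an empty operand; move the `len` assignment below the existence check and quote `"${file}"` throughout, since the script runs with whatever `$1`..`$3` the caller passes. The keystore password ends up in JVM `-D` properties appended to `conf/pulsar_env.sh` / `conf/bkenv.sh`, which is how Pulsar consumes these settings but also makes it readable from the process command line inside the pod; a comment above `PASSWORD=` saying the value is per-start, protects only the on-disk store in the container, and never leaves the pod would document that trade-off. `p12File` is left on disk after the keystore import; an `rm -f ${p12File}` after the `keytool -importkeystore` call removes the redundant copy of the private key.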
diff --git a/charts/pulsarv2/templates/namespace.yaml b/charts/pulsarv2/templates/namespace.yaml
new file mode 100644
index 0000000..13f70bd
--- /dev/null
+++ b/charts/pulsarv2/templates/namespace.yaml
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.namespaceCreate }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ template "pulsar.namespace" . }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/prometheus-configmap.yaml b/charts/pulsarv2/templates/prometheus-configmap.yaml
new file mode 100644
index 0000000..ffe9660
--- /dev/null
+++ b/charts/pulsarv2/templates/prometheus-configmap.yaml
@@ -0,0 +1,66 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.prometheus.component }}
+data:
+ # Include prometheus configuration file, setup to monitor all the
+ # Kubernetes pods with the "scrape=true" annotation.
+ prometheus.yml: |
+ global:
+ scrape_interval: 15s
+ scrape_configs:
+ - job_name: 'prometheus'
+ static_configs:
+ - targets: ['localhost:9090']
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_label_component]
+ action: replace
+ target_label: job
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: kubernetes_pod_name
+{{- end }}
diff --git a/charts/pulsarv2/templates/prometheus-deployment.yaml b/charts/pulsarv2/templates/prometheus-deployment.yaml
new file mode 100644
index 0000000..f294b2a
--- /dev/null
+++ b/charts/pulsarv2/templates/prometheus-deployment.yaml
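Review bot: `kubernetes_sd_configs: - role: pod` has no `namespaces:` block, so this Prometheus discovers and scrapes every pod in the cluster that carries the `prometheus.io/scrape` annotation, and the ServiceAccount defined in prometheus-rbac.yaml has to be granted cluster-wide pod listing to make that work; restricting discovery to the release namespace with `namespaces:` / `names:` / `- {{ template "pulsar.namespace" . }}` under `role: pod` keeps both the scrape scope and the RBAC grant to what the chart actually needs, and the data-file comment above should then say "the chart's namespace" rather than "all the Kubernetes pods". `targets: ['localhost:9090']` hard-codes the self-scrape port while prometheus-deployment.yaml renders `containerPort: {{ .Values.prometheus.port }}`; `targets: ['localhost:{{ .Values.prometheus.port }}']` keeps the two in step. The config is embedded as a Helm-rendered block scalar, so `$1:$2` and `(.+)` are safe from template expansion, but it is worth a one-line comment noting that any future `{{` in a Prometheus relabel rule would need escaping.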
@@ -0,0 +1,97 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.prometheus.component }}
+spec:
+ replicas: {{ .Values.prometheus.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.prometheus.component }}
+ template:
+ metadata:
+ labels:
+ {{- include "pulsar.template.labels" . | nindent 8 }}
+ component: {{ .Values.prometheus.component }}
+ annotations:
+ {{- if .Values.prometheus.restartPodsOnConfigMapChange }}
+ checksum/config: {{ include (print $.Template.BasePath "/prometheus-configmap.yaml") .
| sha256sum }}
+ {{- end }}
+{{ toYaml .Values.prometheus.annotations | indent 8 }}
+ spec:
+ {{- if .Values.prometheus.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.prometheus.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.tolerations }}
+ tolerations:
+{{ toYaml .Values.prometheus.tolerations | indent 8 }}
+ {{- end }}
+ {{- if or .Values.prometheus.rbac.enabled .Values.prometheus_rbac }}
+ serviceAccount: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.prometheus.gracePeriod }}
+ containers:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"
+ image: "{{ .Values.images.prometheus.repository }}:{{ .Values.images.prometheus.tag }}"
+ imagePullPolicy: {{ .Values.images.prometheus.pullPolicy }}
+ {{- if .Values.prometheus.enableAdminApi }}
+ args:
+ - --web.enable-admin-api
+ {{- end }}
+ {{- if .Values.prometheus.resources }}
+ resources:
+{{ toYaml .Values.prometheus.resources | indent 10 }}
+ {{- end }}
+ ports:
+ - name: server
+ containerPort: {{ .Values.prometheus.port }}
+ volumeMounts:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-config"
+ mountPath: /etc/prometheus
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}"
+ mountPath: /prometheus
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ volumes:
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-config"
+ configMap:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"
+ {{- if not (and (and .Values.persistence .Values.volumes.persistence) .Values.prometheus.volumes.persistence) }}
+ - name: "{{ template "pulsar.fullname" .
}}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}"
+ emptyDir: {}
+ {{- end }}
+ {{- if and (and .Values.persistence .Values.volumes.persistence) .Values.prometheus.volumes.persistence }}
+ - name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}"
+ persistentVolumeClaim:
+ claimName: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}"
+ {{- end }}
+ {{- include "pulsar.imagePullSecrets" . | nindent 6}}
+{{- end }}
diff --git a/charts/pulsarv2/templates/prometheus-pvc.yaml b/charts/pulsarv2/templates/prometheus-pvc.yaml
new file mode 100644
index 0000000..ff9bb92
--- /dev/null
+++ b/charts/pulsarv2/templates/prometheus-pvc.yaml
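Review bot: `serviceAccount:` is the deprecated alias of the pod-spec field; `serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}"` is the supported spelling and the one linters flag. The ConfigMap mount at `/etc/prometheus` has no `readOnly: true` even though Prometheus only reads it; the data volume at `/prometheus` is the only one it writes, so marking the config mount read-only costs nothing. `--web.enable-admin-api` opens the TSDB delete/snapshot endpoints on the same unauthenticated listener as the query API, which is fine behind the ClusterIP but deserves a comment at the `enableAdminApi` branch saying it should stay off when the service is reachable through an ingress or LoadBalancer. The `{{- if not (and (and ...` / `{{- if and (and ...` pair tests the same expression twice; a single `if`/`else` guarantees exactly one data volume is rendered and keeps the condition from drifting (prometheus-pvc.yaml repeats it a third time).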
@@ -0,0 +1,40 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }} +{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.prometheus.volumes.persistence }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + resources: + requests: + storage: {{ .Values.prometheus.volumes.data.size }} + accessModes: [ "ReadWriteOnce" ] +{{- if .Values.prometheus.volumes.data.storageClassName }} + storageClassName: "{{ .Values.prometheus.volumes.data.storageClassName }}" +{{- else if and (not (and .Values.volumes.local_storage .Values.prometheus.volumes.data.local_storage)) .Values.prometheus.volumes.data.storageClass }} + storageClassName: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}" +{{- else if and .Values.volumes.local_storage .Values.prometheus.volumes.data.local_storage }} + storageClassName: "local-storage" +{{- end }} +{{- end }} +{{- end }} 
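Review bot: The PersistentVolumeClaim's `metadata:` carries no `labels:` block, unlike the Service and StorageClass templates in this commit that include `pulsar.standardLabels` and `component`, so the claim cannot be selected or cleaned up by label together with the rest of the release. Add `labels:` with `{{- include "pulsar.standardLabels" . | nindent 4 }}` and `component: {{ .Values.prometheus.component }}` under `metadata:`. Note also that a PVC created as a plain chart resource is removed on `helm uninstall` along with the Prometheus data it holds; if retention is intended, the `helm.sh/resource-policy: keep` annotation is the usual guard.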
diff --git a/charts/pulsarv2/templates/prometheus-rbac.yaml b/charts/pulsarv2/templates/prometheus-rbac.yaml new file mode 100644 index 0000000..8e3a166 --- /dev/null +++ b/charts/pulsarv2/templates/prometheus-rbac.yaml 
@@ -0,0 +1,59 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }} +{{- if or .Values.prometheus.rbac.enabled .Values.prometheus_rbac }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" +rules: +- apiGroups: [""] + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: ["get", "list", "watch"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" + namespace: {{ template "pulsar.namespace" . }} +{{- end }} +{{- end }} 
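Review bot: The ClusterRole and ClusterRoleBinding are named `{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}` with no namespace part, so two releases with the same release name in different namespaces render colliding cluster-scoped objects and the second install fails because the object is already owned by another release. Including the namespace in those names, e.g. `name: "{{ template "pulsar.fullname" . }}-{{ template "pulsar.namespace" . }}-{{ .Values.prometheus.component }}"`, on both objects and in `roleRef.name`, avoids that. The rule set also grants `nodes/proxy` cluster-wide, which lets the Prometheus ServiceAccount token reach every kubelet through the apiserver; if the bundled scrape config only discovers Pulsar pods, services and endpoints, that resource can be dropped to keep the binding least-privilege.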
diff --git a/charts/pulsarv2/templates/prometheus-service.yaml b/charts/pulsarv2/templates/prometheus-service.yaml new file mode 100644 index 0000000..8cbc1f9 --- /dev/null +++ b/charts/pulsarv2/templates/prometheus-service.yaml @@ -0,0 +1,40 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.prometheus.component }} + annotations: +{{ toYaml .Values.prometheus.service.annotations | indent 4 }} +spec: + clusterIP: None + ports: + - name: server + port: {{ .Values.prometheus.port }} + selector: + app: {{ template "pulsar.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.prometheus.component }} +{{- end }} diff --git a/charts/pulsarv2/templates/prometheus-storageclass.yaml b/charts/pulsarv2/templates/prometheus-storageclass.yaml new file mode 100644 index 0000000..8e2a5a3 --- /dev/null +++ b/charts/pulsarv2/templates/prometheus-storageclass.yaml 
@@ -0,0 +1,37 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.monitoring.prometheus .Values.extra.monitoring }} +{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.prometheus.volumes.persistence }} +{{- if .Values.prometheus.volumes.data.storageClass }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.prometheus.component }}-{{ .Values.prometheus.volumes.data.name }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.prometheus.component }} +provisioner: {{ .Values.prometheus.volumes.data.storageClass.provisioner }} +parameters: + type: {{ .Values.prometheus.volumes.data.storageClass.type }} + fsType: {{ .Values.prometheus.volumes.data.storageClass.fsType }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/proxy-configmap.yaml b/charts/pulsarv2/templates/proxy-configmap.yaml new file mode 100644 index 0000000..a069878 --- /dev/null +++ b/charts/pulsarv2/templates/proxy-configmap.yaml 
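Review bot: `namespace: {{ template "pulsar.namespace" . }}` is set on a StorageClass, which is cluster-scoped; the API server clears the namespace on such objects, so the field is noise at best and confuses tooling that diffs rendered manifests against the cluster. Drop the `namespace:` line from `metadata:`; the same applies to the PodSecurityPolicy in proxy-rbac.yaml further down. Because the name has no namespace part either, two releases with the same release name in different namespaces would render the same StorageClass name, so adding `{{ template "pulsar.namespace" . }}` to the name is worth considering.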
@@ -0,0 +1,83 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.proxy .Values.extra.proxy }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} +data: + clusterName: {{ template "pulsar.cluster.name" . }} + httpNumThreads: "8" + statusFilePath: "{{ template "pulsar.home" . }}/status" + # prometheus needs to access /metrics endpoint + webServicePort: "{{ .Values.proxy.ports.http }}" + {{- if or (not .Values.tls.enabled) (not .Values.tls.proxy.enabled) }} + servicePort: "{{ .Values.proxy.ports.pulsar }}" + brokerServiceURL: pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }} + brokerWebServiceURL: http://{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }} + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.proxy.enabled }} + tlsEnabledInProxy: "true" + servicePortTls: "{{ .Values.proxy.ports.pulsarssl }}" + webServicePortTls: "{{ .Values.proxy.ports.https }}" + tlsCertificateFilePath: "/pulsar/certs/proxy/tls.crt" + tlsKeyFilePath: "/pulsar/certs/proxy/tls.key" + tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + # if broker enables TLS, configure proxy to talk to broker using TLS + brokerServiceURLTLS: pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }} + brokerWebServiceURLTLS: https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }} + tlsEnabledWithBroker: "true" + tlsCertRefreshCheckDurationSec: "300" + brokerClientTrustCertsFilePath: "/pulsar/certs/ca/ca.crt" + {{- end }} + {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }} + brokerServiceURL: pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }} + brokerWebServiceURL: http://{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }} + {{- end }} + {{- end }} + + # Authentication Settings + {{- if .Values.auth.authentication.enabled }} + authenticationEnabled: "true" + {{- if .Values.auth.authorization.enabled }} + # disable authorization on proxy and forward authorization credentials to broker + authorizationEnabled: "false" + forwardAuthorizationCredentials: "true" + superUserRoles: {{ .Values.auth.superUsers | values | join "," }} + {{- end }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + # token authentication configuration + authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken" + brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token" + brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + tokenSecretKey: "file:///pulsar/keys/token/secret.key" + {{- else }} + tokenPublicKey: "file:///pulsar/keys/token/public.key" + {{- end }} + {{- end }} + {{- end }} +{{ toYaml .Values.proxy.configData | indent 2 }} +{{- end }} diff --git a/charts/pulsarv2/templates/proxy-ingress.yaml b/charts/pulsarv2/templates/proxy-ingress.yaml new file mode 100644 index 0000000..d4c9e94 --- /dev/null +++ b/charts/pulsarv2/templates/proxy-ingress.yaml 
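Review bot: `superUserRoles: {{ .Values.auth.superUsers | values | join "," }}` depends on sprig's `values`, which does not guarantee ordering, so the rendered string can differ between renders; since proxy-statefulset.yaml hashes this ConfigMap into `checksum/config` when `restartPodsOnConfigMapChange` is set, that can restart every proxy on an upgrade that changed nothing. Sort before joining and quote the result so a role containing YAML indicator characters cannot break the mapping: `superUserRoles: "{{ .Values.auth.superUsers | values | sortAlpha | join "," }}"`. A short comment above that line noting that the proxy forwards credentials and leaves authorization to the broker (`authorizationEnabled: "false"` plus `forwardAuthorizationCredentials: "true"`) would make the intent of that pairing clear to readers who take the `"false"` as a gap.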
@@ -0,0 +1,73 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.proxy.ingress.enabled }} +{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }} +apiVersion: extensions/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} + annotations: +{{- with .Values.proxy.ingress.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: +{{- if .Values.proxy.ingress.tls.enabled }} + tls: + - hosts: + - {{ .Values.proxy.ingress.hostname }} + {{- with .Values.proxy.ingress.tls.secretName }} + secretName: {{ . }} + {{- end }} +{{- end }} + rules: + - http: + paths: + - path: {{ .Values.proxy.ingress.path }} + {{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }} + backend: + serviceName: "{{ template "pulsar.fullname" . 
}}-{{ .Values.proxy.component }}" + {{- if and .Values.tls.enabled .Values.tls.proxy.enabled }} + servicePort: {{ .Values.proxy.ports.https }} + {{- else }} + servicePort: {{ .Values.proxy.ports.http }} + {{- end }} + {{- else }} + pathType: ImplementationSpecific + backend: + service: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + port: + {{- if and .Values.tls.enabled .Values.tls.proxy.enabled }} + number: {{ .Values.proxy.ports.https }} + {{- else }} + number: {{ .Values.proxy.ports.http }} + {{- end }} + {{- end }} + {{- if .Values.proxy.ingress.hostname }} + host: {{ .Values.proxy.ingress.hostname }} + {{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/proxy-pdb.yaml b/charts/pulsarv2/templates/proxy-pdb.yaml new file mode 100644 index 0000000..befdccc --- /dev/null +++ b/charts/pulsarv2/templates/proxy-pdb.yaml 
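Review bot: The `tls.hosts` entry `- {{ .Values.proxy.ingress.hostname }}` is emitted whenever `proxy.ingress.tls.enabled` is set, while `rules[].host` below is guarded by `{{- if .Values.proxy.ingress.hostname }}`; with TLS on and no hostname the list renders a null entry, which the API server rejects. Guard it the same way, `{{- if .Values.proxy.ingress.hostname }}` / `- {{ .Values.proxy.ingress.hostname | quote }}` / `{{- end }}`, and quote `secretName: {{ . }}` as well. Separately, when proxy TLS is enabled the backend port is `proxy.ports.https`, which only works if the ingress controller is told to speak TLS to the backend through `proxy.ingress.annotations`; a comment above the `backend:` lines saying so would spare users a confusing failure.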
@@ -0,0 +1,37 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.proxy .Values.extra.proxy }} +{{- if .Values.proxy.pdb.usePolicy }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} +spec: + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.proxy.component }} + maxUnavailable: {{ .Values.proxy.pdb.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/proxy-podmonitor.yaml b/charts/pulsarv2/templates/proxy-podmonitor.yaml new file mode 100644 index 0000000..18fd9ed --- /dev/null +++ b/charts/pulsarv2/templates/proxy-podmonitor.yaml 
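Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25, so on current clusters this template fails to apply whenever `proxy.pdb.usePolicy` is set. proxy-ingress.yaml in this same commit already switches API versions with `semverCompare` on `.Capabilities.KubeVersion.Version`; the same pattern here, selecting `policy/v1` when the server is at or above 1.21 and `policy/v1beta1` otherwise, keeps the chart installable on both old and new clusters. `policy/v1` uses the same `selector` and `maxUnavailable` fields, so the `spec:` does not need to change.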
@@ -0,0 +1,54 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# deploy proxy PodMonitor only when `$.Values.proxy.podMonitor.enabled` is true +{{- if $.Values.proxy.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "pulsar.name" . }}-proxy + labels: + app: {{ template "pulsar.name" . }} + chart: {{ template "pulsar.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + jobLabel: proxy + podMetricsEndpoints: + - port: http + path: /metrics + scheme: http + interval: {{ $.Values.proxy.podMonitor.interval }} + scrapeTimeout: {{ $.Values.proxy.podMonitor.scrapeTimeout }} + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: kubernetes_namespace + - sourceLabels: [__meta_kubernetes_pod_label_component] + action: replace + targetLabel: job + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: kubernetes_pod_name + selector: + matchLabels: + component: proxy +{{- end }} \ No newline at end of file 
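Review bot: The selector `matchLabels: component: proxy` and the name `{{ template "pulsar.name" . }}-proxy` are hard-coded, whereas every other proxy template in this commit uses `.Values.proxy.component` and `pulsar.fullname`; if `proxy.component` is overridden the PodMonitor matches no pods and scraping silently stops. Use `component: {{ .Values.proxy.component }}` in the selector and `name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"`. `metadata` also omits `namespace: {{ template "pulsar.namespace" . }}` and the `pulsar.standardLabels` include used elsewhere, so the object is not selectable with the rest of the release. The file also lacks a trailing newline.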
diff --git a/charts/pulsarv2/templates/proxy-rbac.yaml b/charts/pulsarv2/templates/proxy-rbac.yaml new file mode 100644 index 0000000..4b379db --- /dev/null +++ b/charts/pulsarv2/templates/proxy-rbac.yaml 
@@ -0,0 +1,89 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and .Values.rbac.enabled .Values.rbac.psp }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . 
}} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim + {{- end}} diff --git a/charts/pulsarv2/templates/proxy-service.yaml b/charts/pulsarv2/templates/proxy-service.yaml new file mode 100644 index 0000000..b9678f5 --- /dev/null +++ b/charts/pulsarv2/templates/proxy-service.yaml 
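Review bot: `kind: PodSecurityPolicy` under `apiVersion: policy/v1beta1` no longer exists on Kubernetes 1.25 and later, so with `rbac.psp` enabled the release fails to install there, and because the Role, ServiceAccount and RoleBinding share that `{{- if }}` the proxy's service account disappears with it. Gate the PSP document on the server actually serving that API, e.g. `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}`, or move the ServiceAccount out of the PSP-only condition. The policy is permissive — `runAsUser.rule: 'RunAsAny'` and `readOnlyRootFilesystem: false` — which appears to match what the proxy container needs, since its startup command writes `status` into the working directory; a comment above `spec:` stating that these two settings are required by the proxy's startup command would stop a later hardening pass from tightening them blindly.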
@@ -0,0 +1,56 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.proxy .Values.extra.proxy }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} + annotations: + {{- with .Values.proxy.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.proxy.service.type }} + ports: + {{- if or (not .Values.tls.enabled) (not .Values.tls.proxy.enabled) }} + - name: http + port: {{ .Values.proxy.ports.http }} + protocol: TCP + - name: "{{ .Values.tcpPrefix }}pulsar" + port: {{ .Values.proxy.ports.pulsar }} + protocol: TCP + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.proxy.enabled }} + - name: https + port: {{ .Values.proxy.ports.https }} + protocol: TCP + - name: "{{ .Values.tlsPrefix }}pulsarssl" + port: {{ .Values.proxy.ports.pulsarssl }} + protocol: TCP + {{- end }} + selector: + app: {{ template "pulsar.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.proxy.component }} +{{- end }} 
diff --git a/charts/pulsarv2/templates/proxy-statefulset.yaml b/charts/pulsarv2/templates/proxy-statefulset.yaml new file mode 100644 index 0000000..41f85de --- /dev/null +++ b/charts/pulsarv2/templates/proxy-statefulset.yaml 
@@ -0,0 +1,280 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.proxy .Values.extra.proxy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} +spec: + serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + replicas: {{ .Values.proxy.replicaCount }} + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.proxy.component }} + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.proxy.component }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.proxy.ports.http }}" + {{- if .Values.proxy.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/proxy-configmap.yaml") . | sha256sum }} + {{- end }} +{{- with .Values.proxy.annotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + {{- if .Values.proxy.nodeSelector }} + nodeSelector: +{{ toYaml .Values.proxy.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.proxy.tolerations }} + tolerations: +{{ toYaml .Values.proxy.tolerations | indent 8 }} + {{- end }} + affinity: + {{- if and .Values.affinity.anti_affinity .Values.proxy.affinity.anti_affinity}} + podAntiAffinity: + {{ if eq .Values.proxy.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}} + {{ .Values.proxy.affinity.type }}: + - labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.proxy.component }} + topologyKey: "kubernetes.io/hostname" + {{ else }} + {{ .Values.proxy.affinity.type }}: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.proxy.component }} + topologyKey: "kubernetes.io/hostname" + {{ end }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + {{- end}} + initContainers: + # This init container will wait for zookeeper to be ready before + # deploying the bookies + - name: wait-zookeeper-ready + image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}" + imagePullPolicy: {{ .Values.images.proxy.pullPolicy }} + command: ["sh", "-c"] + args: + - >- + {{- if $zk:=.Values.pulsar_metadata.userProvidedZookeepers }} + until bin/pulsar zookeeper-shell -server {{ $zk }} ls {{ or .Values.metadataPrefix "/" }}; do + echo "user provided zookeepers {{ $zk }} are unreachable... 
check in 3 seconds ..." && sleep 3; + done; + {{ else }} + until bin/pulsar zookeeper-shell -server {{ template "pulsar.configurationStore.service" . }} get {{ .Values.metadataPrefix }}/admin/clusters/{{ template "pulsar.cluster.name" . }}; do + sleep 3; + done; + {{- end}} + # This init container will wait for at least one broker to be ready before + # deploying the proxy + - name: wait-broker-ready + image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}" + imagePullPolicy: {{ .Values.images.proxy.pullPolicy }} + command: ["sh", "-c"] + args: + - >- + set -e; + brokerServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.broker.component }} | grep Name | wc -l)"; + until [ ${brokerServiceNumber} -ge 1 ]; do + echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 10 seconds ..."; + sleep 10; + brokerServiceNumber="$(nslookup -timeout=10 {{ template "pulsar.fullname" . }}-{{ .Values.broker.component }} | grep Name | wc -l)"; + done; + containers: + - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.proxy.component }}" + image: "{{ .Values.images.proxy.repository }}:{{ .Values.images.proxy.tag }}" + imagePullPolicy: {{ .Values.images.proxy.pullPolicy }} + {{- if .Values.proxy.probe.liveness.enabled }} + livenessProbe: + httpGet: + path: /status.html + port: {{ .Values.proxy.ports.http }} + initialDelaySeconds: {{ .Values.proxy.probe.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.proxy.probe.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.proxy.probe.liveness.timeoutSeconds }} + failureThreshold: {{ .Values.proxy.probe.liveness.failureThreshold }} + {{- end }} + {{- if .Values.proxy.probe.readiness.enabled }} + readinessProbe: + httpGet: + path: /status.html + port: {{ .Values.proxy.ports.http }} + initialDelaySeconds: {{ .Values.proxy.probe.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.proxy.probe.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.proxy.probe.readiness.timeoutSeconds }} + failureThreshold: {{ .Values.proxy.probe.readiness.failureThreshold }} + {{- end }} + {{- if .Values.proxy.probe.startup.enabled }} + startupProbe: + httpGet: + path: /status.html + port: {{ .Values.proxy.ports.http }} + initialDelaySeconds: {{ .Values.proxy.probe.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.proxy.probe.startup.periodSeconds }} + timeoutSeconds: {{ .Values.proxy.probe.startup.timeoutSeconds }} + failureThreshold: {{ .Values.proxy.probe.startup.failureThreshold }} + {{- end }} + {{- if .Values.proxy.resources }} + resources: +{{ toYaml .Values.proxy.resources | indent 10 }} + {{- end }} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/proxy.conf && + echo "OK" > status && + OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar proxy + ports: + # prometheus needs to access /metrics endpoint + - name: http + containerPort: {{ .Values.proxy.ports.http }} + {{- if or (not .Values.tls.enabled) (not .Values.tls.proxy.enabled) }} + - name: "{{ .Values.tcpPrefix 
}}pulsar" + containerPort: {{ .Values.proxy.ports.pulsar }} + {{- end }} + {{- if and (.Values.tls.enabled) (.Values.tls.proxy.enabled) }} + - name: https + containerPort: {{ .Values.proxy.ports.https }} + - name: "{{ .Values.tlsPrefix }}pulsarssl" + containerPort: {{ .Values.proxy.ports.pulsarssl }} + {{- end }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + {{- if or .Values.proxy.extraVolumeMounts .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }} + volumeMounts: + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - mountPath: "/pulsar/keys" + name: token-keys + readOnly: true + - mountPath: "/pulsar/tokens" + name: proxy-token + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.tls.proxy.enabled }} + - mountPath: "/pulsar/certs/proxy" + name: proxy-certs + readOnly: true + {{- end}} + {{- if .Values.tls.enabled }} + - mountPath: "/pulsar/certs/ca" + name: ca + readOnly: true + {{- end}} + {{- if .Values.proxy.extraVolumeMounts }} +{{ toYaml .Values.proxy.extraVolumeMounts | indent 10 }} + {{- end }} + {{- end}} + {{- include "pulsar.imagePullSecrets" . 
| nindent 6}} + {{- if or .Values.proxy.extraVolumes .Values.auth.authentication.enabled (and .Values.tls.enabled .Values.tls.proxy.enabled) }} + volumes: + {{- if .Values.proxy.extraVolumes }} +{{ toYaml .Values.proxy.extraVolumes | indent 8 }} + {{- end }} + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - name: token-keys + secret: + {{- if not .Values.auth.authentication.jwt.usingSecretKey }} + secretName: "{{ .Release.Name }}-token-asymmetric-key" + {{- end}} + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + secretName: "{{ .Release.Name }}-token-symmetric-key" + {{- end}} + items: + {{- if .Values.auth.authentication.jwt.usingSecretKey }} + - key: SECRETKEY + path: token/secret.key + {{- else }} + - key: PUBLICKEY + path: token/public.key + {{- end}} + - name: proxy-token + secret: + secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.proxy }}" + items: + - key: TOKEN + path: proxy/token + {{- end}} + {{- end}} + {{- if .Values.tls.proxy.enabled }} + - name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt + - name: proxy-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end}} + {{- end}} +{{- end }} diff --git a/charts/pulsarv2/templates/pulsar-cluster-initialize.yaml b/charts/pulsarv2/templates/pulsar-cluster-initialize.yaml new file mode 100644 index 0000000..8f0c0a0 --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-cluster-initialize.yaml 
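Review bot: The `ca` volumeMount is emitted under `{{- if .Values.tls.enabled }}` and `proxy-certs` under `{{- if .Values.tls.proxy.enabled }}`, but the matching volumes at the end of the hunk are rendered only when the outer `volumes:` gate sees `and .Values.tls.enabled .Values.tls.proxy.enabled` and the inner one sees `.Values.tls.proxy.enabled`; with `tls.enabled` true and `tls.proxy.enabled` false (which the `volumeMounts:` gate admits through `tls.broker.enabled`) the pod references a `ca` volume that does not exist and the StatefulSet is rejected. Use one condition on both sides, `{{- if and .Values.tls.enabled .Values.tls.proxy.enabled }}` for the proxy-certs and ca mounts and volumes, or define the `ca` volume under plain `.Values.tls.enabled` if the broker-TLS-only case is meant to work. The init-container comment `# deploying the bookies` is copied from the bookkeeper template and should read `# deploying the proxy`. The pod also has no pod-level `securityContext` (`runAsNonRoot`), unlike the Prometheus StatefulSet earlier in this commit; if the proxy image supports a non-root user that is worth adding.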
@@ -0,0 +1,113 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Release.IsInstall .Values.initialize }} +{{- if .Values.components.broker }} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_metadata.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . 
| nindent 4 }} + component: {{ .Values.pulsar_metadata.component }} +spec: + template: + spec: + initContainers: + {{- if .Values.pulsar_metadata.configurationStore }} + - name: wait-cs-ready + image: "{{ .Values.pulsar_metadata.image.repository }}:{{ .Values.pulsar_metadata.image.tag }}" + imagePullPolicy: {{ .Values.pulsar_metadata.image.pullPolicy }} + command: ["sh", "-c"] + args: + - >- + until nslookup {{ .Values.pulsar_metadata.configurationStore}}; do + sleep 3; + done; + + {{- end }} + - name: wait-zookeeper-ready + image: "{{ .Values.pulsar_metadata.image.repository }}:{{ .Values.pulsar_metadata.image.tag }}" + imagePullPolicy: {{ .Values.pulsar_metadata.image.pullPolicy }} + command: ["sh", "-c"] + args: + - >- + {{- if $zk:=.Values.pulsar_metadata.userProvidedZookeepers }} + until bin/pulsar zookeeper-shell -server {{ $zk }} ls {{ or .Values.metadataPrefix "/" }}; do + echo "user provided zookeepers {{ $zk }} are unreachable... check in 3 seconds ..." && sleep 3; + done; + {{ else }} + until nslookup {{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ add (.Values.zookeeper.replicaCount | int) -1 }}.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}; do + sleep 3; + done; + {{- end}} + # This initContainer will wait for bookkeeper initnewcluster to complete + # before initializing pulsar metadata + - name: pulsar-bookkeeper-verify-clusterid + image: "{{ .Values.pulsar_metadata.image.repository }}:{{ .Values.pulsar_metadata.image.tag }}" + imagePullPolicy: {{ .Values.pulsar_metadata.image.pullPolicy }} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/bookkeeper.conf; + {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} + until bin/bookkeeper shell whatisinstanceid; do + sleep 3; + done; + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.bookkeeper.component }}" + volumeMounts: + {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }} + containers: + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_metadata.component }}" + image: "{{ .Values.pulsar_metadata.image.repository }}:{{ .Values.pulsar_metadata.image.tag }}" + imagePullPolicy: {{ .Values.pulsar_metadata.image.pullPolicy }} + {{- if .Values.pulsar_metadata.resources }} + resources: +{{ toYaml .Values.pulsar_metadata.resources | indent 10 }} + {{- end }} + command: ["sh", "-c"] + args: + - | + {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 12 }} + bin/pulsar initialize-cluster-metadata \ + --cluster {{ template "pulsar.cluster.name" . }} \ + --zookeeper {{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }} \ + {{- if .Values.pulsar_metadata.configurationStore }} + --configuration-store {{ template "pulsar.configurationStore.connect" . }}{{ .Values.pulsar_metadata.configurationStoreMetadataPrefix }} \ + {{- end }} + {{- if not .Values.pulsar_metadata.configurationStore }} + --configuration-store {{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }} \ + {{- end }} + --web-service-url http://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.broker.ports.http }}/ \ + --web-service-url-tls https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.broker.ports.https }}/ \ + --broker-service-url pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.broker.ports.pulsar }}/ \ + --broker-service-url-tls pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . 
}}.svc.{{ .Values.clusterDomain }}:{{ .Values.broker.ports.pulsarssl }}/ ; + {{- if .Values.extraInitCommand }} + {{ .Values.extraInitCommand }} + {{- end }} + volumeMounts: + {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }} + volumes: + {{- include "pulsar.toolset.certs.volumes" . | nindent 6 }} + restartPolicy: OnFailure +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/pulsar-manager-admin-secret.yaml b/charts/pulsarv2/templates/pulsar-manager-admin-secret.yaml new file mode 100644 index 0000000..be31a47 --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-manager-admin-secret.yaml 
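Review bot: In the metadata container's `- |` script, a configured `extraInitCommand` is appended after `initialize-cluster-metadata … ;`, so the container's exit status becomes that of the extra command and a failed metadata initialization is reported as a successful Job. Start the script with `set -e` (and do the same in the init-container scripts) so any failing step terminates the container and `restartPolicy: OnFailure` actually retries. The Job also sets no `backoffLimit` or `activeDeadlineSeconds`, and the `until … sleep 3` loops in the init containers never give up, so a wrong `userProvidedZookeepers` or `configurationStore` value leaves the Job running indefinitely with no failure signal. `userProvidedZookeepers` and `extraInitCommand` are spliced into the `sh -c` script unquoted; they come from values, so treat them as operator-trusted, but say so in values.yaml.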
@@ -0,0 +1,39 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and (or .Values.components.pulsar_manager .Values.extra.pulsar_manager) (not .Values.pulsar_manager.existingSecretName) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret" + namespace: {{ template "pulsar.namespace" . }} + labels: + app: {{ template "pulsar.name" . }} + chart: {{ template "pulsar.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: {{ .Values.pulsar_manager.component }} + cluster: {{ template "pulsar.fullname" . }} +type: Opaque +data: + {{- if .Values.pulsar_manager.admin}} + PULSAR_MANAGER_ADMIN_PASSWORD: {{ .Values.pulsar_manager.admin.password | default "pulsar" | b64enc }} + PULSAR_MANAGER_ADMIN_USER: {{ .Values.pulsar_manager.admin.user | default "pulsar" | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/pulsar-manager-configmap.yaml b/charts/pulsarv2/templates/pulsar-manager-configmap.yaml new file mode 100644 index 0000000..6154265 --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-manager-configmap.yaml 
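Review bot: `PULSAR_MANAGER_ADMIN_PASSWORD` falls back to the literal `pulsar` when `pulsar_manager.admin.password` is unset, so an operator who enables pulsar-manager and publishes it through this chart's Service or Ingress gets an admin UI with the well-known `pulsar`/`pulsar` credentials. Prefer failing the render instead: `PULSAR_MANAGER_ADMIN_PASSWORD: {{ required "pulsar_manager.admin.password must be set (or use existingSecretName)" .Values.pulsar_manager.admin.password | b64enc }}`. Also, when `pulsar_manager.admin` is absent the `if` guard renders a Secret with no `data` keys at all, and the Deployment's `secretKeyRef` to `PULSAR_MANAGER_ADMIN_USER` then fails at container start; either drop the guard or make the whole Secret conditional on `admin` being set.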
@@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.pulsar_manager .Values.extra.pulsar_manager }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.pulsar_manager.component }} +data: +{{ toYaml .Values.pulsar_manager.configData | indent 2 }} +{{- end }} diff --git a/charts/pulsarv2/templates/pulsar-manager-deployment.yaml b/charts/pulsarv2/templates/pulsar-manager-deployment.yaml new file mode 100644 index 0000000..7dead79 --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-manager-deployment.yaml 
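Review bot: `pulsar_manager.configData` is rendered verbatim into a ConfigMap that the Deployment consumes via `envFrom`, so anything an operator puts there becomes a plaintext environment variable readable by any principal with `get configmaps` in the namespace. If that map is where pulsar-manager's backend datasource credentials are expected to go (the values file is not in this diff), document that such entries belong in a Secret referenced through `secretRef` instead. A comment above `data:` such as `# Non-sensitive settings only: this ConfigMap is exposed to the pod as environment variables.` would make the boundary explicit.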
@@ -0,0 +1,97 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.pulsar_manager .Values.extra.pulsar_manager }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.pulsar_manager.component }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.pulsar_manager.component }} + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.pulsar_manager.component }} + annotations: + {{- if .Values.pulsar_manager.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/pulsar-manager-configmap.yaml") . 
| sha256sum }} + {{- end }} +{{ toYaml .Values.pulsar_manager.annotations | indent 8 }} + spec: + {{- if .Values.pulsar_manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pulsar_manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.pulsar_manager.tolerations }} + tolerations: +{{ toYaml .Values.pulsar_manager.tolerations | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.pulsar_manager.gracePeriod }} + containers: + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + image: "{{ .Values.images.pulsar_manager.repository }}:{{ .Values.images.pulsar_manager.tag }}" + imagePullPolicy: {{ .Values.images.pulsar_manager.pullPolicy }} + {{- if .Values.pulsar_manager.resources }} + resources: +{{ toYaml .Values.pulsar_manager.resources | indent 12 }} + {{- end }} + ports: + - containerPort: {{ .Values.pulsar_manager.service.targetPort }} + volumeMounts: + - name: pulsar-manager-data + mountPath: /data + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + env: + - name: PULSAR_CLUSTER + value: {{ template "pulsar.fullname" . }} + - name: USERNAME + valueFrom: + secretKeyRef: + key: PULSAR_MANAGER_ADMIN_USER + {{- if .Values.pulsar_manager.existingSecretName }} + name: "{{ .Values.pulsar_manager.existingSecretName }}" + {{- else }} + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret" + {{- end }} + - name: PASSWORD + valueFrom: + secretKeyRef: + key: PULSAR_MANAGER_ADMIN_PASSWORD + {{- if .Values.pulsar_manager.existingSecretName }} + name: "{{ .Values.pulsar_manager.existingSecretName }}" + {{- else }} + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret" + {{- end }} + {{- include "pulsar.imagePullSecrets" . | nindent 6}} + volumes: + - name: pulsar-manager-data + emptyDir: {} + +{{- end }} 
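Review bot: The pulsar-manager container runs with no pod or container `securityContext` and no readiness/liveness probes, so it inherits cluster defaults (root user, writable root filesystem, full capability set) for the one component that holds the admin credentials and is meant to be reachable through an Ingress; add at least `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` (the image's UID is not visible here, so confirm it runs as non-root first). The `checksum/config` annotation hashes only `pulsar-manager-configmap.yaml`, so rotating the admin credentials in the generated Secret does not roll the pods; add `checksum/secret: {{ include (print $.Template.BasePath "/pulsar-manager-admin-secret.yaml") . | sha256sum }}` under the same guard. `/data` is an `emptyDir`, so whatever pulsar-manager persists there is lost on every restart — worth a comment if that is intentional.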
diff --git a/charts/pulsarv2/templates/pulsar-manager-ingress.yaml b/charts/pulsarv2/templates/pulsar-manager-ingress.yaml new file mode 100644 index 0000000..0de8ebc --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-manager-ingress.yaml 
@@ -0,0 +1,65 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.pulsar_manager.ingress.enabled }} +{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }} +apiVersion: extensions/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.pulsar_manager.component }} + annotations: +{{- with .Values.pulsar_manager.ingress.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: +{{- if .Values.pulsar_manager.ingress.tls.enabled }} + tls: + - hosts: + - {{ .Values.pulsar_manager.ingress.hostname }} + {{- with .Values.pulsar_manager.ingress.tls.secretName }} + secretName: {{ . }} + {{- end }} +{{- end }} + rules: + - http: + paths: + - path: {{ .Values.pulsar_manager.ingress.path }} + {{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }} + backend: + serviceName: "{{ template "pulsar.fullname" . 
}}-{{ .Values.pulsar_manager.component }}" + servicePort: {{ .Values.pulsar_manager.service.targetPort }} + {{- else }} + pathType: ImplementationSpecific + backend: + service: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + port: + number: {{ .Values.pulsar_manager.service.targetPort }} + {{- end }} + {{- if .Values.pulsar_manager.ingress.hostname }} + host: {{ .Values.pulsar_manager.ingress.hostname }} + {{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/pulsar-manager-service.yaml b/charts/pulsarv2/templates/pulsar-manager-service.yaml new file mode 100644 index 0000000..ae02f19 --- /dev/null +++ b/charts/pulsarv2/templates/pulsar-manager-service.yaml 
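Review bot: When `ingress.tls.enabled` is set but `ingress.hostname` is empty, the `tls.hosts` list renders a null entry while the rule's `host` is omitted, producing a manifest the API server rejects or, on lenient controllers, TLS served on the default certificate for a host-less rule. Tie the two together with `- {{ required "pulsar_manager.ingress.hostname is required when ingress.tls.enabled" .Values.pulsar_manager.ingress.hostname }}`. With `pathType: ImplementationSpecific` the meaning of `ingress.path` depends on the controller (some treat it as a regex); `Prefix` is the predictable choice for a UI path. Note this exposes an admin UI whose chart-generated Secret defaults to `pulsar`/`pulsar` when no password is set.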
@@ -0,0 +1,46 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.pulsar_manager .Values.extra.pulsar_manager }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.pulsar_manager.component }} + annotations: +{{ toYaml .Values.pulsar_manager.service.annotations | indent 4 }} +spec: + type: {{ .Values.pulsar_manager.service.type }} + ports: + - name: server + port: {{ .Values.pulsar_manager.service.port }} + targetPort: {{ .Values.pulsar_manager.service.targetPort }} + protocol: TCP + selector: + app: {{ template "pulsar.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.pulsar_manager.component }} +{{- if .Values.pulsar_manager.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.pulsar_manager.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/tls-cert-internal-issuer.yaml b/charts/pulsarv2/templates/tls-cert-internal-issuer.yaml new file mode 100644 index 0000000..e9c3a2f 
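Review bot: The Service selector hardcodes `app`, `release` and `component` while the Deployment's `matchLabels` in this chart comes from `include "pulsar.matchLabels"`; presumably that helper emits the same three labels today, but if it ever diverges the Service silently selects no pods. Use the same helper here: `selector:` followed by `{{- include "pulsar.matchLabels" . | nindent 4 }}` and `component: {{ .Values.pulsar_manager.component }}`. Separately, `service.type` is passed through unchecked, so a `LoadBalancer`/`NodePort` value publishes the manager UI (with the chart's default admin credentials) beyond the cluster, and `loadBalancerSourceRanges` is only applied when provided; document in values.yaml that it should accompany any non-ClusterIP type.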
--- /dev/null +++ b/charts/pulsarv2/templates/tls-cert-internal-issuer.yaml 
@@ -0,0 +1,64 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.certs.internal_issuer.enabled }} +{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Issuer +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + selfSigned: {} +--- + +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-ca" + namespace: {{ template "pulsar.namespace" . }} +spec: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + duration: "{{ .Values.certs.internal_issuer.duration }}" + renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}" + usages: + - server auth + - client auth + isCA: true + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. 
a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- + +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Issuer +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + namespace: {{ template "pulsar.namespace" . }} +spec: + ca: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/tls-certs-internal.yaml b/charts/pulsarv2/templates/tls-certs-internal.yaml new file mode 100644 index 0000000..a766b3d --- /dev/null +++ b/charts/pulsarv2/templates/tls-certs-internal.yaml 
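Review bot: The CA `Certificate` sets no key algorithm or size, so the root key is whatever cert-manager defaults to, while the leaf certificates in this chart honor `tls.common.keyAlgorithm`/`keySize`; the trust root should be at least as strong as what it signs. Add the same knobs here, e.g. `keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}` and `keySize: {{ .Values.tls.common.keySize }}` (or `privateKey.algorithm`/`size` if `certs.internal_issuer.apiVersion` is `cert-manager.io/v1`, where the top-level fields no longer exist; the value is not pinned here). The CA's `tls.key` lives in the `{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}` Secret that the component pods mount with `items: [ca.crt]`, which correctly keeps the key out of the pods; a comment noting that namespace-level `get secrets` equals the ability to mint certificates for any component would help operators scope RBAC.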
@@ -0,0 +1,265 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.tls.enabled }} +{{- if .Values.certs.internal_issuer.enabled }} + +{{- if .Values.tls.proxy.enabled }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + # At least one of a DNS Name, USI SAN, or IP address is required. + dnsNames: + - "*.{{ template "pulsar.fullname" . 
}}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" +{{- if .Values.tls.proxy.dnsNames }} +{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }} +{{- end }} + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- +{{- end }} + +{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + # At least one of a DNS Name, USI SAN, or IP address is required. 
+ dnsNames: +{{- if .Values.tls.broker.dnsNames }} +{{ toYaml .Values.tls.broker.dnsNames | indent 4 }} +{{- end}} + - "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- +{{- end }} + +{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + dnsNames: +{{- if .Values.tls.bookie.dnsNames }} +{{ toYaml .Values.tls.bookie.dnsNames | indent 4 }} +{{- end }} + - "*.{{ template "pulsar.fullname" . 
}}-{{ .Values.bookkeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- +{{- end }} + +{{- if .Values.tls.zookeeper.enabled }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.autorecovery.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + dnsNames: +{{- if .Values.tls.autorecovery.dnsNames }} +{{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }} +{{- end }} + - "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . 
}}-{{ .Values.autorecovery.component }}" + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + dnsNames: +{{- if .Values.tls.toolset.dnsNames }} +{{ toYaml .Values.tls.toolset.dnsNames | indent 4 }} +{{- end }} + - "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. 
+ # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io +--- +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + # Secret names are always required. + secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}" + duration: "{{ .Values.tls.common.duration }}" + renewBefore: "{{ .Values.tls.common.renewBefore }}" + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + isCA: false + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + dnsNames: +{{- if .Values.tls.zookeeper.dnsNames }} +{{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }} +{{- end }} + - "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. 
+ group: cert-manager.io +{{- end }} + +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/toolset-configmap.yaml b/charts/pulsarv2/templates/toolset-configmap.yaml new file mode 100644 index 0000000..7a1cafe --- /dev/null +++ b/charts/pulsarv2/templates/toolset-configmap.yaml 
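Review bot: Every leaf `Certificate` here uses top-level `organization`, `keySize`, `keyAlgorithm` and `keyEncoding`, which are the v1alpha2/v1alpha3/v1beta1 field names; if `certs.internal_issuer.apiVersion` (not visible in this diff) is `cert-manager.io/v1`, those fields are `subject.organizations` and `privateKey.{size,algorithm,encoding}`, the API server prunes the unknown keys, and the certs silently fall back to the default key instead of `tls.common.*`. Either pin the supported apiVersion in values or branch on it in the template. Also, every component certificate — bookie, zookeeper, autorecovery, toolset — is issued with both `server auth` and `client auth` from the same CA, so any component's key can present itself as a server to any other; that is only safe when clients verify the hostname, which the toolset config in this chart turns off.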
@@ -0,0 +1,70 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.toolset }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.toolset.component }} +data: + BOOKIE_LOG_APPENDER: "RollingFile" + {{- include "pulsar.bookkeeper.config.common" . | nindent 2 }} + {{- if not .Values.toolset.useProxy }} + # talk to broker + {{- if and .Values.tls.enabled .Values.tls.broker.enabled }} + webServiceUrl: "https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }}/" + brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}/" + useTls: "true" + tlsAllowInsecureConnection: "false" + tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt" + tlsEnableHostnameVerification: "false" + {{- end }} + {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }} + webServiceUrl: "http://{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}:{{ .Values.broker.ports.http }}/" + brokerServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }}/" + {{- end }} + {{- end }} + {{- if .Values.toolset.useProxy }} + # talk to proxy + {{- if and .Values.tls.enabled .Values.tls.proxy.enabled }} + webServiceUrl: "https://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.https }}/" + brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.pulsarssl }}/" + useTls: "true" + tlsAllowInsecureConnection: "false" + tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt" + tlsEnableHostnameVerification: "false" + {{- end }} + {{- if not (and .Values.tls.enabled .Values.tls.proxy.enabled) }} + webServiceUrl: "http://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.http }}/" + brokerServiceUrl: "pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.pulsar }}/" + {{- end }} + {{- end }} + # Authentication Settings + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + authParams: "file:///pulsar/tokens/client/token" + authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken" + {{- end }} + {{- end }} +{{ toYaml .Values.toolset.configData | indent 2 }} +{{- end }} diff --git a/charts/pulsarv2/templates/toolset-rbac.yaml b/charts/pulsarv2/templates/toolset-rbac.yaml new file mode 100644 index 0000000..ab0f931 --- /dev/null +++ b/charts/pulsarv2/templates/toolset-rbac.yaml 
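Review bot: Both the broker and the proxy TLS branches hard-code `tlsEnableHostnameVerification: "false"`, so the toolset client accepts any certificate signed by the trusted CA regardless of which host presents it, which gives up the server-identity half of TLS. The chart's own certificates carry the service name and a wildcard in `dnsNames` (see the zookeeper Certificate earlier in this patch), so verification against the in-cluster names should work; I would render `tlsEnableHostnameVerification: "true"` and, if some deployments use external certificates without matching SANs, expose the switch through a values key (name to be chosen) rather than defaulting it off. `tlsAllowInsecureConnection: "false"` does not cover this case, as it only governs acceptance of certificates outside the trust store.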
@@ -0,0 +1,89 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and .Values.rbac.enabled .Values.rbac.psp }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . 
}} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim + {{- end}} diff --git a/charts/pulsarv2/templates/toolset-service.yaml b/charts/pulsarv2/templates/toolset-service.yaml new file mode 100644 index 0000000..000711b --- /dev/null +++ b/charts/pulsarv2/templates/toolset-service.yaml 
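Review bot: The PodSecurityPolicy added here (and the identical one in zookeeper-rbac.yaml later in this patch) uses `apiVersion: policy/v1beta1`, which was removed together with PSP in Kubernetes 1.25, so on current clusters the whole `rbac.psp` branch fails to install. Within the policy, `runAsUser: rule: 'RunAsAny'` combined with `readOnlyRootFilesystem: false` means it does not actually constrain the pod to a non-root user or an immutable root filesystem; if a restrictive profile is intended, `rule: 'MustRunAsNonRoot'` is the usual choice, and clusters at 1.25 or later need namespace Pod Security Admission labels instead of this object. A short comment above `spec:` stating which of the two postures the policy is meant to enforce would help the next maintainer.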
@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if .Values.components.toolset }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.toolset.component }}
+spec:
+ clusterIP: None
+ selector:
+ {{- include "pulsar.matchLabels" . | nindent 4 }}
+ component: {{ .Values.toolset.component }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pulsarv2/templates/toolset-statefulset.yaml b/charts/pulsarv2/templates/toolset-statefulset.yaml new file mode 100644
index 0000000..8e3b8d5
--- /dev/null
+++ b/charts/pulsarv2/templates/toolset-statefulset.yaml
@@ -0,0 +1,125 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.toolset }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.toolset.component }} +spec: + serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + replicas: {{ .Values.toolset.replicaCount }} + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.toolset.component }} + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.toolset.component }} + annotations: + {{- if .Values.toolset.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/toolset-configmap.yaml") . 
| sha256sum }} + {{- end }} +{{ toYaml .Values.toolset.annotations | indent 8 }} + spec: + {{- if .Values.toolset.nodeSelector }} + nodeSelector: +{{ toYaml .Values.toolset.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.toolset.tolerations }} + tolerations: +{{ toYaml .Values.toolset.tolerations | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + {{- end}} + containers: + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + image: "{{ .Values.images.broker.repository }}:{{ .Values.images.broker.tag }}" + imagePullPolicy: {{ .Values.images.broker.pullPolicy }} + {{- if .Values.toolset.resources }} + resources: +{{ toYaml .Values.toolset.resources | indent 10 }} + {{- end }} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/client.conf; + bin/apply-config-from-env.py conf/bookkeeper.conf; + {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} + sleep 10000000000 + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + volumeMounts: + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - mountPath: "/pulsar/tokens" + name: client-token + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} + - mountPath: "/pulsar/certs/proxy-ca" + name: proxy-ca + readOnly: true + {{- end}} + {{- if .Values.toolset.extraVolumeMounts }} +{{ toYaml .Values.toolset.extraVolumeMounts | indent 8 }} + {{- end }} + {{- include "pulsar.toolset.certs.volumeMounts" . 
| nindent 8 }} + volumes: + {{- if .Values.auth.authentication.enabled }} + {{- if eq .Values.auth.authentication.provider "jwt" }} + - name: client-token + secret: + secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}" + items: + - key: TOKEN + path: client/token + {{- end}} + {{- end}} + {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} + - name: proxy-ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt + {{- end}} + {{- if .Values.toolset.extraVolumes }} +{{ toYaml .Values.toolset.extraVolumes | indent 6 }} + {{- end }} + {{- include "pulsar.toolset.certs.volumes" . | nindent 6 }} + {{- include "pulsar.imagePullSecrets" . | nindent 6}} +{{- end }} diff --git a/charts/pulsarv2/templates/zookeeper-configmap.yaml b/charts/pulsarv2/templates/zookeeper-configmap.yaml new file mode 100644 index 0000000..6536507 --- /dev/null +++ b/charts/pulsarv2/templates/zookeeper-configmap.yaml 
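Review bot: The pod is given `serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"`, i.e. the proxy component's ServiceAccount, while toolset-rbac.yaml in this same patch creates a toolset-named ServiceAccount, Role and PSP that nothing then references. The toolset therefore runs with whatever the proxy account is permitted and the toolset policy is never the one evaluated for it; the line should read `serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"`. Separately, this container mounts the `auth.superUsers.client` token and idles on `sleep 10000000000`, so it is a permanently running pod holding superuser credentials; that is the tool's purpose, but it is worth a comment next to `components.toolset` in values.yaml recommending it be disabled where an always-on admin pod is not needed.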
@@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# deploy zookeeper only when `components.zookeeper` is true
+{{- if .Values.components.zookeeper }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.zookeeper.component }}
+data:
+ dataDir: /pulsar/data/zookeeper
+ {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+ # enable zookeeper tls
+ PULSAR_PREFIX_serverCnxnFactory: org.apache.zookeeper.server.NettyServerCnxnFactory
+ serverCnxnFactory: org.apache.zookeeper.server.NettyServerCnxnFactory
+ secureClientPort: "{{ .Values.zookeeper.ports.clientTls }}"
+ PULSAR_PREFIX_secureClientPort: "{{ .Values.zookeeper.ports.clientTls }}"
+ {{- else }}
+ PULSAR_PREFIX_serverCnxnFactory: org.apache.zookeeper.server.NIOServerCnxnFactory
+ serverCnxnFactory: org.apache.zookeeper.server.NIOServerCnxnFactory
+ {{- end }}
+{{ toYaml .Values.zookeeper.configData | indent 2 }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/zookeeper-pdb.yaml b/charts/pulsarv2/templates/zookeeper-pdb.yaml new file mode 100644
index 0000000..387a05a
--- /dev/null
+++ b/charts/pulsarv2/templates/zookeeper-pdb.yaml
@@ -0,0 +1,38 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# deploy zookeeper only when `components.zookeeper` is true
+{{- if .Values.components.zookeeper }}
+{{- if .Values.zookeeper.pdb.usePolicy }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.zookeeper.component }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "pulsar.matchLabels" . | nindent 6 }}
+ component: {{ .Values.zookeeper.component }}
+ maxUnavailable: {{ .Values.zookeeper.pdb.maxUnavailable }}
+{{- end }}
+{{- end }}
diff --git a/charts/pulsarv2/templates/zookeeper-podmonitor.yaml b/charts/pulsarv2/templates/zookeeper-podmonitor.yaml new file mode 100644
index 0000000..0ca8853
--- /dev/null
+++ b/charts/pulsarv2/templates/zookeeper-podmonitor.yaml
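Review bot: `apiVersion: policy/v1beta1` for the PodDisruptionBudget is the deprecated group version that was removed in Kubernetes 1.25, so on clusters at or past that release this template fails to apply whenever `zookeeper.pdb.usePolicy` is set. If the chart targets 1.21 or later, `apiVersion: policy/v1` is the stable replacement and the `selector`/`maxUnavailable` fields used here are unchanged; if older clusters must still be supported, select the version with `.Capabilities.APIVersions.Has` rather than hard-coding the beta one.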
@@ -0,0 +1,54 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# deploy zookeeper PodMonitor only when `$.Values.zookeeper.podMonitor.enabled` is true
+{{- if $.Values.zookeeper.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ template "pulsar.name" . }}-zookeeper
+ labels:
+ app: {{ template "pulsar.name" . }}
+ chart: {{ template "pulsar.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ jobLabel: zookeeper
+ podMetricsEndpoints:
+ - port: http
+ path: /metrics
+ scheme: http
+ interval: {{ $.Values.zookeeper.podMonitor.interval }}
+ scrapeTimeout: {{ $.Values.zookeeper.podMonitor.scrapeTimeout }}
+ relabelings:
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: kubernetes_namespace
+ - sourceLabels: [__meta_kubernetes_pod_label_component]
+ action: replace
+ targetLabel: job
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: kubernetes_pod_name
+ selector:
+ matchLabels:
+ component: zookeeper
+{{- end }}
\ No newline at end of file
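Review bot: The PodMonitor's `selector.matchLabels` hard-codes `component: zookeeper` while every other zookeeper template in this patch derives that label from `.Values.zookeeper.component`, so overriding the value leaves the monitor matching nothing (or an unrelated pod that happens to carry the literal label). The selector also has no release-scoped key, so two releases of this chart in one namespace scrape each other's zookeeper pods; the zookeeper StatefulSet's anti-affinity rules select on a `release` pod label, which suggests `release: {{ .Release.Name }}` can be added alongside `component: {{ .Values.zookeeper.component }}` (confirm against `pulsar.template.labels`, which is not visible here). Finally, `metadata.namespace` is omitted although the other templates set it via `pulsar.namespace`, so the object may be created in a different namespace from the pods it is meant to select.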
diff --git a/charts/pulsarv2/templates/zookeeper-rbac.yaml b/charts/pulsarv2/templates/zookeeper-rbac.yaml new file mode 100644 index 0000000..4b541a4 --- /dev/null +++ b/charts/pulsarv2/templates/zookeeper-rbac.yaml 
@@ -0,0 +1,89 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and .Values.rbac.enabled .Values.rbac.psp }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . 
}} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim + {{- end}} diff --git a/charts/pulsarv2/templates/zookeeper-service.yaml b/charts/pulsarv2/templates/zookeeper-service.yaml new file mode 100644 index 0000000..83cb604 --- /dev/null +++ b/charts/pulsarv2/templates/zookeeper-service.yaml 
@@ -0,0 +1,51 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# deploy zookeeper only when `components.zookeeper` is true
+{{- if .Values.components.zookeeper }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+ labels:
+ {{- include "pulsar.standardLabels" . | nindent 4 }}
+ component: {{ .Values.zookeeper.component }}
+ annotations:
+{{ toYaml .Values.zookeeper.service.annotations | indent 4 }}
+spec:
+ ports:
+ # prometheus needs to access /metrics endpoint
+ - name: http
+ port: {{ .Values.zookeeper.ports.http }}
+ - name: "{{ .Values.tcpPrefix }}follower"
+ port: {{ .Values.zookeeper.ports.follower }}
+ - name: "{{ .Values.tcpPrefix }}leader-election"
+ port: {{ .Values.zookeeper.ports.leaderElection }}
+ - name: "{{ .Values.tcpPrefix }}client"
+ port: {{ .Values.zookeeper.ports.client }}
+ {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+ - name: "{{ .Values.tlsPrefix }}client-tls"
+ port: {{ .Values.zookeeper.ports.clientTls }}
+ {{- end }}
+ clusterIP: None
+ selector:
+ {{- include "pulsar.matchLabels" . | nindent 4 }}
+ component: {{ .Values.zookeeper.component }}
+{{- end }}
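Review bot: The plaintext `client` port is published unconditionally, and when `tls.enabled` and `tls.zookeeper.enabled` are set the `client-tls` port is added next to it rather than in place of it, so enabling TLS does not by itself close the unencrypted path to ZooKeeper. Whether the server still accepts plaintext is decided by the ZooKeeper configuration (a `clientPort` entry in `zookeeper.configData`, which this patch does not show), not by this headless Service, so the dependency should at least be stated, e.g. above the `client` entry: `# plaintext client port; stays reachable unless clientPort is dropped from zookeeper.configData when TLS is enabled`. If the intent is TLS-only, the readiness script `bin/pulsar-zookeeper-ruok.sh` used by the StatefulSet probes would also need checking, since it may rely on the plaintext port.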
diff --git a/charts/pulsarv2/templates/zookeeper-statefulset.yaml b/charts/pulsarv2/templates/zookeeper-statefulset.yaml new file mode 100644 index 0000000..a94ae87 --- /dev/null +++ b/charts/pulsarv2/templates/zookeeper-statefulset.yaml 
@@ -0,0 +1,237 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# deploy zookeeper only when `components.zookeeper` is true +{{- if .Values.components.zookeeper }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.zookeeper.component }} +spec: + serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + replicas: {{ .Values.zookeeper.replicaCount }} + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.zookeeper.component }} + updateStrategy: +{{ toYaml .Values.zookeeper.updateStrategy | indent 4 }} + podManagementPolicy: {{ .Values.zookeeper.podManagementPolicy }} + template: + metadata: + labels: + {{- include "pulsar.template.labels" . | nindent 8 }} + component: {{ .Values.zookeeper.component }} + annotations: + {{- if .Values.zookeeper.restartPodsOnConfigMapChange }} + checksum/config: {{ include (print $.Template.BasePath "/zookeeper-configmap.yaml") . 
| sha256sum }} + {{- end }} +{{ toYaml .Values.zookeeper.annotations | indent 8 }} + spec: + {{- if .Values.zookeeper.nodeSelector }} + nodeSelector: +{{ toYaml .Values.zookeeper.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.zookeeper.tolerations }} + tolerations: +{{ toYaml .Values.zookeeper.tolerations | indent 8 }} + {{- end }} + affinity: + {{- if and .Values.affinity.anti_affinity .Values.zookeeper.affinity.anti_affinity}} + podAntiAffinity: + {{ if eq .Values.zookeeper.affinity.type "requiredDuringSchedulingIgnoredDuringExecution"}} + {{ .Values.zookeeper.affinity.type }}: + - labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.zookeeper.component }} + topologyKey: "kubernetes.io/hostname" + {{ else }} + {{ .Values.zookeeper.affinity.type }}: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - "{{ template "pulsar.name" . }}" + - key: "release" + operator: In + values: + - {{ .Release.Name }} + - key: "component" + operator: In + values: + - {{ .Values.zookeeper.component }} + topologyKey: "kubernetes.io/hostname" + {{ end }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + {{- end }} + containers: + - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.zookeeper.component }}" + image: "{{ .Values.images.zookeeper.repository }}:{{ .Values.images.zookeeper.tag }}" + imagePullPolicy: {{ .Values.images.zookeeper.pullPolicy }} + {{- if .Values.zookeeper.resources }} + resources: +{{ toYaml .Values.zookeeper.resources | indent 10 }} + {{- end }} + command: ["sh", "-c"] + args: + - > + bin/apply-config-from-env.py conf/zookeeper.conf; + {{- include "pulsar.zookeeper.tls.settings" . | nindent 10 }} + bin/generate-zookeeper-config.sh conf/zookeeper.conf; + OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar zookeeper; + ports: + # prometheus needs to access /metrics endpoint + - name: http + containerPort: {{ .Values.zookeeper.ports.http }} + - name: client + containerPort: {{ .Values.zookeeper.ports.client }} + - name: follower + containerPort: {{ .Values.zookeeper.ports.follower }} + - name: leader-election + containerPort: {{ .Values.zookeeper.ports.leaderElection }} + {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} + - name: client-tls + containerPort: {{ .Values.zookeeper.ports.clientTls }} + {{- end }} + env: + - name: ZOOKEEPER_SERVERS + value: + {{- $global := . }} + {{ range $i, $e := until (.Values.zookeeper.replicaCount | int) }}{{ if ne $i 0 }},{{ end }}{{ template "pulsar.fullname" $global }}-{{ $global.Values.zookeeper.component }}-{{ printf "%d" $i }}{{ end }} + envFrom: + - configMapRef: + name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.zookeeper.component }}" + {{- if .Values.zookeeper.probe.readiness.enabled }} + {{- if and .Values.rbac.enabled .Values.rbac.psp }} + securityContext: + readOnlyRootFilesystem: false + {{- end}} + readinessProbe: + exec: + command: + - bin/pulsar-zookeeper-ruok.sh + initialDelaySeconds: {{ .Values.zookeeper.probe.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.zookeeper.probe.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.zookeeper.probe.readiness.timeoutSeconds }} + failureThreshold: {{ .Values.zookeeper.probe.readiness.failureThreshold }} + {{- end }} + {{- if .Values.zookeeper.probe.liveness.enabled }} + livenessProbe: + exec: + command: + - bin/pulsar-zookeeper-ruok.sh + initialDelaySeconds: {{ .Values.zookeeper.probe.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.zookeeper.probe.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.zookeeper.probe.liveness.timeoutSeconds }} + failureThreshold: {{ .Values.zookeeper.probe.liveness.failureThreshold }} + {{- end }} + {{- if .Values.zookeeper.probe.startup.enabled }} + startupProbe: + exec: + command: + - bin/pulsar-zookeeper-ruok.sh + initialDelaySeconds: {{ .Values.zookeeper.probe.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.zookeeper.probe.startup.periodSeconds }} + timeoutSeconds: {{ .Values.zookeeper.probe.startup.timeoutSeconds }} + failureThreshold: {{ .Values.zookeeper.probe.startup.failureThreshold }} + {{- end }} + volumeMounts: + - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}" + mountPath: /pulsar/data + {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} + - mountPath: "/pulsar/certs/zookeeper" + name: zookeeper-certs + readOnly: true + - mountPath: "/pulsar/certs/ca" + name: ca + readOnly: true + - name: keytool + mountPath: "/pulsar/keytool/keytool.sh" + subPath: keytool.sh + {{- end }} + {{- if .Values.zookeeper.extraVolumeMounts }} +{{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }} + {{- end }} + volumes: + {{- if not (and (and .Values.volumes.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence) }} + - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}" + emptyDir: {} + {{- end }} + {{- if .Values.zookeeper.extraVolumes }} +{{ toYaml .Values.zookeeper.extraVolumes | indent 6 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} + - name: zookeeper-certs + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}" + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + - name: ca + secret: + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + items: + - key: ca.crt + path: ca.crt + - name: keytool + configMap: + name: "{{ template "pulsar.fullname" . }}-keytool-configmap" + defaultMode: 0755 + {{- end}} +{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }} + volumeClaimTemplates: + - metadata: + name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}" + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: {{ .Values.zookeeper.volumes.data.size }} + {{- if .Values.zookeeper.volumes.data.storageClassName }} + storageClassName: "{{ .Values.zookeeper.volumes.data.storageClassName }}" + {{- else if and (not (and .Values.volumes.local_storage .Values.zookeeper.volumes.data.local_storage)) .Values.zookeeper.volumes.data.storageClass }} + storageClassName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}" + {{- else if and .Values.volumes.local_storage .Values.zookeeper.volumes.data.local_storage }} + storageClassName: "local-storage" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/templates/zookeeper-storageclass.yaml b/charts/pulsarv2/templates/zookeeper-storageclass.yaml new file mode 100644 index 0000000..ff2af9f --- /dev/null +++ b/charts/pulsarv2/templates/zookeeper-storageclass.yaml 
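Review bot: The emptyDir guard for the data volume tests `.Values.volumes.persistence` twice (`and (and .Values.volumes.persistence .Values.volumes.persistence) ...`), whereas the `volumeClaimTemplates` guard a few lines below — and zookeeper-storageclass.yaml in this patch — test `.Values.persistence` in that position, so the two branches are not complements: with `persistence: false` but `volumes.persistence` and `zookeeper.volumes.persistence` true, neither an emptyDir nor a claim template is rendered and the container mounts a volume the pod never defines. The guard should read `{{- if not (and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence) }}`. Separately, the container `securityContext` sits inside `{{- if .Values.zookeeper.probe.readiness.enabled }}`, so turning the readiness probe off silently drops it; it belongs outside that block, next to `envFrom`.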
@@ -0,0 +1,40 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# deploy zookeeper only when `components.zookeeper` is true +{{- if .Values.components.zookeeper }} +{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }} + +# define the storage class for data directory +{{- if and (not (and .Values.volumes.local_storage .Values.zookeeper.volumes.data.local_storage)) .Values.zookeeper.volumes.data.storageClass }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.zookeeper.component }} +provisioner: {{ .Values.zookeeper.volumes.data.storageClass.provisioner }} +parameters: + type: {{ .Values.zookeeper.volumes.data.storageClass.type }} + fsType: {{ .Values.zookeeper.volumes.data.storageClass.fsType }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/pulsarv2/values.yaml b/charts/pulsarv2/values.yaml new file mode 100644 index 0000000..a69ccfb --- /dev/null +++ b/charts/pulsarv2/values.yaml 
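Review bot: `namespace: {{ template "pulsar.namespace" . }}` under `metadata` is set on a `StorageClass`, which is a cluster-scoped resource, so the field has no effect and should be dropped from this template. `provisioner`, `type` and `fsType` are rendered unquoted from `.Values.zookeeper.volumes.data.storageClass`, so a missing sub-key silently renders as an empty scalar instead of failing the install; wrapping the mandatory one, e.g. `provisioner: {{ required "zookeeper.volumes.data.storageClass.provisioner is required" .Values.zookeeper.volumes.data.storageClass.provisioner }}`, makes the misconfiguration explicit at render time. The guard also still reads the deprecated top-level `.Values.persistence` alongside `.Values.volumes.persistence`, which is worth a comment so the two flags are not reconciled differently here than in the statefulset.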
@@ -0,0 +1,1104 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +### +### K8S Settings +### + +### Namespace to deploy pulsar +# The namespace to use to deploy the pulsar components, if left empty +# will default to .Release.Namespace (aka helm --namespace). +namespace: "" +namespaceCreate: false + +## clusterDomain as defined for your k8s cluster +clusterDomain: cluster.local + +### +### Global Settings +### + +## Set to true on install +initialize: false + +## Set cluster name +# clusterName: + +## Pulsar Metadata Prefix +## +## By default, pulsar stores all the metadata at root path. +## You can configure to have a prefix (e.g. "/my-pulsar-cluster"). 
+## If you do so, all the pulsar and bookkeeper metadata will +## be stored under the provided path +metadataPrefix: "" + +## Port name prefix +## +## Used for Istio support which depends on a standard naming of ports +## See https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection +## Prefixes are disabled by default + +tcpPrefix: "" # For Istio this will be "tcp-" +tlsPrefix: "" # For Istio this will be "tls-" + +## Persistence +## +## If persistence is enabled, components that have state will +## be deployed with PersistentVolumeClaims, otherwise, for test +## purposes, they will be deployed with emptyDir +## +## This is a global setting that is applied to all components. +## If you need to disable persistence for a component, +## you can set the `volume.persistence` setting to `false` for +## that component. +## +## Deprecated in favor of using `volumes.persistence` +persistence: true +## Volume settings +volumes: + persistence: true + # configure the components to use local persistent volume + # the local provisioner should be installed prior to enable local persistent volume + local_storage: false + +## RBAC +## +## Configure settings related to RBAC such as limiting broker access to single +## namespece or enabling PSP + +rbac: + enabled: false + psp: false + limit_to_namespace: false + + +## AntiAffinity +## +## Flag to enable and disable `AntiAffinity` for all components. +## This is a global setting that is applied to all components. +## If you need to disable AntiAffinity for a component, you can set +## the `affinity.anti_affinity` settings to `false` for that component. +affinity: + anti_affinity: true + # Set the anti affinity type. 
Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: requiredDuringSchedulingIgnoredDuringExecution + +## Components +## +## Control what components of Apache Pulsar to deploy for the cluster +components: + # zookeeper + zookeeper: true + # bookkeeper + bookkeeper: true + # bookkeeper - autorecovery + autorecovery: true + # broker + broker: true + # functions + functions: true + # proxy + proxy: true + # toolset + toolset: true + # pulsar manager + pulsar_manager: true + +## Monitoring Components +## +## Control what components of the monitoring stack to deploy for the cluster +monitoring: + # monitoring - prometheus + prometheus: true + # monitoring - grafana + grafana: true + # monitoring - node_exporter + node_exporter: true + # alerting - alert-manager + alert_manager: true + +## which extra components to deploy (Deprecated) +extra: + # Pulsar proxy + proxy: false + # Bookkeeper auto-recovery + autoRecovery: false + # Pulsar dashboard + # Deprecated + # Replace pulsar-dashboard with pulsar-manager + dashboard: false + # pulsar manager + pulsar_manager: false + # Monitoring stack (prometheus and grafana) + monitoring: false + # Configure Kubernetes runtime for Functions + functionsAsPods: false + +## Images +## +## Control what images to use for each component +images: + zookeeper: + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + bookie: + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + autorecovery: + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + broker: + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + proxy: + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + functions: + repository: 
apachepulsar/pulsar-all + tag: 2.7.4 + prometheus: + repository: prom/prometheus + tag: v2.17.2 + pullPolicy: IfNotPresent + grafana: + repository: streamnative/apache-pulsar-grafana-dashboard-k8s + tag: 0.0.10 + pullPolicy: IfNotPresent + pulsar_manager: + repository: apachepulsar/pulsar-manager + tag: v0.1.0 + pullPolicy: IfNotPresent + hasCommand: false + +## TLS +## templates/tls-certs.yaml +## +## The chart is using cert-manager for provisioning TLS certs for +## brokers and proxies. +tls: + enabled: false + ca_suffix: ca-tls + # common settings for generating certs + common: + # 90d + duration: 2160h + # 15d + renewBefore: 360h + organization: + - pulsar + keySize: 4096 + keyAlgorithm: rsa + keyEncoding: pkcs8 + # settings for generating certs for proxy + proxy: + enabled: false + cert_name: tls-proxy + # settings for generating certs for broker + broker: + enabled: false + cert_name: tls-broker + # settings for generating certs for bookies + bookie: + enabled: false + cert_name: tls-bookie + # settings for generating certs for zookeeper + zookeeper: + enabled: false + cert_name: tls-zookeeper + # settings for generating certs for recovery + autorecovery: + cert_name: tls-recovery + # settings for generating certs for toolset + toolset: + cert_name: tls-toolset + +# Enable or disable broker authentication and authorization. +auth: + authentication: + enabled: false + provider: "jwt" + jwt: + # Enable JWT authentication + # If the token is generated by a secret key, set the usingSecretKey as true. + # If the token is generated by a private key, set the usingSecretKey as false. 
+ usingSecretKey: false + authorization: + enabled: false + superUsers: + # broker to broker communication + broker: "broker-admin" + # proxy to broker communication + proxy: "proxy-admin" + # pulsar-admin client to broker/proxy communication + client: "admin" + +###################################################################### +# External dependencies +###################################################################### + +## cert-manager +## templates/tls-cert-issuer.yaml +## +## Cert manager is used for automatically provisioning TLS certificates +## for components within a Pulsar cluster +certs: + internal_issuer: + apiVersion: cert-manager.io/v1alpha2 + enabled: false + component: internal-cert-issuer + type: selfsigning + # 90d + duration: 2160h + # 15d + renewBefore: 360h + issuers: + selfsigning: + +###################################################################### +# Below are settings for each component +###################################################################### + +## Pulsar: Zookeeper cluster +## templates/zookeeper-statefulset.yaml +## +zookeeper: + # use a component name that matches your grafana configuration + # so the metrics are correctly rendered in grafana dashboard + component: zookeeper + # the number of zookeeper servers to run. it should be an odd number larger than or equal to 3. 
+ replicaCount: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: OrderedReady + # If using Prometheus-Operator enable this PodMonitor to discover zookeeper scrape targets + # Prometheus-Operator does not add scrape targets based on k8s annotations + podMonitor: + enabled: false + interval: 10s + scrapeTimeout: 10s + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + ports: + http: 8000 + client: 2181 + clientTls: 2281 + follower: 2888 + leaderElection: 3888 + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + probe: + liveness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + readiness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + startup: + enabled: false + failureThreshold: 30 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + affinity: + anti_affinity: true + # Set the anti affinity type. 
Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: requiredDuringSchedulingIgnoredDuringExecution + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 256Mi + cpu: 0.1 + # extraVolumes and extraVolumeMounts allows you to mount other volumes + # Example Use Case: mount ssl certificates + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /certs + # readOnly: true + extraVolumes: [] + extraVolumeMounts: [] + volumes: + # use a persistent volume or emptyDir + persistence: true + data: + name: data + size: 20Gi + local_storage: true + ## If you already have an existent storage class and want to reuse it, you can specify its name with the option below + ## + # storageClassName: existent-storage-class + # + ## Instead if you want to create a new storage class define it below + ## If left undefined no storage class will be defined along with PVC + ## + # storageClass: + # type: pd-ssd + # fsType: xfs + # provisioner: kubernetes.io/gce-pd + ## Zookeeper configmap + ## templates/zookeeper-configmap.yaml + ## + configData: + PULSAR_MEM: > + -Xms64m -Xmx128m + PULSAR_GC: > + -XX:+UseG1GC + -XX:MaxGCPauseMillis=10 + -Dcom.sun.management.jmxremote + -Djute.maxbuffer=10485760 + -XX:+ParallelRefProcEnabled + -XX:+UnlockExperimentalVMOptions + -XX:+DoEscapeAnalysis + -XX:+DisableExplicitGC + -XX:+PerfDisableSharedMem + ## Zookeeper service + ## templates/zookeeper-service.yaml + ## + service: + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + ## Zookeeper PodDisruptionBudget + ## templates/zookeeper-pdb.yaml + ## + pdb: + usePolicy: true + 
maxUnavailable: 1 + +## Pulsar: Bookkeeper cluster +## templates/bookkeeper-statefulset.yaml +## +bookkeeper: + # use a component name that matches your grafana configuration + # so the metrics are correctly rendered in grafana dashboard + component: bookie + ## BookKeeper Cluster Initialize + ## templates/bookkeeper-cluster-initialize.yaml + metadata: + ## Set the resources used for running `bin/bookkeeper shell initnewcluster` + ## + resources: + # requests: + # memory: 4Gi + # cpu: 2 + replicaCount: 4 + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + # If using Prometheus-Operator enable this PodMonitor to discover bookie scrape targets + # Prometheus-Operator does not add scrape targets based on k8s annotations + podMonitor: + enabled: false + interval: 10s + scrapeTimeout: 10s + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + ports: + http: 8000 + bookie: 3181 + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + probe: + liveness: + enabled: true + failureThreshold: 60 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + readiness: + enabled: true + failureThreshold: 60 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + startup: + enabled: false + failureThreshold: 30 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + affinity: + anti_affinity: true + # Set the anti affinity type. 
Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: requiredDuringSchedulingIgnoredDuringExecution + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 512Mi + cpu: 0.2 + # extraVolumes and extraVolumeMounts allows you to mount other volumes + # Example Use Case: mount ssl certificates + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /certs + # readOnly: true + extraVolumes: [] + extraVolumeMounts: [] + volumes: + # use a persistent volume or emptyDir + persistence: true + journal: + name: journal + size: 10Gi + local_storage: true + ## If you already have an existent storage class and want to reuse it, you can specify its name with the option below + ## + # storageClassName: existent-storage-class + # + ## Instead if you want to create a new storage class define it below + ## If left undefined no storage class will be defined along with PVC + ## + # storageClass: + # type: pd-ssd + # fsType: xfs + # provisioner: kubernetes.io/gce-pd + ledgers: + name: ledgers + size: 50Gi + local_storage: true + # storageClassName: + # storageClass: + # ... + + ## use a single common volume for both journal and ledgers + useSingleCommonVolume: false + common: + name: common + size: 60Gi + local_storage: true + # storageClassName: + # storageClass: ## this is common too + # ... 
+ + ## Bookkeeper configmap + ## templates/bookkeeper-configmap.yaml + ## + configData: + # we use `bin/pulsar` for starting bookie daemons + PULSAR_MEM: > + -Xms128m + -Xmx256m + -XX:MaxDirectMemorySize=256m + PULSAR_GC: > + -XX:+UseG1GC + -XX:MaxGCPauseMillis=10 + -XX:+ParallelRefProcEnabled + -XX:+UnlockExperimentalVMOptions + -XX:+DoEscapeAnalysis + -XX:ParallelGCThreads=4 + -XX:ConcGCThreads=4 + -XX:G1NewSizePercent=50 + -XX:+DisableExplicitGC + -XX:-ResizePLAB + -XX:+ExitOnOutOfMemoryError + -XX:+PerfDisableSharedMem + -XX:+PrintGCDetails + -XX:+PrintGCTimeStamps + -XX:+PrintGCApplicationStoppedTime + -XX:+PrintHeapAtGC + -verbosegc + -Xloggc:/var/log/bookie-gc.log + -XX:G1LogLevel=finest + # configure the memory settings based on jvm memory settings + dbStorage_writeCacheMaxSizeMb: "32" + dbStorage_readAheadCacheMaxSizeMb: "32" + dbStorage_rocksDB_writeBufferSizeMB: "8" + dbStorage_rocksDB_blockCacheSize: "8388608" + ## Bookkeeper Service + ## templates/bookkeeper-service.yaml + ## + service: + spec: + publishNotReadyAddresses: true + ## Bookkeeper PodDisruptionBudget + ## templates/bookkeeper-pdb.yaml + ## + pdb: + usePolicy: true + maxUnavailable: 1 + +## Pulsar: Bookkeeper AutoRecovery +## templates/autorecovery-statefulset.yaml +## +autorecovery: + # use a component name that matches your grafana configuration + # so the metrics are correctly rendered in grafana dashboard + component: recovery + replicaCount: 1 + # If using Prometheus-Operator enable this PodMonitor to discover autorecovery scrape targets + # # Prometheus-Operator does not add scrape targets based on k8s annotations + podMonitor: + enabled: false + interval: 10s + scrapeTimeout: 10s + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + ports: + http: 8000 + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + affinity: + anti_affinity: true + # 
Set the anti affinity type. Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: requiredDuringSchedulingIgnoredDuringExecution + annotations: {} + # tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 64Mi + cpu: 0.05 + ## Bookkeeper auto-recovery configmap + ## templates/autorecovery-configmap.yaml + ## + configData: + BOOKIE_MEM: > + -Xms64m -Xmx64m + +## Pulsar Zookeeper metadata. The metadata will be deployed as +## soon as the last zookeeper node is reachable. The deployment +## of other components that depends on zookeeper, such as the +## bookkeeper nodes, broker nodes, etc will only start to be +## deployed when the zookeeper cluster is ready and with the +## metadata deployed +pulsar_metadata: + component: pulsar-init + image: + # the image used for running `pulsar-cluster-initialize` job + repository: apachepulsar/pulsar-all + tag: 2.7.4 + pullPolicy: IfNotPresent + ## set an existing configuration store + # configurationStore: + configurationStoreMetadataPrefix: "" + configurationStorePort: 2181 + + ## optional, you can provide your own zookeeper metadata store for other components + # to use this, you should explicit set components.zookeeper to false + # + # userProvidedZookeepers: "zk01.example.com:2181,zk02.example.com:2181" + +# Can be used to run extra commands in the initialization jobs e.g. to quit istio sidecars etc. 
+extraInitCommand: "" + +## Pulsar: Broker cluster +## templates/broker-statefulset.yaml +## +broker: + # use a component name that matches your grafana configuration + # so the metrics are correctly rendered in grafana dashboard + component: broker + replicaCount: 3 + # If using Prometheus-Operator enable this PodMonitor to discover broker scrape targets + # Prometheus-Operator does not add scrape targets based on k8s annotations + podMonitor: + enabled: false + interval: 10s + scrapeTimeout: 10s + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + ports: + http: 8080 + https: 8443 + pulsar: 6650 + pulsarssl: 6651 + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + probe: + liveness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + readiness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + startup: + enabled: false + failureThreshold: 30 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + affinity: + anti_affinity: true + # Set the anti affinity type. 
Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: preferredDuringSchedulingIgnoredDuringExecution + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 512Mi + cpu: 0.2 + # extraVolumes and extraVolumeMounts allows you to mount other volumes + # Example Use Case: mount ssl certificates + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /certs + # readOnly: true + extraVolumes: [] + extraVolumeMounts: [] + ## Broker configmap + ## templates/broker-configmap.yaml + ## + configData: + PULSAR_MEM: > + -Xms128m -Xmx256m -XX:MaxDirectMemorySize=256m + PULSAR_GC: > + -XX:+UseG1GC + -XX:MaxGCPauseMillis=10 + -Dio.netty.leakDetectionLevel=disabled + -Dio.netty.recycler.linkCapacity=1024 + -XX:+ParallelRefProcEnabled + -XX:+UnlockExperimentalVMOptions + -XX:+DoEscapeAnalysis + -XX:ParallelGCThreads=4 + -XX:ConcGCThreads=4 + -XX:G1NewSizePercent=50 + -XX:+DisableExplicitGC + -XX:-ResizePLAB + -XX:+ExitOnOutOfMemoryError + -XX:+PerfDisableSharedMem + managedLedgerDefaultEnsembleSize: "2" + managedLedgerDefaultWriteQuorum: "2" + managedLedgerDefaultAckQuorum: "2" + ## Broker service + ## templates/broker-service.yaml + ## + service: + annotations: {} + ## Broker PodDisruptionBudget + ## templates/broker-pdb.yaml + ## + pdb: + usePolicy: true + maxUnavailable: 1 + ### Broker service account + ## templates/broker-service-account.yaml + service_account: + annotations: {} + +## Pulsar: Functions Worker +## templates/function-worker-configmap.yaml +## +functions: + component: functions-worker + +## Pulsar: Proxy Cluster +## templates/proxy-statefulset.yaml +## +proxy: + # use a component name that matches your grafana configuration + 
# so the metrics are correctly rendered in grafana dashboard + component: proxy + replicaCount: 3 + # If using Prometheus-Operator enable this PodMonitor to discover proxy scrape targets + # Prometheus-Operator does not add scrape targets based on k8s annotations + podMonitor: + enabled: false + interval: 10s + scrapeTimeout: 10s + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + probe: + liveness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + readiness: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + startup: + enabled: false + failureThreshold: 30 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + affinity: + anti_affinity: true + # Set the anti affinity type. 
Valid values: + # requiredDuringSchedulingIgnoredDuringExecution - rules must be met for pod to be scheduled (hard) requires at least one node per replica + # preferredDuringSchedulingIgnoredDuringExecution - scheduler will try to enforce but not guranentee + type: requiredDuringSchedulingIgnoredDuringExecution + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 128Mi + cpu: 0.2 + # extraVolumes and extraVolumeMounts allows you to mount other volumes + # Example Use Case: mount ssl certificates + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /certs + # readOnly: true + extraVolumes: [] + extraVolumeMounts: [] + ## Proxy configmap + ## templates/proxy-configmap.yaml + ## + configData: + PULSAR_MEM: > + -Xms64m -Xmx64m -XX:MaxDirectMemorySize=64m + PULSAR_GC: > + -XX:+UseG1GC + -XX:MaxGCPauseMillis=10 + -Dio.netty.leakDetectionLevel=disabled + -Dio.netty.recycler.linkCapacity=1024 + -XX:+ParallelRefProcEnabled + -XX:+UnlockExperimentalVMOptions + -XX:+DoEscapeAnalysis + -XX:ParallelGCThreads=4 + -XX:ConcGCThreads=4 + -XX:G1NewSizePercent=50 + -XX:+DisableExplicitGC + -XX:-ResizePLAB + -XX:+ExitOnOutOfMemoryError + -XX:+PerfDisableSharedMem + ## Proxy service + ## templates/proxy-service.yaml + ## + ports: + http: 80 + https: 443 + pulsar: 6650 + pulsarssl: 6651 + service: + annotations: {} + type: LoadBalancer + ## Proxy ingress + ## templates/proxy-ingress.yaml + ## + ingress: + enabled: false + annotations: {} + tls: + enabled: false + + ## Optional. Leave it blank if your Ingress Controller can provide a default certificate. 
+ secretName: "" + + hostname: "" + path: "/" + ## Proxy PodDisruptionBudget + ## templates/proxy-pdb.yaml + ## + pdb: + usePolicy: true + maxUnavailable: 1 + +## Pulsar Extra: Dashboard +## templates/dashboard-deployment.yaml +## Deprecated +## +dashboard: + component: dashboard + replicaCount: 1 + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + annotations: {} + tolerations: [] + gracePeriod: 0 + image: + repository: apachepulsar/pulsar-dashboard + tag: latest + pullPolicy: IfNotPresent + resources: + requests: + memory: 1Gi + cpu: 250m + ## Dashboard service + ## templates/dashboard-service.yaml + ## + service: + annotations: {} + ports: + - name: server + port: 80 + ingress: + enabled: false + annotations: {} + tls: + enabled: false + + ## Optional. Leave it blank if your Ingress Controller can provide a default certificate. + secretName: "" + + ## Required if ingress is enabled + hostname: "" + path: "/" + port: 80 + + +## Pulsar ToolSet +## templates/toolset-deployment.yaml +## +toolset: + component: toolset + useProxy: true + replicaCount: 1 + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 256Mi + cpu: 0.1 + # extraVolumes and extraVolumeMounts allows you to mount other volumes + # Example Use Case: mount ssl certificates + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /certs + # readOnly: true + extraVolumes: [] + extraVolumeMounts: [] + ## Bastion configmap + ## templates/bastion-configmap.yaml + ## + configData: + PULSAR_MEM: > + -Xms64M + -Xmx128M + -XX:MaxDirectMemorySize=128M + +############################################################# +### 
Monitoring Stack : Prometheus / Grafana +############################################################# + +## Monitoring Stack: Prometheus +## templates/prometheus-deployment.yaml +## + +## Deprecated in favor of using `prometheus.rbac.enabled` +prometheus_rbac: false +prometheus: + component: prometheus + rbac: + enabled: true + replicaCount: 1 + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + annotations: {} + tolerations: [] + gracePeriod: 5 + port: 9090 + enableAdminApi: false + resources: + requests: + memory: 256Mi + cpu: 0.1 + volumes: + # use a persistent volume or emptyDir + persistence: true + data: + name: data + size: 10Gi + local_storage: true + ## If you already have an existent storage class and want to reuse it, you can specify its name with the option below + ## + # storageClassName: existent-storage-class + # + ## Instead if you want to create a new storage class define it below + ## If left undefined no storage class will be defined along with PVC + ## + # storageClass: + # type: pd-standard + # fsType: xfs + # provisioner: kubernetes.io/gce-pd + ## Prometheus service + ## templates/prometheus-service.yaml + ## + service: + annotations: {} + +## Monitoring Stack: Grafana +## templates/grafana-deployment.yaml +## +grafana: + component: grafana + replicaCount: 1 + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 250Mi + cpu: 0.1 + ## Grafana service + ## templates/grafana-service.yaml + ## + service: + type: LoadBalancer + port: 3000 + targetPort: 3000 + annotations: {} 
+ plugins: [] + ## Grafana configMap + ## templates/grafana-configmap.yaml + ## + configData: {} + ## Grafana ingress + ## templates/grafana-ingress.yaml + ## + ingress: + enabled: false + annotations: {} + labels: {} + + tls: [] + + ## Optional. Leave it blank if your Ingress Controller can provide a default certificate. + ## - secretName: "" + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + hostname: "" + protocol: http + path: /grafana + port: 80 + admin: + user: pulsar + password: pulsar + +## Components Stack: pulsar_manager +## templates/pulsar-manager.yaml +## +pulsar_manager: + component: pulsar-manager + replicaCount: 1 + # True includes annotation for statefulset that contains hash of corresponding configmap, which will cause pods to restart on configmap change + restartPodsOnConfigMapChange: false + # nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + annotations: {} + tolerations: [] + gracePeriod: 30 + resources: + requests: + memory: 250Mi + cpu: 0.1 + configData: + REDIRECT_HOST: "http://127.0.0.1" + REDIRECT_PORT: "9527" + DRIVER_CLASS_NAME: org.postgresql.Driver + URL: jdbc:postgresql://127.0.0.1:5432/pulsar_manager + LOG_LEVEL: DEBUG + ## If you enabled authentication support + ## JWT_TOKEN: + ## SECRET_KEY: data:base64, + ## Pulsar manager service + ## templates/pulsar-manager-service.yaml + ## + service: + type: LoadBalancer + port: 9527 + targetPort: 9527 + annotations: {} + ## Pulsar manager ingress + ## templates/pulsar-manager-ingress.yaml + ## + ingress: + enabled: false + annotations: {} + tls: + enabled: false + + ## Optional. Leave it blank if your Ingress Controller can provide a default certificate. + secretName: "" + + hostname: "" + path: "/" + + ## If set use existing secret with specified name to set pulsar admin credentials. + existingSecretName: + admin: + user: pulsar + password: pulsar
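Review bot: `pulsar_manager.admin` and `grafana.admin` ship the default credentials `user: pulsar` / `password: pulsar`, and in the same file `pulsar_manager.service.type` and `grafana.service.type` default to `LoadBalancer`, so a plain `helm install` can expose both admin UIs outside the cluster behind a well-known password (`proxy.service.type` is `LoadBalancer` too, with `auth.authentication.enabled: false` and `tls.enabled: false`). Defaulting the two UI services to `type: ClusterIP` and requiring the operator to override the password or set the already-present `pulsar_manager.existingSecretName` would make external exposure an explicit choice; the `admin:` comment should say that the shipped password must be replaced. `pulsar_manager.configData.LOG_LEVEL: DEBUG` and `dashboard.image.tag: latest` are likewise non-production defaults that deserve a note, and the bare `existingSecretName:` renders as `null` rather than an empty string, so `existingSecretName: ""` is the safer spelling. Whether the templates actually consume `existingSecretName` is not visible in this hunk.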