
Add (sealed) secrets support (#14)

* Add (sealed) secrets support
* Update README.md
Damian Fiłonowicz hai 4 anos
pai
achega
3442b8a5db

+ 11 - 10
flink/README.md

@@ -57,20 +57,20 @@ following configurable parameters(other parameters can be found in values.yaml):
 | Parameter                                | Description                                                                                                                                                              | Default                |
 |------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
 | `image.repository`                       | Flink Container image name                                                                                                                                               | `flink`                |
-| `image.tag`                              | Flink Container image tag                                                                                                                                                | `1.10.0-scala_2.12`     |
+| `image.tag`                              | Flink Container image tag                                                                                                                                                | `1.10.0-scala_2.12`    |
 | `image.PullPolicy`                       | Flink Containers pull policy                                                                                                                                             | `IfNotPresent`         |
-| `flink.monitoring.enabled`               | Enable flink monitoring                                                                                                                                                  | `true`                 |
-| `jobmanager.highAvailability.enabled`    | Enabled jobmanager HA mode key                                                                                                                                           | `false`                |
+| `flink.monitoring.enabled`               | Enables Flink monitoring                                                                                                                                                 | `true`                 |
+| `jobmanager.highAvailability.enabled`    | Enables Jobmanager HA mode key                                                                                                                                           | `false`                |
 | `jobmanager.highAvailability.storageDir` | storageDir for Jobmanager in HA mode                                                                                                                                     | `null`                 |
 | `jobmanager.replicaCount`                | Jobmanagers count context                                                                                                                                                | `1`                    |
-| `jobmanager.heapSize`                    | Jobmanager HeapSize options                                                                                                                                             | `1g`                   |
-| `jobmanager.resources`                   | Jobmanager resources                                                                                                                                                     | `{}`                 |
-| `taskmanager.resources`    | Taskmanager Resources key                                                                                                                                           | `{}`                |
-| `taskmanager.heapSize` | Taskmanager heapSize mode                                                                                                                                     | `1g`                 |
+| `jobmanager.heapSize`                    | Jobmanager HeapSize options                                                                                                                                              | `1g`                   |
+| `jobmanager.resources`                   | Jobmanager resources                                                                                                                                                     | `{}`                   |
+| `taskmanager.resources`                  | Taskmanager Resources key                                                                                                                                                | `{}`                   |
+| `taskmanager.heapSize`                   | Taskmanager heapSize mode                                                                                                                                                | `1g`                   |
 | `jobmanager.replicaCount`                | Taskmanager count context                                                                                                                                                | `1`                    |
-| `taskmanager.numberOfTaskSlots`                   | Number of Taskmanager taskSlots resources                                                                                                                                                     | `1`                 |
-| `taskmanager.resources`                   | Taskmanager resources                                                                                                                                                     | `{}`                 |
-| `zookeeper.enabled`                      | If True, installs Zookeeper Chart                                                                                                                                        | `false`                 |
+| `taskmanager.numberOfTaskSlots`          | Number of Taskmanager taskSlots resources                                                                                                                                | `1`                    |
+| `taskmanager.resources`                  | Taskmanager resources                                                                                                                                                    | `{}`                   |
+| `zookeeper.enabled`                      | If True, installs Zookeeper Chart                                                                                                                                        | `false`                |
 | `zookeeper.resources`                    | Zookeeper resource requests and limits                                                                                                                                   | `{}`                   |
 | `zookeeper.env`                          | Environmental variables provided to Zookeeper Zookeeper                                                                                                                  | `{ZK_HEAP_SIZE: "1G"}` |
 | `zookeeper.storage`                      | Zookeeper Persistent volume size                                                                                                                                         | `2Gi`                  |
@@ -79,6 +79,7 @@ following configurable parameters(other parameters can be found in values.yaml):
 | `zookeeper.port`                         | Port of Zookeeper Cluster                                                                                                                                                | `2181`                 |
 | `zookeeper.affinity`                     | Defines affinities and anti-affinities for pods as defined in: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity preferences | `{}`                   |
 | `zookeeper.nodeSelector`                 | Node labels for pod assignment                                                                                                                                           | `{}`                   |
+| `secrets.bitnamiSealedSecrets.enabled`   | Enables creation of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)                                                                                     | `false`                |
 
 ### Install with HA
 

+ 41 - 0
flink/templates/jobmanager.yaml

@@ -76,6 +76,11 @@ spec:
           {{- if .Values.jobmanager.extraEnvs }}
           {{- toYaml .Values.jobmanager.extraEnvs | nindent 12 }}
           {{- end }}
+          envFrom:
+          {{- if and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvs }}
+            - secretRef:
+                name: {{ .Release.Name }}-secretenvs
+          {{- end }}
           ports:
           {{- range $name, $port := .Values.jobmanager.ports }}
             - containerPort: {{ $port }}
@@ -118,10 +123,33 @@ spec:
               mountPath: {{ .Values.flink.workDir }}/conf/masters
               subPath: masters
               {{- end }}
+          {{- range $secret := .Values.secrets.kubernetesSecrets }}
+            {{- if $secret.mountPath }}
+              {{- if $secret.keys }}
+                {{- range $key := $secret.keys }}
+            - name: {{ include "flink.fullname" $ }}-{{ $secret.name }}
+              mountPath: {{ $secret.mountPath }}/{{ $key }}
+              subPath: {{ $key }}
+              readOnly: true
+                {{- end }}
+              {{- else }}
+            - name: {{ include "flink.fullname" $ }}-{{ $secret.name }}
+              mountPath: {{ $secret.mountPath }}
+              readOnly: true
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- if .Values.jobmanager.extraVolumeMounts -}}
+            {{ toYaml .Values.jobmanager.extraVolumeMounts | nindent 12 }}
+          {{- end }}
           {{- if and .Values.jobmanager.persistent.enabled .Values.jobmanager.statefulset }}
             - name: jobmanager-data
               mountPath: {{ .Values.jobmanager.persistent.mountPath }}
           {{- end }}
+          {{- if and (and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles) .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+            - name: sealed-secret-files
+              mountPath: {{ .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+          {{- end }}
           resources:
             {{- toYaml .Values.jobmanager.resources | nindent 12 }}
 
@@ -140,6 +168,19 @@ spec:
               - key: masters
                 path: masters
               {{- end }}
+      {{- range .Values.secrets.kubernetesSecrets }}
+        - name: {{ include "flink.fullname" $ }}-{{ .name }}
+          secret:
+            secretName: {{ .name }}
+      {{- end }}
+      {{- if .Values.jobmanager.extraVolumes -}}
+        {{ toYaml .Values.jobmanager.extraVolumes | nindent 8 }}
+      {{- end }}
+      {{- if and (and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles) .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+        - name: sealed-secret-files
+          secret:
+            secretName: {{ .Release.Name }}-secretfiles
+      {{- end }}
 
       {{- with .Values.jobmanager.nodeSelector }}
       nodeSelector:
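Review bot: The `sealed-secret-files` volumeMount added just before `resources:` in the second hunk has no `readOnly: true`, unlike the `kubernetesSecrets` mounts a few lines above it; add `readOnly: true` under its `mountPath` so the secret mounts stay consistent and the intent is explicit. In the first hunk `envFrom:` is emitted even when the sealed-secret condition is false, leaving a bare `envFrom:` key (a YAML null) in the rendered container spec; moving the key inside the `{{- if ... }}` avoids relying on the API server tolerating it. The same two points apply to flink/templates/taskmanager.yaml, whose hunks mirror these. The container and volumes lists these hunks extend begin outside the shown lines.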

+ 18 - 0
flink/templates/sealedsecretenvs.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvs }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  {{- if .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvsAnnotations }}
+  annotations:
+    {{- range $key, $val := .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvsAnnotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ .Release.Name }}-secretenvs
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  encryptedData:
+    {{- range $key, $val := .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvs }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+{{- end }}
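Review bot: The ciphertext entries under `encryptedData` are rendered as plain scalars, `{{ $key }}: {{ $val }}`, while the annotations a few lines above go through `| quote`; make it `{{ $key }}: {{ $val | quote }}` so a value that happens to look like a number or boolean is not retyped by the YAML parser. flink/templates/sealedsecretfiles.yaml has the same line. It would also help readers to record the binding above `name:` with a template comment such as `{{/* Data sealed with kubeseal's default (strict) scope only decrypts under this exact name and namespace; the namespace-wide annotation from values.yaml relaxes that. */}}`.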

+ 18 - 0
flink/templates/sealedsecretfiles.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  {{- if .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesAnnotations }}
+  annotations:
+    {{- range $key, $val := .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesAnnotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ .Release.Name }}-secretfiles
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  encryptedData:
+    {{- range $key, $val := .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+{{- end }}

+ 41 - 0
flink/templates/taskmanager.yaml

@@ -72,6 +72,11 @@ spec:
           {{- if .Values.jobmanager.extraEnvs }}
           {{- toYaml .Values.taskmanager.extraEnvs | nindent 12 }}
           {{- end }}
+          envFrom:
+          {{- if and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretEnvs }}
+            - secretRef:
+                name: {{ .Release.Name }}-secretenvs
+          {{- end }}
           ports:
           {{- range $name, $port := .Values.taskmanager.ports }}
             - containerPort: {{ $port }}
@@ -93,6 +98,29 @@ spec:
             - name: taskmanager-data
               mountPath: {{ .Values.taskmanager.persistent.mountPath }}
           {{- end }}
+          {{- range $secret := .Values.secrets.kubernetesSecrets }}
+            {{- if $secret.mountPath }}
+              {{- if $secret.keys }}
+                {{- range $key := $secret.keys }}
+            - name: {{ include "flink.fullname" $ }}-{{ $secret.name }}
+              mountPath: {{ $secret.mountPath }}/{{ $key }}
+              subPath: {{ $key }}
+              readOnly: true
+                {{- end }}
+              {{- else }}
+            - name: {{ include "flink.fullname" $ }}-{{ $secret.name }}
+              mountPath: {{ $secret.mountPath }}
+              readOnly: true
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- if .Values.taskmanager.extraVolumeMounts -}}
+            {{ toYaml .Values.taskmanager.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+          {{- if and (and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles) .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+            - name: sealed-secret-files
+              mountPath: {{ .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+          {{- end }}
           resources:
             {{- toYaml .Values.taskmanager.resources | nindent 12 }}
 
@@ -111,6 +139,19 @@ spec:
               - key: masters
                 path: masters
               {{- end }}
+      {{- range .Values.secrets.kubernetesSecrets }}
+        - name: {{ include "flink.fullname" $ }}-{{ .name }}
+          secret:
+            secretName: {{ .name }}
+      {{- end }}
+      {{- if .Values.taskmanager.extraVolumes -}}
+        {{ toYaml .Values.taskmanager.extraVolumes | nindent 8 }}
+      {{- end }}
+      {{- if and (and .Values.secrets.bitnamiSealedSecrets.enabled .Values.secrets.bitnamiSealedSecrets.sealedSecretFiles) .Values.secrets.bitnamiSealedSecrets.sealedSecretFilesPath }}
+        - name: sealed-secret-files
+          secret:
+            secretName: {{ .Release.Name }}-secretfiles
+      {{- end }}
 
       {{- with .Values.taskmanager.nodeSelector }}
       nodeSelector:
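Review bot: The context line directly above the new `envFrom:` block in the first hunk tests `.Values.jobmanager.extraEnvs` but renders `.Values.taskmanager.extraEnvs`, so taskmanager extra env vars only appear when the jobmanager has some; this is pre-existing, but the commit edits the lines right below it and could correct the condition to `{{- if .Values.taskmanager.extraEnvs }}`. The container block this hunk extends begins before the first shown line.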

+ 23 - 0
flink/values.yaml

@@ -287,3 +287,26 @@ zookeeper:
       memory: 1256Mi
   persistence:
     enabled: true
+
+secrets:
+#  Plain predefined secrets example
+#  kubernetesSecrets:
+#    - name: kerberos
+#      mountPath: /kerberos
+  bitnamiSealedSecrets:
+    enabled: false
+    # The encrypted raw file sealed secrets generated for example with
+    # kubeseal --raw --from-file=... --controller-name sealed-secrets --scope namespace-wide
+    sealedSecretFiles: {}
+    # file1: encypted_file1
+    # file2: encypted_file2
+    sealedSecretFilesPath: /etc/sealed
+    sealedSecretFilesAnnotations:
+      sealedsecrets.bitnami.com/namespace-wide: true
+    # The encrypted raw env sealed secrets generated for example with
+    # echo -n password | kubeseal --raw --from-file=/dev/stdin --controller-name sealed-secrets --scope namespace-wide
+    sealedSecretEnvs: {}
+    # env1: encypted_env1
+    # env2: encypted_env2
+    sealedSecretEnvsAnnotations:
+      sealedsecrets.bitnami.com/namespace-wide: true
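Review bot: The commented `kubernetesSecrets` example omits the optional `keys:` list that the jobmanager and taskmanager templates honor (each key is mounted as `mountPath/<key>` via `subPath`), so users copying the example will not discover it; extend it with `#      keys: [<key-in-secret>]`. Both `sealedsecrets.bitnami.com/namespace-wide` annotations default to `true`, which matches the `--scope namespace-wide` kubeseal examples but means the ciphertext is accepted under any SealedSecret name in the namespace; a comment noting that omitting the annotation and sealing with kubeseal's default strict scope binds the data to `<release>-secretfiles` / `<release>-secretenvs` would let operators choose deliberately. The `true` here is a YAML boolean that only becomes an annotation-legal string because the templates apply `| quote`; writing `"true"` in values is more self-describing. `encypted` in the commented placeholders should read `encrypted`.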