diff --git a/helm-charts/doris/Chart.yaml b/helm-charts/doris/Chart.yaml index 3a9baa55..a15eeb32 100644 --- a/helm-charts/doris/Chart.yaml +++ b/helm-charts/doris/Chart.yaml @@ -38,7 +38,7 @@ maintainers: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.6.1 +version: 1.6.2-rc.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm-charts/doris/templates/_helpers.tpl b/helm-charts/doris/templates/_helpers.tpl index fc2e04d8..314b1b58 100644 --- a/helm-charts/doris/templates/_helpers.tpl +++ b/helm-charts/doris/templates/_helpers.tpl 
@@ -264,4 +264,92 @@ doris cluster broker PVC - configMapName: {{ .configMapName }} mountPath: {{ .mountPath }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{/* Determine if cloud_sql is present */}} +{{- define "auth_proxy.has_cloud_sql" -}} +{{- $has_cloud_sql := false -}} +{{- range .Values.datasources -}} + {{- if and .auth_proxy (eq .auth_proxy "cloud_sql") -}} + {{- $has_cloud_sql = true -}} + {{- end -}} +{{- end -}} +{{- $has_cloud_sql -}} +{{- end -}} + +{{/* Determine if alloydb is present */}} +{{- define "auth_proxy.has_alloydb" -}} +{{- $has_alloydb := false -}} +{{- range .Values.datasources -}} + {{- if and .auth_proxy (eq .auth_proxy "alloydb") -}} + {{- $has_alloydb = true -}} + {{- end -}} +{{- end -}} +{{- $has_alloydb -}} +{{- end -}} + +{{/* cloud-sql-auth-proxy configuration */}} +{{- define "auth_proxy.cloud_sql" -}} +- name: cloud-sql-auth-proxy + image: asia.gcr.io/cloud-sql-connectors/cloud-sql-proxy:2 + args: + {{- if eq .Values.authProxy.publicDB false }} + - --private-ip + {{- end }} + {{- if eq .Values.authProxy.autoIAMAuthn true }} + - --auto-iam-authn + {{- end }} + {{- range $index, $element := .Values.datasources }} + {{- if and .auth_proxy (eq .auth_proxy "cloud_sql") }} + - {{ .instance_uri -}}?port={{- 10000 | add $index | add1 }} + {{- end }} + {{- end }} + restartPolicy: Always + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + {{ if .Values.authProxy.resources }} + resources: + {{- toYaml .Values.authProxy.resources | nindent 4 }} + {{- end }} +{{- end -}} + +{{/* alloydb-auth-proxy configuration */}} +{{- define "auth_proxy.alloydb" -}} +- name: alloydb-auth-proxy + image: asia.gcr.io/alloydb-connectors/alloydb-auth-proxy:1 + args: + {{- if eq .Values.authProxy.publicDB true }} + - --public-ip + {{- end }} + {{- if eq .Values.authProxy.autoIAMAuthn true }} + - 
--auto-iam-authn + {{- end }} + {{- range $index, $element := .Values.datasources }} + {{- if and .auth_proxy (eq .auth_proxy "alloydb") }} + - {{ .instance_uri -}}?port={{- 10000 | add $index | add1 }} + {{- end }} + {{- end }} + restartPolicy: Always + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + {{ if .Values.authProxy.resources }} + resources: + {{- toYaml .Values.authProxy.resources | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/helm-charts/doris/templates/doriscluster.yaml b/helm-charts/doris/templates/doriscluster.yaml index bf3842a3..1ee7c956 100644 --- a/helm-charts/doris/templates/doriscluster.yaml +++ b/helm-charts/doris/templates/doriscluster.yaml @@ -46,11 +46,18 @@ spec: podLabels: {{- toYaml .Values.feSpec.labels | nindent 6 }} {{- end }} + {{- if .Values.feSpec.annotations }} + annotations: + {{- toYaml .Values.feSpec.annotations | nindent 6 }} + {{- end }} image: {{ .Values.feSpec.image.repository }}:{{ .Values.feSpec.image.tag }} {{- if .Values.feSpec.image.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.feSpec.image.imagePullSecrets | nindent 4 }} {{- end }} + {{- if .Values.feSpec.serviceAccount }} + serviceAccount: {{ .Values.feSpec.serviceAccount }} + {{- end }} {{- if .Values.feSpec.service }} service: 
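Review bot: Both new sidecar defines hard-code the image (`asia.gcr.io/cloud-sql-connectors/cloud-sql-proxy:2` and `asia.gcr.io/alloydb-connectors/alloydb-auth-proxy:1`) with a floating major tag on a region-specific registry, so the container that holds the database path and the IAM identity cannot be pinned to a digest or pointed at a mirror without editing the chart. I would read it from values, e.g. `image: {{ .Values.authProxy.cloudSql.image | default "asia.gcr.io/cloud-sql-connectors/cloud-sql-proxy:2" }}` (same for alloydb), and say in values.yaml that a digest reference is preferred. `{{ if .Values.authProxy.resources }}` is the one non-trimming action in each define and leaves a whitespace-only line in the rendered manifest; `{{- if .Values.authProxy.resources }}` matches its neighbours. `restartPolicy: Always` on an init container depends on the native-sidecar support that the values.yaml example in this commit also assumes, so a one-line comment above each define stating the minimum cluster version the chart expects would help, since older clusters may reject the field. The `securityContext` (non-root, all capabilities dropped, RuntimeDefault seccomp) is the right baseline for a credential-bearing sidecar.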
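Review bot: `serviceAccount: {{ .Values.feSpec.serviceAccount }}` is emitted as a plain scalar, so a value that looks like a number or boolean is retyped by the YAML parser; `serviceAccount: {{ .Values.feSpec.serviceAccount | quote }}` keeps it a string. The same pattern is repeated for beSpec in hunk @@ -122, cnSpec in @@ -212 and brokerSpec in @@ -306. I cannot confirm from this diff whether the DorisCluster CRD field is `serviceAccount` or `serviceAccountName`; it is worth checking against the operator's CRD, because a misspelled field may be pruned silently rather than rejected. The enclosing `feSpec` mapping continues outside the hunk.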
@@ -122,17 +129,33 @@ spec: command: {{ .Values.feSpec.systemInitialization.command }} {{- end }} {{- end }} + {{- if or (eq (include "auth_proxy.has_cloud_sql" .) "true") (eq (include "auth_proxy.has_alloydb" .) "true") }} + initContainers: + {{- if eq (include "auth_proxy.has_cloud_sql" .) "true" }} + {{- include "auth_proxy.cloud_sql" . | nindent 6 }} + {{- end }} + {{- if eq (include "auth_proxy.has_alloydb" .) "true" }} + {{- include "auth_proxy.alloydb" . | nindent 6 }} + {{- end }} + {{- end }} beSpec: replicas: {{ .Values.beSpec.replicas }} {{- if .Values.beSpec.labels }} podLabels: {{- toYaml .Values.beSpec.labels | nindent 6 }} {{- end }} + {{- if .Values.beSpec.annotations }} + annotations: + {{- toYaml .Values.beSpec.annotations | nindent 6 }} + {{- end }} image: {{ .Values.beSpec.image.repository }}:{{ .Values.beSpec.image.tag }} {{- if .Values.beSpec.image.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.beSpec.image.imagePullSecrets | nindent 4 }} {{- end }} + {{- if .Values.beSpec.serviceAccount }} + serviceAccount: {{ .Values.beSpec.serviceAccount }} + {{- end }} {{- if .Values.beSpec.service }} service: @@ -204,6 +227,15 @@ spec: command: {{ .Values.beSpec.systemInitialization.command }} {{- end }} {{- end }} + {{- if or (eq (include "auth_proxy.has_cloud_sql" .) "true") (eq (include "auth_proxy.has_alloydb" .) "true") }} + initContainers: + {{- if eq (include "auth_proxy.has_cloud_sql" .) "true" }} + {{- include "auth_proxy.cloud_sql" . | nindent 6 }} + {{- end }} + {{- if eq (include "auth_proxy.has_alloydb" .) "true" }} + {{- include "auth_proxy.alloydb" . | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.dorisCluster.enabledCn }} cnSpec: replicas: {{ .Values.cnSpec.replicas }} 
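Review bot: The `initContainers:` list in the new feSpec block (and the identical blocks for beSpec in hunk @@ -204 and cnSpec in @@ -288) is built only from the auth-proxy helpers, so the `feSpec.initContainers: []`, `beSpec.initContainers`, `cnSpec.initContainers` and `brokerSpec.initContainers` keys that values.yaml introduces in this same commit are, as far as the hunks visible to me show, never rendered; a user who sets them gets no container and no error. The two `include "auth_proxy.has_*"` calls are also each evaluated twice per spec, and a user-supplied list has to be merged into the same `initContainers:` key rather than emitted as a second one, which parsers would treat as a duplicate key. I would compute the flags once and append the user list as below; the enclosing `feSpec` mapping starts outside the hunk.

```yaml
    # … unchanged: systemInitialization block …
    {{- $hasCloudSql := eq (include "auth_proxy.has_cloud_sql" .) "true" }}
    {{- $hasAlloyDb := eq (include "auth_proxy.has_alloydb" .) "true" }}
    {{- if or $hasCloudSql $hasAlloyDb .Values.feSpec.initContainers }}
    initContainers:
      {{- if $hasCloudSql }}
      {{- include "auth_proxy.cloud_sql" . | nindent 6 }}
      {{- end }}
      {{- if $hasAlloyDb }}
      {{- include "auth_proxy.alloydb" . | nindent 6 }}
      {{- end }}
      {{- with .Values.feSpec.initContainers }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    {{- end }}
```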
@@ -212,11 +244,18 @@ spec: podLabels: {{- toYaml .Values.cnSpec.labels | nindent 6 }} {{- end }} + {{- if .Values.cnSpec.annotations }} + annotations: + {{- toYaml .Values.cnSpec.annotations | nindent 6 }} + {{- end }} image: {{ .Values.cnSpec.image.repository }}:{{ .Values.cnSpec.image.tag }} {{- if .Values.cnSpec.image.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.cnSpec.image.imagePullSecrets | nindent 4 }} {{- end }} + {{- if .Values.cnSpec.serviceAccount }} + serviceAccount: {{ .Values.cnSpec.serviceAccount }} + {{- end }} {{- if .Values.cnSpec.service }} service: @@ -288,6 +327,15 @@ spec: command: {{ .Values.cnSpec.systemInitialization.command }} {{- end }} {{- end }} + {{- if or (eq (include "auth_proxy.has_cloud_sql" .) "true") (eq (include "auth_proxy.has_alloydb" .) "true") }} + initContainers: + {{- if eq (include "auth_proxy.has_cloud_sql" .) "true" }} + {{- include "auth_proxy.cloud_sql" . | nindent 6 }} + {{- end }} + {{- if eq (include "auth_proxy.has_alloydb" .) "true" }} + {{- include "auth_proxy.alloydb" . | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.cnSpec.autoScalingPolicy.enable }} autoScalingPolicy: version: {{default ( include "doriscluster.default.autoScalerVersion" . ) .Values.cnSpec.autoScalingPolicy.version }} @@ -306,11 +354,18 @@ spec: podLabels: {{- toYaml .Values.brokerSpec.labels | nindent 6 }} {{- end }} + {{- if .Values.brokerSpec.annotations }} + annotations: + {{- toYaml .Values.brokerSpec.annotations | nindent 6 }} + {{- end }} image: {{ .Values.brokerSpec.image.repository }}:{{ .Values.brokerSpec.image.tag }} {{- if .Values.brokerSpec.image.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.brokerSpec.image.imagePullSecrets | nindent 4 }} {{- end }} + {{- if .Values.brokerSpec.serviceAccount }} + serviceAccount: {{ .Values.brokerSpec.serviceAccount }} + {{- end }} {{- if .Values.brokerSpec.configMap }} configMapInfo: 
diff --git a/helm-charts/doris/templates/dorismanager.yaml b/helm-charts/doris/templates/dorismanager.yaml
new file mode 100644
index 00000000..4e97ea8a
--- /dev/null
+++ b/helm-charts/doris/templates/dorismanager.yaml
@@ -0,0 +1,34 @@
+{{- if and .Values.dorisManager.enabled .Values.dorisCluster.authSecret }}
+apiVersion: mysql.nakamasato.com/v1alpha1
+kind: MySQL
+metadata:
+ name: {{ template "doriscluster.name" . }}
+ namespace: {{ template "doriscluster.namespace" . }}
+spec:
+ host: {{ template "doriscluster.name" . }}-fe-service
+ port: {{ .Values.dorisManager.port }}
+ adminUser:
+ name: {{ template "doriscluster.name" . }}-admin-user
+ type: k8s
+ adminPassword:
+ name: {{ template "doriscluster.name" . }}-admin-password
+ type: k8s
+{{- range .Values.dorisManager.users }}
+---
+apiVersion: mysql.nakamasato.com/v1alpha1
+kind: MySQLUser
+metadata:
+ name: {{ .username | replace "_" "-" }}
+ namespace: {{ template "doriscluster.namespace" $ }}
+spec:
+ clusterName: {{ template "doriscluster.name" $ }}
+ username: {{ .username }}
+ secretRef:
+ name: {{ template "doriscluster.name" $ }}-user-credentials
+ key: {{ .username }}
+ {{- if .grants }}
+ grants:
+ {{- toYaml .grants | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm-charts/doris/templates/secret.yaml b/helm-charts/doris/templates/secret.yaml
index baa4e18e..c0e8a97c 100644
--- a/helm-charts/doris/templates/secret.yaml
+++ b/helm-charts/doris/templates/secret.yaml
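Review bot: `name: {{ .username | replace "_" "-" }}` only fixes underscores, so a username containing uppercase letters, dots or other characters still yields an invalid Kubernetes object name, and the name carries no release prefix, so two releases in one namespace that define the same username produce colliding MySQLUser objects. `name: {{ template "doriscluster.name" $ }}-{{ .username | replace "_" "-" | lower }}` addresses both. `username: {{ .username }}` and `key: {{ .username }}` should also go through `| quote`, so a numeric or boolean-looking username keeps its string type and matches the quoted form the secret template uses for the same value as a Secret key. Whether the `mysql.nakamasato.com` controller expects the admin credential Secrets to use the key `key` for `type: k8s` references is not verifiable from this diff and is worth confirming against that CRD.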
@@ -25,7 +25,78 @@ metadata: app.kubernetes.io/name: doriscluster app.kubernetes.io/instance: {{ template "doriscluster.name" . }} app.kubernetes.io/part-of: {{ template "kube-control.name" . }} -type: kubernetes.io/basic-auth -data: - {{- toYaml .Values.dorisCluster.authSecret | nindent 2}} -{{- end }} \ No newline at end of file + {{- if .Values.secretLabels }} + {{- toYaml .Values.secretLabels | nindent 4}} + {{- end }} + annotations: + {{- if .Values.secretAnnotations }} + {{- toYaml .Values.secretAnnotations | nindent 4}} + {{- end }} +type: Opaque +stringData: + {{- toYaml .Values.dorisCluster.authSecret | nindent 2 }} +{{- end }} + +{{- if and .Values.dorisManager.enabled .Values.dorisCluster.authSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "doriscluster.name" . }}-admin-user + namespace: {{ template "doriscluster.namespace" . }} + labels: + app.kubernetes.io/name: doriscluster + app.kubernetes.io/instance: {{ template "doriscluster.name" . }} + app.kubernetes.io/part-of: {{ template "kube-control.name" . }} + {{- if .Values.secretLabels }} + {{- toYaml .Values.secretLabels | nindent 4}} + {{- end }} + {{- if .Values.secretAnnotations }} + annotations: {{- toYaml .Values.secretAnnotations | nindent 4}} + {{- end }} +type: Opaque +stringData: + key: {{ .Values.dorisCluster.authSecret.username | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "doriscluster.name" . }}-admin-password + namespace: {{ template "doriscluster.namespace" . }} + labels: + app.kubernetes.io/name: doriscluster + app.kubernetes.io/instance: {{ template "doriscluster.name" . }} + app.kubernetes.io/part-of: {{ template "kube-control.name" . 
}} + {{- if .Values.secretLabels }} + {{- toYaml .Values.secretLabels | nindent 4}} + {{- end }} + {{- if .Values.secretAnnotations }} + annotations: {{- toYaml .Values.secretAnnotations | nindent 4}} + {{- end }} +type: Opaque +stringData: + key: {{ .Values.dorisCluster.authSecret.password | quote }} +{{- if .Values.dorisManager.users }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "doriscluster.name" . }}-user-credentials + namespace: {{ template "doriscluster.namespace" . }} + labels: + app.kubernetes.io/name: doriscluster + app.kubernetes.io/instance: {{ template "doriscluster.name" . }} + app.kubernetes.io/part-of: {{ template "kube-control.name" . }} + {{- if .Values.secretLabels }} + {{- toYaml .Values.secretLabels | nindent 4}} + {{- end }} + {{- if .Values.secretAnnotations }} + annotations: {{- toYaml .Values.secretAnnotations | nindent 4}} + {{- end }} +type: Opaque +stringData: + {{- range .Values.dorisManager.users }} + {{ .username | quote }}: {{ .password | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm-charts/doris/values.yaml b/helm-charts/doris/values.yaml index 07f97ab2..cc02f2ab 100644 --- a/helm-charts/doris/values.yaml +++ b/helm-charts/doris/values.yaml 
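Review bot: Switching the auth Secret from `data:` to `stringData:` (the values.yaml comment in hunk @@ -31 now shows plain `root` / `t0p-Secret`) means a values file carried over from a previous release that still holds the base64 strings the old comment asked for will be stored with the base64 text as the literal username and password; nothing in the diff detects that, so an upgrade silently changes the credentials the operator uses. That deserves an upgrade note in the chart and, as a breaking values change, more than the patch-level bump to `1.6.2-rc.1` under semver. In the first Secret `annotations:` is emitted unconditionally and therefore renders as a null value whenever `secretAnnotations` is empty, whereas the three new Secrets wrap the key in `{{- if .Values.secretAnnotations }}`; the first Secret should use the same guard. The `type: Opaque` change also drops the `kubernetes.io/basic-auth` type that external tooling may select on, which belongs in the same upgrade note.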
@@ -15,6 +15,45 @@ # specific language governing permissions and limitations # under the License. +# Auth Proxy for JDBC Catalog +authProxy: + publicDB: false + autoIAMAuthn: false + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 10m + memory: 32Mi +# Datasource for JDBC Catalog +datasources: [] +# datasources: +# - name: cake-mysql-stage +# auth_proxy: cloud_sql +# instance_uri: bef-cake-sandbox:asia-southeast1:cake-mysql8-stage +# - name: cake-alloydb-stage +# auth_proxy: alloydb +# instance_uri: projects/bef-cake-sandbox/locations/asia-southeast1/clusters/cake-alloydb-stage-cluster/instances/cake-alloydb-stage + +# Doris Manager for the cluster +dorisManager: + enabled: false + port: 9030 + users: [] + # users: + # - username: test_user + # password: test_password + # grants: + # - privileges: + # [SELECT_PRIV, LOAD_PRIV, ALTER_PRIV, CREATE_PRIV, DROP_PRIV] + # target: internal.*.* + # - privileges: [USAGE_PRIV] + # target: WORKLOAD GROUP 'normal' + +secretLabels: {} +secretAnnotations: {} + # deploy a doris cluster dorisCluster: # the name of doriscluster, if not set, the chart name will be used. @@ -31,17 +70,15 @@ dorisCluster: # 1. Start dorisclusert without adminUser # 2. Run 'CREATE USER ...' or 'SET PASSWORD ...' in mysql client # 3. Add the name and password added in the previous step to adminUser and execute helm + # !DEPRECATED. Use authSecret instead adminUser: {} # name: root # password: "12345" # use authSecret can encrypt and save passwords, recommend this method - # 1. run shell: echo -n '{your_password}' | base64 to get password base64 string - # 2. run shell: echo -n '{your_user}' | base64 to get user base64 string - # 3. Fill the encrypted string into the corresponding position - # as follow, username is 'root' , password is 't0p-Secret' + # !This must be set for Doris Manager to work authSecret: {} - # username: cm9vdA== - # password: dDBwLVNlY3JldA== + # username: root + # password: t0p-Secret feSpec: replicas: 3 
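Review bot: The `dorisManager.users[].password` example documents a plaintext password in values.yaml without saying where it ends up; the commented example should state that each entry is rendered into the `<doriscluster.name>-user-credentials` Secret and that the value should come from a private values file or `--set` rather than a committed one, e.g. `# password: test_password  # rendered into the *-user-credentials Secret; supply from a values file kept out of VCS`. The `grants` example mixes a multi-line flow list with block style while the rest of this file uses block style; block style reads better there. `datasources[].instance_uri` is interpolated unquoted into a proxy argument with `?port=` appended in `_helpers.tpl`, so a comment here that it must not contain whitespace or a query string would save a confusing render failure.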
@@ -50,6 +87,8 @@ feSpec: # the pod labels for user select or classify pods. labels: {} # selectdb.app.classify: "classify-1" + annotations: + selectdb.com.doris/runmode: production image: repository: selectdb/doris.fe-ubuntu tag: 2.0.3 @@ -208,12 +247,17 @@ feSpec: systemInitialization: {} # initImage: "selectdb/alpine:latest" # command: [ "/sbin/sysctl", "-w", "vm.max_map_count=2000000" ] + initContainers: [] + # - name: native-sidecar + # image: alpine:latest + # restartPolicy: Always beSpec: replicas: 3 # the pod labels for user select or classify pods. labels: {} # selectdb.app.classify: "classify-1" + annotations: {} image: repository: selectdb/doris.be-ubuntu tag: 2.0.3 @@ -373,12 +417,17 @@ beSpec: systemInitialization: {} # initImage: "selectdb/alpine:latest" # command: [ "/sbin/sysctl", "-w", "vm.max_map_count=2000000" ] + initContainers: [] + # - name: native-sidecar + # image: alpine:latest + # restartPolicy: Always cnSpec: replicas: 3 # the pod labels for user select or classify pods. labels: {} # selectdb.app.classify: "classify-1" + annotations: {} image: repository: selectdb/doris.be-ubuntu tag: 2.0.3 @@ -539,6 +588,10 @@ cnSpec: systemInitialization: {} # initImage: "selectdb/alpine:latest" # command: [ "/sbin/sysctl", "-w", "vm.max_map_count=2000000" ] + initContainers: [] + # - name: native-sidecar + # image: alpine:latest + # restartPolicy: Always # specific cn auto scale policy autoScalingPolicy: enable: true @@ -560,6 +613,7 @@ brokerSpec: # the pod labels for user select or classify pods. labels: {} # selectdb.app.classify: "classify-1" + annotations: {} image: repository: selectdb/doris.broker-ubuntu tag: 2.0.3 @@ -693,5 +747,7 @@ brokerSpec: systemInitialization: {} # initImage: "selectdb/alpine:latest" # command: [ "/sbin/sysctl", "-w", "vm.max_map_count=2000000" ] - - + initContainers: [] + # - name: native-sidecar + # image: alpine:latest + # restartPolicy: Always
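Review bot: `feSpec.annotations` now defaults to `selectdb.com.doris/runmode: production`, while the `annotations` keys added for beSpec, cnSpec and brokerSpec in hunks @@ -208, @@ -373 and @@ -560 default to `{}`, so every FE pod carries a production marker unless the user overrides it, and nothing here says which component reads that annotation. If the default is intentional, a comment naming the consumer belongs above it; otherwise `annotations: {}` with the runmode pair as a commented example would match the other specs. Either way, a one-line comment on the annotation's purpose helps anyone auditing what the chart stamps on pods.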