[FLINK-37911][Helm] Reorganize Helm chart templates
diff --git a/helm/flink-kubernetes-operator/templates/_helpers.tpl b/helm/flink-kubernetes-operator/templates/_helpers.tpl
index 3456ab4..f4673d1 100644
--- a/helm/flink-kubernetes-operator/templates/_helpers.tpl
+++ b/helm/flink-kubernetes-operator/templates/_helpers.tpl
@@ -1,20 +1,20 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
{{/*
Expand the name of the chart.
@@ -77,121 +77,3 @@
{{- .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
{{- end }}
{{- end }}
-
-{{/*
-Create the name of the operator role to use
-*/}}
-{{- define "flink-operator.roleName" -}}
-{{- if .Values.rbac.operatorRole.create }}
-{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }}
-{{- else }}
-{{- default "default" .Values.rbac.operatorRole.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the operator role binding to use
-*/}}
-{{- define "flink-operator.roleBindingName" -}}
-{{- if .Values.rbac.operatorRoleBinding.create }}
-{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRoleBinding.name }}
-{{- else }}
-{{- default "default" .Values.rbac.operatorRoleBinding.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the job role to use
-*/}}
-{{- define "flink-operator.jobRoleName" -}}
-{{- if .Values.rbac.jobRoleBinding.create }}
-{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }}
-{{- else }}
-{{- default "default" .Values.rbac.jobRole.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the job role to use
-*/}}
-{{- define "flink-operator.jobRoleBindingName" -}}
-{{- if .Values.rbac.jobRole.create }}
-{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }}
-{{- else }}
-{{- default "default" .Values.rbac.jobRoleBinding.name }}
-{{- end }}
-{{- end }}
-
-
-{{/*
-Create the name of the operator service account to use
-*/}}
-{{- define "flink-operator.serviceAccountName" -}}
-{{- if .Values.operatorServiceAccount.create }}
-{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }}
-{{- else }}
-{{- default "default" .Values.operatorServiceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the job service account to use
-*/}}
-{{- define "flink-operator.jobServiceAccountName" -}}
-{{- if .Values.jobServiceAccount.create }}
-{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }}
-{{- else }}
-{{- default "default" .Values.jobServiceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Determine role scope based on name
-*/}}
-{{- define "flink-operator.roleScope" -}}
-{{- if contains ":" .role }}
-{{- printf "ClusterRole" }}
-{{- else }}
-{{- printf "Role" }}
-{{- end }}
-{{- end }}
-
-{{- define "flink-operator.validating-webhook-enabled" -}}
-{{- if hasKey .Values.webhook "validator" }}
-{{- if .Values.webhook.validator.create }}
-{{- printf "true" }}
-{{- else }}
-{{- printf "false" }}
-{{- end }}
-{{- else }}
-{{- if or (.Values.webhook.create) }}
-{{- printf "true" }}
-{{- else }}
-{{- printf "false" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "flink-operator.mutating-webhook-enabled" -}}
-{{- if hasKey .Values.webhook "mutator" }}
-{{- if .Values.webhook.mutator.create }}
-{{- printf "true" }}
-{{- else }}
-{{- printf "false" }}
-{{- end }}
-{{- else }}
-{{- if or (.Values.webhook.create) }}
-{{- printf "true" }}
-{{- else }}
-{{- printf "false" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "flink-operator.webhook-enabled" -}}
-{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }}
-{{- printf "true" }}
-{{- else }}
-{{- printf "false" }}
-{{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
new file mode 100644
index 0000000..a6acc43
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: flink-operator-serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc
+ - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ keystores:
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ {{- if .Values.webhook.keystore.useDefaultPassword }}
+ name: flink-operator-webhook-secret
+ key: password
+ {{- else }}
+ {{- with .Values.webhook.keystore.passwordSecretRef }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ kind: Issuer
+ name: flink-operator-selfsigned-issuer
+ commonName: FlinkDeployment Validator
+ secretName: webhook-server-cert
+{{- end }}
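Review bot: In the `else` branch under `passwordSecretRef:`, the `with .Values.webhook.keystore.passwordSecretRef` block renders nothing when that value is unset. The Certificate is then emitted with an empty `passwordSecretRef` whenever `useDefaultPassword` is false and no reference is supplied. Failing at render time is safer than shipping a keystore spec with no password reference: `{{- toYaml (required "webhook.keystore.passwordSecretRef must be set when useDefaultPassword is false" .Values.webhook.keystore.passwordSecretRef) | nindent 8 }}`. The guard `flink-operator.webhook-enabled` is removed from templates/_helpers.tpl earlier in this commit and its new location is not visible in this part of the diff, so confirm it is still defined.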
diff --git a/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml b/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml
new file mode 100644
index 0000000..d2d9ecd
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/cert-manager/issuer.yaml
@@ -0,0 +1,27 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: flink-operator-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
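Review bot: The Issuer's `metadata` carries no labels, unlike the ConfigMap, Role, RoleBinding and ServiceAccount templates in this commit, which all include `flink-operator.labels`. The Certificate in cert-manager/certificate.yaml has the same gap. Adding `labels:` followed by `{{- include "flink-operator.labels" . | nindent 4 }}` under `metadata` keeps the chart-owned cert-manager resources selectable for inventory and cleanup.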
diff --git a/helm/flink-kubernetes-operator/templates/controller/configmap.yaml b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
new file mode 100644
index 0000000..d869548
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/controller/configmap.yaml
@@ -0,0 +1,68 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.defaultConfiguration.create }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: flink-operator-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+data:
+ config.yaml: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if hasKey (.Values.defaultConfiguration) "config.yaml" }}
+ {{- index (.Values.defaultConfiguration) "config.yaml" | nindent 4 -}}
+{{- end }}
+{{- if .Values.watchNamespaces }}
+ kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
+{{- end }}
+{{- if index .Values "operatorHealth" }}
+ kubernetes.operator.health.probe.enabled: true
+ kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
+{{- end }}
+ flink-conf.yaml: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if hasKey (.Values.defaultConfiguration) "flink-conf.yaml" }}
+ {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}}
+{{- end }}
+{{- if .Values.watchNamespaces }}
+ kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
+{{- end }}
+{{- if index .Values "operatorHealth" }}
+ kubernetes.operator.health.probe.enabled: true
+ kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
+{{- end }}
+ log4j-operator.properties: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}}
+{{- end }}
+{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }}
+ {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}}
+{{- end }}
+ log4j-console.properties: |+
+{{- if .Values.defaultConfiguration.append }}
+ {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}}
+{{- end }}
+{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }}
+ {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}}
+{{- end }}
+{{- end }}
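Review bot: The `config.yaml` entry appends `$.Files.Get "conf/flink-conf.yaml"`, the same file used for the `flink-conf.yaml` entry, and nothing in the template says whether that is intended. If both keys are meant to carry the same defaults, say so in a template comment just above the `{{- if .Values.defaultConfiguration.create }}` guard, for example `{{- /* config.yaml and flink-conf.yaml intentionally share the defaults in conf/flink-conf.yaml */ -}}`. If not, the path looks like a copy-paste slip. The block is moved unchanged from flink-operator.yaml, so this is carried over rather than introduced here.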
diff --git a/helm/flink-kubernetes-operator/templates/flink-operator.yaml b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml
similarity index 75%
rename from helm/flink-kubernetes-operator/templates/flink-operator.yaml
rename to helm/flink-kubernetes-operator/templates/controller/deployment.yaml
index 4fa0c66..85e6a46 100644
--- a/helm/flink-kubernetes-operator/templates/flink-operator.yaml
+++ b/helm/flink-kubernetes-operator/templates/controller/deployment.yaml
@@ -1,21 +1,19 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
----
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -273,56 +271,3 @@
secretName: {{ .Values.tls.secretName }}
optional: true
{{- end }}
----
-{{- if .Values.defaultConfiguration.create }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: flink-operator-config
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
-data:
- config.yaml: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if hasKey (.Values.defaultConfiguration) "config.yaml" }}
- {{- index (.Values.defaultConfiguration) "config.yaml" | nindent 4 -}}
-{{- end }}
-{{- if .Values.watchNamespaces }}
- kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
-{{- end }}
-{{- if index .Values "operatorHealth" }}
- kubernetes.operator.health.probe.enabled: true
- kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
-{{- end }}
- flink-conf.yaml: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if hasKey (.Values.defaultConfiguration) "flink-conf.yaml" }}
- {{- index (.Values.defaultConfiguration) "flink-conf.yaml" | nindent 4 -}}
-{{- end }}
-{{- if .Values.watchNamespaces }}
- kubernetes.operator.watched.namespaces: {{ join "," .Values.watchNamespaces }}
-{{- end }}
-{{- if index .Values "operatorHealth" }}
- kubernetes.operator.health.probe.enabled: true
- kubernetes.operator.health.probe.port: {{ .Values.operatorHealth.port }}
-{{- end }}
- log4j-operator.properties: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/log4j-operator.properties" | nindent 4 -}}
-{{- end }}
-{{- if index (.Values.defaultConfiguration) "log4j-operator.properties" }}
- {{- index (.Values.defaultConfiguration) "log4j-operator.properties" | nindent 4 -}}
-{{- end }}
- log4j-console.properties: |+
-{{- if .Values.defaultConfiguration.append }}
- {{- $.Files.Get "conf/log4j-console.properties" | nindent 4 -}}
-{{- end }}
-{{- if index (.Values.defaultConfiguration) "log4j-console.properties" }}
- {{- index (.Values.defaultConfiguration) "log4j-console.properties" | nindent 4 -}}
-{{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl
new file mode 100644
index 0000000..386d26d
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/_helpers.tpl
@@ -0,0 +1,50 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{/*
+Create the name of the job service account to use
+*/}}
+{{- define "flink-operator.jobServiceAccountName" -}}
+{{- if .Values.jobServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.jobServiceAccount.name }}
+{{- else }}
+{{- default "default" .Values.jobServiceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the job role to use
+*/}}
+{{- define "flink-operator.jobRoleName" -}}
+{{- if .Values.rbac.jobRoleBinding.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRole.name }}
+{{- else }}
+{{- default "default" .Values.rbac.jobRole.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the job role to use
+*/}}
+{{- define "flink-operator.jobRoleBindingName" -}}
+{{- if .Values.rbac.jobRole.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.jobRoleBinding.name }}
+{{- else }}
+{{- default "default" .Values.rbac.jobRoleBinding.name }}
+{{- end }}
+{{- end }}
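Review bot: The two create-flags look crossed: `flink-operator.jobRoleName` branches on `.Values.rbac.jobRoleBinding.create`, while `flink-operator.jobRoleBindingName` branches on `.Values.rbac.jobRole.create`. With `jobRole.create` true, `jobRoleBinding.create` false and no explicit name, flink/role.yaml would therefore create a Role named `default` rather than the chart's fullname. The expected conditions are `{{- if .Values.rbac.jobRole.create }}` in the first helper and `{{- if .Values.rbac.jobRoleBinding.create }}` in the second, and the second helper's comment should read `Create the name of the job role binding to use`. The definitions removed from templates/_helpers.tpl had the same conditions, so confirm that existing releases do not depend on the current names before changing them.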
diff --git a/helm/flink-kubernetes-operator/templates/flink/role.yaml b/helm/flink-kubernetes-operator/templates/flink/role.yaml
new file mode 100644
index 0000000..acdfd88
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/role.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.jobRole.create }}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+{{- end }}
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+{{- template "flink-operator.jobRbacRules" $ }}
+{{- end }}
+{{- end }}
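Review bot: Both Role variants carry `"helm.sh/resource-policy": keep` with no explanation, so a reader cannot tell that these grants outlive `helm uninstall` in every watched namespace. A short template comment at the top of the file would make that explicit, for example `{{- /* Job Roles are kept on uninstall; remove them manually when decommissioning a namespace. */ -}}`, together with the reason for keeping them, which I cannot determine from this diff. The same applies to flink/role_binding.yaml. `flink-operator.jobRbacRules` is deleted with rbac.yaml in this commit and its new definition is not visible in this part of the diff, so confirm that it still exists.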
diff --git a/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml
new file mode 100644
index 0000000..56f8427
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/role_binding.yaml
@@ -0,0 +1,60 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.jobRoleBinding.create }}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.jobRoleBindingName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ . }}
+{{- end }}
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.jobRoleBindingName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+roleRef:
+ kind: Role
+ name: {{ include "flink-operator.jobRoleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.jobServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
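Review bot: `roleRef.kind` is derived from the role name through `flink-operator.roleScope` in the `watchNamespaces` branch but hard-coded to `Role` in the `else` branch. A job role name containing `:` therefore binds to a ClusterRole in one mode and to a namespaced Role in the other. If the name-based scope is intended, both branches should use the same expression, `kind: {{ include "flink-operator.roleScope" (dict "role" (include "flink-operator.jobRoleName" $)) }}`, which also removes the inline `$role :=` assignment. Because a binding that names a ClusterRole grants whatever that ClusterRole holds, the heuristic deserves a comment stating which names are expected to contain `:`.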
diff --git a/helm/flink-kubernetes-operator/templates/flink/service_account.yaml b/helm/flink-kubernetes-operator/templates/flink/service_account.yaml
new file mode 100644
index 0000000..f5dd54a
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/flink/service_account.yaml
@@ -0,0 +1,53 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.jobServiceAccount.create -}}
+{{- /* Create job service accounts for all watched namespaces. */ -}}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ {{- with $.Values.jobServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+{{- end }}
+{{- /*
+Create the job service account for the operator namespace, it is to be added for other namespaces manually
+(or via specifying them in watchNamespaces).
+*/ -}}
+{{- else }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.jobServiceAccountName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+ {{- with .Values.jobServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
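Review bot: The job ServiceAccount gets no `helm.sh/resource-policy: keep` annotation, while the job Role and RoleBinding in flink/role.yaml and flink/role_binding.yaml do. An uninstall therefore removes the account but leaves a binding whose subject is that account name. Any ServiceAccount later created under the same name in that namespace would pick up the retained grants. Either annotate the account consistently or document the cleanup step in a template comment here, for example `{{- /* Not kept on uninstall, unlike the job Role/RoleBinding; delete those manually when removing the chart. */ -}}`. Users can still add the annotation through `jobServiceAccount.annotations`, which this template renders.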
diff --git a/helm/flink-kubernetes-operator/templates/rbac.yaml b/helm/flink-kubernetes-operator/templates/rbac.yaml
deleted file mode 100644
index ecc4c21..0000000
--- a/helm/flink-kubernetes-operator/templates/rbac.yaml
+++ /dev/null
@@ -1,351 +0,0 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-{{/*
-RBAC rules used to create the operator (cluster)role based on the scope
-*/}}
-{{- define "flink-operator.rbacRules" }}
-rules:
- - apiGroups:
- - ""
- resources:
- - pods
- - services
- - events
- - configmaps
- - secrets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - deletecollection
-{{- if .Values.rbac.nodesRule.create }}
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
-{{- end }}
- - apiGroups:
- - apps
- resources:
- - deployments
- - deployments/finalizers
- - replicasets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - apps
- resources:
- - deployments/scale
- verbs:
- - get
- - update
- - patch
- - apiGroups:
- - extensions
- resources:
- - deployments
- - ingresses
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - flink.apache.org
- resources:
- - flinkdeployments
- - flinkdeployments/finalizers
- - flinksessionjobs
- - flinksessionjobs/finalizers
- - flinkstatesnapshots
- - flinkstatesnapshots/finalizers
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - flink.apache.org
- resources:
- - flinkdeployments/status
- - flinksessionjobs/status
- - flinkstatesnapshots/status
- verbs:
- - get
- - update
- - patch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-{{- end }}
-
-{{/*
-RBAC rules used to create the job (cluster)role based on the scope
-*/}}
-{{- define "flink-operator.jobRbacRules" }}
-rules:
- - apiGroups:
- - ""
- resources:
- - pods
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - apps
- resources:
- - deployments
- - deployments/finalizers
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-{{- end }}
-
----
-{{- if .Values.rbac.create }}
----
-{{/*
-Namespaced scoped RBAC.
-*/}}
-{{- if .Values.watchNamespaces }}
-{{- range .Values.watchNamespaces }}
-{{- if $.Values.rbac.operatorRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "flink-operator.roleName" $ }}
- namespace: {{ . }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
-{{- template "flink-operator.rbacRules" $ }}
-{{- end }}
----
-{{- if $.Values.rbac.jobRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "flink-operator.jobRoleName" $ }}
- namespace: {{ . }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- template "flink-operator.jobRbacRules" $ }}
-{{- end }}
----
-{{- if $.Values.rbac.operatorRoleBinding.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "flink-operator.roleBindingName" $ }}
- namespace: {{ . }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
-roleRef:
- kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}
- name: {{ include "flink-operator.roleName" $ }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "flink-operator.serviceAccountName" $ }}
- namespace: {{ $.Release.Namespace }}
-{{- end }}
----
-{{- if $.Values.rbac.jobRoleBinding.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "flink-operator.jobRoleBindingName" $ }}
- namespace: {{ . }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
- annotations:
- "helm.sh/resource-policy": keep
-roleRef:
- kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}
- name: {{ include "flink-operator.jobRoleName" $ }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "flink-operator.jobServiceAccountName" $ }}
- namespace: {{ . }}
-{{- end }}
----
-{{- end }}
-{{/*
-Give operator the ability to operate on leases in the release namespace
-*/}}
-{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "flink-operator.roleName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-{{- end }}
----
-{{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "flink-operator.roleBindingName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
-roleRef:
- kind: Role
- name: {{ include "flink-operator.roleName" $ }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "flink-operator.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-{{ else }}
-{{/*
-Cluster scoped RBAC.
-*/}}
----
-{{- if .Values.rbac.operatorRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "flink-operator.roleName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
-{{- template "flink-operator.rbacRules" $ }}
-{{- end }}
----
-{{- if .Values.rbac.jobRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "flink-operator.jobRoleName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- template "flink-operator.jobRbacRules" $ }}
-{{- end }}
----
-{{- if .Values.rbac.operatorRoleBinding.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "flink-operator.roleBindingName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
-roleRef:
- kind: ClusterRole
- name: {{ include "flink-operator.roleName" $ }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "flink-operator.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
----
-{{- if .Values.rbac.jobRoleBinding.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "flink-operator.jobRoleBindingName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
- annotations:
- "helm.sh/resource-policy": keep
-roleRef:
- kind: Role
- name: {{ include "flink-operator.jobRoleName" $ }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "flink-operator.jobServiceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl
new file mode 100644
index 0000000..44d1d7e
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl
@@ -0,0 +1,212 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{/*
+Create the name of the operator service account to use
+*/}}
+{{- define "flink-operator.serviceAccountName" -}}
+{{- if .Values.operatorServiceAccount.create }}
+{{- default (include "flink-operator.fullname" .) .Values.operatorServiceAccount.name }}
+{{- else }}
+{{- default "default" .Values.operatorServiceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine role scope based on name
+*/}}
+{{- define "flink-operator.roleScope" -}}
+{{- if contains ":" .role }}
+{{- printf "ClusterRole" }}
+{{- else }}
+{{- printf "Role" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the operator role to use
+*/}}
+{{- define "flink-operator.roleName" -}}
+{{- if .Values.rbac.operatorRole.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRole.name }}
+{{- else }}
+{{- default "default" .Values.rbac.operatorRole.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the operator role binding to use
+*/}}
+{{- define "flink-operator.roleBindingName" -}}
+{{- if .Values.rbac.operatorRoleBinding.create }}
+{{- default (include "flink-operator.fullname" .) .Values.rbac.operatorRoleBinding.name }}
+{{- else }}
+{{- default "default" .Values.rbac.operatorRoleBinding.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+RBAC rules used to create the operator (cluster)role based on the scope
+*/}}
+{{- define "flink-operator.rbacRules" }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - events
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - deletecollection
+{{- if .Values.rbac.nodesRule.create }}
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+{{- end }}
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - deployments/finalizers
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - apps
+ resources:
+ - deployments/scale
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - extensions
+ resources:
+ - deployments
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - flink.apache.org
+ resources:
+ - flinkdeployments
+ - flinkdeployments/finalizers
+ - flinksessionjobs
+ - flinksessionjobs/finalizers
+ - flinkstatesnapshots
+ - flinkstatesnapshots/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - flink.apache.org
+ resources:
+ - flinkdeployments/status
+ - flinksessionjobs/status
+ - flinkstatesnapshots/status
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+{{- end }}
+
+{{/*
+RBAC rules used to create the job (cluster)role based on the scope
+*/}}
+{{- define "flink-operator.jobRbacRules" }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - deployments/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+{{- end }}
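Review bot: `flink-operator.rbacRules` lists `secrets` in the same rule as pods, services, events and configmaps, so the operator role receives every verb in that list on secrets, including `delete` and `deletecollection`, and cluster_role.yaml renders this helper into a ClusterRole when `watchNamespaces` is empty. Nothing in the helper says which of these verbs the operator needs on secrets, so I would at least document the scope in the helper's comment, for example `Grants full read/write on secrets in every namespace the role covers; set watchNamespaces to limit this to named namespaces.` If the operator only reads secrets, moving `secrets` into its own rule with a shorter verb list would narrow the grant, but that needs confirming against the operator code, which this diff does not show.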
diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml
new file mode 100644
index 0000000..d101037
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml
@@ -0,0 +1,30 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.operatorRole.create }}
+{{- if not .Values.watchNamespaces }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "flink-operator.roleName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+{{- template "flink-operator.rbacRules" $ }}
+{{- end }}
+{{- end }}
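Review bot: `namespace: {{ .Release.Namespace }}` under `metadata` has no meaning on a ClusterRole, which is cluster-scoped, and it makes the object read as if it were confined to the release namespace. I would drop that line here and on the ClusterRoleBinding in cluster_role_binding.yaml, where only the subject's `namespace` is needed. A short comment above the `if not .Values.watchNamespaces` guard, such as `{{- /* Cluster scoped RBAC: used when no watchNamespaces are set. */ -}}`, would mirror the `Namespaced scoped RBAC.` comment in role.yaml.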
diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml
new file mode 100644
index 0000000..d4ee141
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role_binding.yaml
@@ -0,0 +1,37 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.operatorRoleBinding.create }}
+{{- if not .Values.watchNamespaces }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "flink-operator.roleBindingName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "flink-operator.roleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
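Review bot: The `roleRef.name` here comes from `flink-operator.roleName`, which falls back to the literal name `default` when `rbac.operatorRole.create` is false and `rbac.operatorRole.name` is unset, while this template is gated only on `rbac.operatorRoleBinding.create`. In that combination the binding would point the operator service account at a ClusterRole called `default` that this chart does not create, so the grant depends on whatever object, if any, carries that name. Failing the render is safer than guessing; in the helper's `else` branch, `{{- required "rbac.operatorRole.name is required when rbac.operatorRole.create is false" .Values.rbac.operatorRole.name }}` would do that. The same fallback reaches both RoleBindings in role_binding.yaml.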
diff --git a/helm/flink-kubernetes-operator/templates/rbac/role.yaml b/helm/flink-kubernetes-operator/templates/rbac/role.yaml
new file mode 100644
index 0000000..e9653f5
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/role.yaml
@@ -0,0 +1,58 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.operatorRole.create }}
+{{- /* Namespaced scoped RBAC. */ -}}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.roleName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+{{- template "flink-operator.rbacRules" $ }}
+{{- end }}
+{{- /* Give operator the ability to operate on leases in the release namespace */ -}}
+{{- if not (has .Release.Namespace .Values.watchNamespaces) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "flink-operator.roleName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+{{- end }}
+{{- end }}
+{{- end }}
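Review bot: The per-namespace Role renders the full `flink-operator.rbacRules` helper, which includes the `nodes` rule when `rbac.nodesRule.create` is set, but nodes are cluster-scoped and a namespaced Role cannot grant access to them. With `watchNamespaces` set, that option therefore produces a rule that grants nothing, and a reader of the rendered Role may assume the operator can list nodes. I would note this next to the range, e.g. `{{- /* rbac.nodesRule has no effect in a Role: nodes are cluster-scoped. */ -}}`, or have the helper skip the rule when `watchNamespaces` is non-empty.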
diff --git a/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml
new file mode 100644
index 0000000..e606c19
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/role_binding.yaml
@@ -0,0 +1,60 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if and .Values.rbac.create .Values.rbac.operatorRoleBinding.create }}
+{{- /* Namespaced scoped RBAC. */ -}}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.roleBindingName" $ }}
+ namespace: {{ . }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+roleRef:
+ kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}}
+ name: {{ include "flink-operator.roleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.serviceAccountName" $ }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- /* Give operator the ability to operate on leases in the release namespace */ -}}
+{{- if not (has .Release.Namespace .Values.watchNamespaces) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "flink-operator.roleBindingName" $ }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" $ | nindent 4 }}
+roleRef:
+ kind: Role
+ name: {{ include "flink-operator.roleName" $ }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "flink-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
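Review bot: `roleRef.kind` in the per-namespace RoleBinding is derived by `flink-operator.roleScope` from whether the role name contains `:`, while the release-namespace RoleBinding below hard-codes `kind: Role` and role.yaml always creates `kind: Role` under the same name. If `rbac.operatorRole.name` contains a colon, the watched namespaces would bind to a ClusterRole of that name and the release namespace to a Role, and with `rbac.operatorRole.create` true the referenced ClusterRole is not one this chart creates. Which object a binding points at decides what the service account can do, so I would make the choice explicit rather than inferred from the name, or at least document the rule above the `roleRef`, e.g. `{{- /* A role name containing ":" is treated as an existing ClusterRole. */ -}}`, and use the same helper for the second binding.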
diff --git a/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml
new file mode 100644
index 0000000..b3a0fb8
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/rbac/service_account.yaml
@@ -0,0 +1,29 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.operatorServiceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flink-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flink-operator.labels" . | nindent 4 }}
+ {{- with .Values.operatorServiceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml b/helm/flink-kubernetes-operator/templates/serviceaccount.yaml
deleted file mode 100644
index a0179ec..0000000
--- a/helm/flink-kubernetes-operator/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
----
-{{- if .Values.operatorServiceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "flink-operator.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" . | nindent 4 }}
- {{- with .Values.operatorServiceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
----
-{{- if .Values.jobServiceAccount.create -}}
-{{/*
-Create job service accounts for all watched namespaces.
-*/}}
-{{- if .Values.watchNamespaces }}
-{{- range .Values.watchNamespaces }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "flink-operator.jobServiceAccountName" $ }}
- namespace: {{ . }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
- {{- with $.Values.jobServiceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
----
-{{- end }}
-{{/*
-Create the job service account for the operator namespace, it is to be added for other namespaces manually
-(or via specifying them in watchNamespaces).
-*/}}
-{{- else}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "flink-operator.jobServiceAccountName" $ }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "flink-operator.labels" $ | nindent 4 }}
- {{- with .Values.jobServiceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/webhook.yaml b/helm/flink-kubernetes-operator/templates/webhook.yaml
deleted file mode 100644
index cfe64aa..0000000
--- a/helm/flink-kubernetes-operator/templates/webhook.yaml
+++ /dev/null
@@ -1,157 +0,0 @@
-################################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
----
-{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: flink-operator-webhook-service
- namespace: {{ .Release.Namespace }}
- {{- if .Values.webhook.serviceLabels }}
- labels:
- {{- range $key, $value := .Values.webhook.serviceLabels }}
- {{ $key }}: {{ $value }}
- {{- end }}
- {{- end }}
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- app.kubernetes.io/name: {{ include "flink-operator.name" . }}
----
-{{- if .Values.webhook.keystore.useDefaultPassword }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: flink-operator-webhook-secret
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
- password: cGFzc3dvcmQxMjM0
-{{- end }}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: flink-operator-serving-cert
- namespace: {{ .Release.Namespace }}
-spec:
- dnsNames:
- - flink-operator-webhook-service.{{ .Release.Namespace }}.svc
- - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
- keystores:
- pkcs12:
- create: true
- passwordSecretRef:
- {{- if .Values.webhook.keystore.useDefaultPassword }}
- name: flink-operator-webhook-secret
- key: password
- {{- else }}
- {{- with .Values.webhook.keystore.passwordSecretRef }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- end }}
- issuerRef:
- kind: Issuer
- name: flink-operator-selfsigned-issuer
- commonName: FlinkDeployment Validator
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: flink-operator-selfsigned-issuer
- namespace: {{ .Release.Namespace }}
-spec:
- selfSigned: {}
-{{- end }}
-{{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
- name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
-webhooks:
-- name: validationwebhook.flink.apache.org
- admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: flink-operator-webhook-service
- namespace: {{ .Release.Namespace }}
- path: /validate
- failurePolicy: Fail
- rules:
- - apiGroups: ["flink.apache.org"]
- apiVersions: ["*"]
- scope: "Namespaced"
- operations:
- - CREATE
- - UPDATE
- resources:
- - flinkdeployments
- - flinksessionjobs
- - flinkstatesnapshots
- sideEffects: None
- {{- if .Values.watchNamespaces }}
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
- {{- end }}
-{{- end }}
-{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
- name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
-webhooks:
- - name: mutationwebhook.flink.apache.org
- admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: flink-operator-webhook-service
- namespace: {{ .Release.Namespace }}
- path: /mutate
- failurePolicy: Fail
- rules:
- - apiGroups: ["flink.apache.org"]
- apiVersions: ["*"]
- scope: "Namespaced"
- operations:
- - CREATE
- - UPDATE
- resources:
- - flinksessionjobs
- - flinkdeployments
- sideEffects: None
- {{- if .Values.watchNamespaces }}
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
- {{- end }}
-{{- end }}
diff --git a/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl
new file mode 100644
index 0000000..d92d5d3
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/webhook/_helpers.tpl
@@ -0,0 +1,57 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- define "flink-operator.webhook-enabled" -}}
+{{- if or (eq (include "flink-operator.validating-webhook-enabled" .) "true") (eq (include "flink-operator.mutating-webhook-enabled" .) "true") }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{- define "flink-operator.validating-webhook-enabled" -}}
+{{- if hasKey .Values.webhook "validator" }}
+{{- if .Values.webhook.validator.create }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- else }}
+{{- if or (.Values.webhook.create) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "flink-operator.mutating-webhook-enabled" -}}
+{{- if hasKey .Values.webhook "mutator" }}
+{{- if .Values.webhook.mutator.create }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- else }}
+{{- if or (.Values.webhook.create) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+{{- end }}
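Review bot: `flink-operator.validating-webhook-enabled` returns "false" whenever `webhook.validator` exists as a key but has no truthy `create`, even if `webhook.create` is true, so a values file with an empty `validator:` mapping switches admission validation off without any message; `flink-operator.mutating-webhook-enabled` has the same shape. None of the three helpers carries a doc comment, unlike the helpers in rbac/_helpers.tpl, so this precedence is undocumented; I would add one, e.g. `{{/* webhook.validator.create, when the validator key is present, overrides webhook.create. */}}`. Separately, `{{- if or (.Values.webhook.create) }}` calls `or` with a single argument and can be written `{{- if .Values.webhook.create }}`.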
diff --git a/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml
new file mode 100644
index 0000000..542ccc3
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/webhook/mutating_webhook_configuration.yaml
@@ -0,0 +1,55 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
+ name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
+webhooks:
+ - name: mutationwebhook.flink.apache.org
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: flink-operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate
+ failurePolicy: Fail
+ rules:
+ - apiGroups: ["flink.apache.org"]
+ apiVersions: ["*"]
+ scope: "Namespaced"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - flinksessionjobs
+ - flinkdeployments
+ sideEffects: None
+ {{- if .Values.watchNamespaces }}
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
+ {{- end }}
+{{- end }}
+{{- end }}
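Review bot: The `namespaceSelector` values are assembled by hand, `values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]`, which leaves a trailing comma in the rendered list and relies on `quote` for escaping. `values: {{ .Values.watchNamespaces | toJson }}` renders the same list in one step; the same line appears in validating_webhook_configuration.yaml. The outer `webhook-enabled` guard is also redundant here, because that helper is true whenever `mutating-webhook-enabled` is.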
diff --git a/helm/flink-kubernetes-operator/templates/webhook/secret.yaml b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml
new file mode 100644
index 0000000..2971100
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/webhook/secret.yaml
@@ -0,0 +1,30 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+{{- if .Values.webhook.keystore.useDefaultPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: flink-operator-webhook-secret
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ password: cGFzc3dvcmQxMjM0
+{{- end }}
+{{- end }}
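Review bot: The `password` value in this Secret is a constant committed to the chart, so every installation that keeps `webhook.keystore.useDefaultPassword: true` (the value shown in values.yaml) shares the same keystore password, and anyone who can read the chart knows it. The file gives no hint of that; I would add a comment above `data:`, e.g. `{{- /* Fixed, publicly known keystore password for test setups; set webhook.keystore.useDefaultPassword=false and supply passwordSecretRef for real deployments. */ -}}`. Making `passwordSecretRef` the default path would be the stronger change, but that alters install behaviour and goes beyond a template move.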
diff --git a/helm/flink-kubernetes-operator/templates/webhook/service.yaml b/helm/flink-kubernetes-operator/templates/webhook/service.yaml
new file mode 100644
index 0000000..16b6762
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/webhook/service.yaml
@@ -0,0 +1,37 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: flink-operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.webhook.serviceLabels }}
+ labels:
+ {{- range $key, $value := .Values.webhook.serviceLabels }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/name: {{ include "flink-operator.name" . }}
+{{- end }}
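Review bot: The label loop writes `{{ $key }}: {{ $value }}` without quoting, so a label value such as `true` or `123` in `webhook.serviceLabels` renders as a YAML boolean or number and the Service is rejected, since label values must be strings. `{{ $key | quote }}: {{ $value | quote }}` fixes that. Note also that the selector matches on `app.kubernetes.io/name` alone, so any pod in the namespace carrying that label would back the webhook Service; adding `app.kubernetes.io/instance` would tighten it if the pod template sets that label, which this diff does not show.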
diff --git a/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml
new file mode 100644
index 0000000..58a6740
--- /dev/null
+++ b/helm/flink-kubernetes-operator/templates/webhook/validating_webhook_configuration.yaml
@@ -0,0 +1,56 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
+{{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
+ name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
+webhooks:
+- name: validationwebhook.flink.apache.org
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: flink-operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate
+ failurePolicy: Fail
+ rules:
+ - apiGroups: ["flink.apache.org"]
+ apiVersions: ["*"]
+ scope: "Namespaced"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - flinkdeployments
+ - flinksessionjobs
+ - flinkstatesnapshots
+ sideEffects: None
+ {{- if .Values.watchNamespaces }}
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/values.yaml b/helm/flink-kubernetes-operator/values.yaml
index 42843b8..00fb5db 100644
--- a/helm/flink-kubernetes-operator/values.yaml
+++ b/helm/flink-kubernetes-operator/values.yaml
@@ -20,14 +20,15 @@
# List of kubernetes namespaces to watch for FlinkDeployment changes, empty means all namespaces.
# When enabled RBAC is only created for said namespaces, otherwise it is done for the cluster scope.
-# watchNamespaces: ["flink"]
+watchNamespaces: []
+# - flink
image:
repository: ghcr.io/apache/flink-kubernetes-operator
pullPolicy: IfNotPresent
tag: latest
# If image digest is set then it takes precedence and the image tag will be ignored
- # digest: ""
+ digest: ""
imagePullSecrets: []
@@ -72,8 +73,8 @@
# configMapKeyRef:
# name: ""
# key: ""
- # dnsPolicy: ""
- # dnsConfig: {}
+ dnsPolicy: ""
+ dnsConfig: {}
# Node labels and affinity for operator pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
envFrom:
@@ -153,9 +154,9 @@
# create: true
keystore:
useDefaultPassword: true
- # passwordSecretRef:
- # name: jks-password-secret
- # key: password-key
+ passwordSecretRef:
+ # name: jks-password-secret
+ # key: password-key
serviceLabels: {}
defaultConfiguration: