
[ISSUE #184 #192] support plain acl configuration #200

Open. Wants to merge 1 commit into master.

Conversation

drivebyer
Contributor

@drivebyer drivebyer commented Dec 6, 2023

What is the purpose of the change

#192 #184

Brief changelog

Verifying this change

  1. Apply the following YAML:
apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-config
data:
  # BROKER_MEM sets the broker JVM, if set to "" then Xms = Xmx = max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
  BROKER_MEM: " -Xms2g -Xmx2g -Xmn1g "
  broker-common.conf: |
    # brokerClusterName, brokerName, brokerId are automatically generated by the operator and do not set it manually!!!
    deleteWhen=04
    fileReservedTime=48
    flushDiskType=ASYNC_FLUSH
    # set brokerRole to ASYNC_MASTER or SYNC_MASTER. DO NOT set to SLAVE because the replica instance will automatically be set!!!
    brokerRole=ASYNC_MASTER
    # set aclEnable to true to enable ACL, and set plain_acl.yml to configure ACL
    aclEnable=true

  plain_acl.yml: |
    globalWhiteRemoteAddresses:
    accounts:
      - accessKey: RocketMQ
        secretKey: 12345678
        whiteRemoteAddress:
        admin: false
        defaultTopicPerm: DENY
        defaultGroupPerm: SUB
        topicPerms:
          - TopicTest=PUB
        groupPerms:
          # group permissions are applied to the group's retry topic (%RETRY%<group>)
          - oms_consumer_group=DENY

---
apiVersion: rocketmq.apache.org/v1alpha1
kind: Broker
metadata:
  # name of broker cluster
  name: broker
spec:
  clusterMode: CONTROLLER
  # size is the number of the broker cluster, each broker cluster contains a master broker and [replicaPerGroup] replica brokers.
  size: 1
  # nameServers is the [ip:port] list of name service
  nameServers: ""
  # replicaPerGroup is the number of each broker cluster
  replicaPerGroup: 1
  # brokerImage is the customized docker image repo of the RocketMQ broker
  brokerImage: ghcr.m.daocloud.io/ksmartdata/rocketmq-broker:v5.1.4
  # imagePullPolicy is the image pull policy
  imagePullPolicy: Always
  # resources describes the compute resource requirements and limits
  resources:
    requests:
      memory: "2048Mi"
      cpu: "250m"
    limits:
      memory: "12288Mi"
      cpu: "500m"
  # allowRestart defines whether allow pod restart
  allowRestart: true
  # storageMode can be EmptyDir, HostPath, StorageClass
  storageMode: StorageClass
  # hostPath is the local path to store data
  hostPath: /data/rocketmq/broker
  # scalePodName is [Broker name]-[broker group number]-master-0
  scalePodName: broker-0-0-0
  # env defines custom env, e.g. BROKER_MEM
  env:
    - name: BROKER_MEM
      valueFrom:
        configMapKeyRef:
          name: broker-config
          key: BROKER_MEM
  # volumes defines the broker.conf
  volumes:
    - name: broker-config
      configMap:
        name: broker-config
        items:
          - key: broker-common.conf
            path: broker-common.conf
    - name: plain-acl
      configMap:
        name: broker-config
        items:
          - key: plain_acl.yml
            path: plain_acl.yml

  # volumeClaimTemplates defines the storageClass
  volumeClaimTemplates:
    - metadata:
        name: broker-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
---
apiVersion: rocketmq.apache.org/v1alpha1
kind: NameService
metadata:
  name: name-service
spec:
  # size is the the name service instance number of the name service cluster
  size: 1
  # nameServiceImage is the customized docker image repo of the RocketMQ name service
  nameServiceImage: ghcr.m.daocloud.io/ksmartdata/rocketmq-nameserver:v5.1.4
  # imagePullPolicy is the image pull policy
  imagePullPolicy: Always
  # hostNetwork can be true or false
  hostNetwork: false
  #  Set DNS policy for the pod.
  #  Defaults to "ClusterFirst".
  #  Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
  #  DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy.
  #  To have DNS options set along with hostNetwork, you have to specify DNS policy
  #  explicitly to 'ClusterFirstWithHostNet'.
  dnsPolicy: ClusterFirstWithHostNet
  # resources describes the compute resource requirements and limits
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1024Mi"
      cpu: "500m"
  # storageMode can be EmptyDir, HostPath, StorageClass
  storageMode: EmptyDir
  # hostPath is the local path to store data
  hostPath: /data/rocketmq/nameserver
  # volumeClaimTemplates defines the storageClass
  volumeClaimTemplates:
    - metadata:
        name: namesrv-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
---
apiVersion: rocketmq.apache.org/v1alpha1
kind: Controller
metadata:
  # name of controller cluster
  name: controller
spec:
  # size is the number of controllers.
  size: 1
  # controllerImage is the customized docker image repo of the RocketMQ Controller
  controllerImage: ghcr.m.daocloud.io/ksmartdata/rocketmq-controller:v5.1.4
  # imagePullPolicy is the image pull policy
  imagePullPolicy: IfNotPresent
  # resources describes the compute resource requirements and limits
  resources:
    requests:
      memory: "0.5Gi"
    limits:
      memory: "2Gi"
  # storageMode can be EmptyDir, HostPath, StorageClass
  storageMode: StorageClass
  # hostPath is the local path to store data
  hostPath: /data/rocketmq/controller
  # volumeClaimTemplates defines the storageClass
  volumeClaimTemplates:
    - metadata:
        name: controller-storage
      spec:
        accessModes: [ "ReadWriteOnce" ]
        resources:
          requests:
            storage: 1Gi
  2. Execute a command on the nameserver:
[screenshot 2024-03-13 15:03:37]
  3. Modify tools.yaml:
[screenshot 2024-03-13 15:06:04]
  4. Execute the same command on the nameserver:
[screenshot 2024-03-13 15:06:40]
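The plain_acl.yml in the ConfigMap above is only as good as what the broker makes of each line. As an added example (mine, not code from this PR or from Apache RocketMQ), here is a Go model of the order in which the broker evaluates that file: global whitelist, account lookup, per-account whitelist, then, after the request-signature check that the model skips, admin and per-resource permissions, with groupPerms keyed by the %RETRY% topic as the ConfigMap comment says. The policy is transcribed by hand from the ConfigMap; the address matcher is simplified to "", "*" and exact IPs; all type and function names are mine.

```go
// Added example, not code from the PR or from Apache RocketMQ: a Go model of the checks
// the broker runs against plain_acl.yml, loaded with the policy from the ConfigMap above.
package main

import (
	"fmt"
	"strings"
)

// Permission bits as RocketMQ's Permission class defines them (ANY omitted).
const (
	PermDeny    byte = 1
	PermPub     byte = 1 << 2
	PermSub     byte = 1 << 3
	retryPrefix      = "%RETRY%" // groupPerms entries are keyed by the group's retry topic
)

var permNames = map[string]byte{"DENY": PermDeny, "PUB": PermPub, "SUB": PermSub, "PUB|SUB": PermPub | PermSub, "SUB|PUB": PermPub | PermSub}

// Account mirrors one `accounts:` entry (secretKey omitted: signing is not modelled).
type Account struct {
	WhiteRemoteAddress string
	Admin              bool
	DefaultTopicPerm   byte
	DefaultGroupPerm   byte
	ResourcePerms      map[string]byte // topics, plus retryPrefix+group for groupPerms
}

type Policy struct {
	GlobalWhiteRemoteAddresses []string
	Accounts                   map[string]*Account
}

// parsePerm maps a YAML permission string to its bits; unknown values deny.
func parsePerm(s string) byte {
	if p, ok := permNames[strings.ToUpper(strings.TrimSpace(s))]; ok {
		return p
	}
	return PermDeny
}

// checkPermission: DENY always loses, otherwise a needed bit must be owned.
func checkPermission(needed, owned byte) bool {
	return owned&PermDeny == 0 && needed&owned != 0
}

// matchAddr is a simplified whitelist matcher (assumption: only "", "*" and exact
// IPs are handled; RocketMQ's wildcard, list and range forms are not modelled).
func matchAddr(pattern, ip string) bool {
	pattern = strings.TrimSpace(pattern)
	if pattern == "" {
		return false // a blank whitelist matches nothing
	}
	return pattern == "*" || pattern == ip
}

// Validate is the broker's decision for one command (caller, remote IP, whether the
// request code is admin-only, needed permission per resource); nil means allowed.
func (p *Policy) Validate(accessKey, ip string, needsAdmin bool, resources map[string]byte) error {
	for _, w := range p.GlobalWhiteRemoteAddresses {
		if matchAddr(w, ip) {
			return nil // global whitelist skips account lookup, signature and perms
		}
	}
	acct, ok := p.Accounts[accessKey]
	if !ok {
		return fmt.Errorf("no acl config for accessKey %q", accessKey)
	}
	if matchAddr(acct.WhiteRemoteAddress, ip) {
		return nil // the per-account whitelist also skips the signature check
	}
	// The broker verifies the HmacSHA1 request signature here; assumed valid.
	if needsAdmin && !acct.Admin {
		return fmt.Errorf("accessKey %q is not admin", accessKey)
	}
	for res, needed := range resources {
		owned, explicit := acct.ResourcePerms[res]
		if !explicit && strings.HasPrefix(res, retryPrefix) {
			owned = acct.DefaultGroupPerm // default for a consumer group
		} else if !explicit {
			owned = acct.DefaultTopicPerm // default for a topic
		}
		if !checkPermission(needed, owned) {
			return fmt.Errorf("perm %d denied on %s (owned %d)", needed, res, owned)
		}
	}
	return nil
}

// ExamplePolicy is the plain_acl.yml from the ConfigMap above, transcribed by hand.
func ExamplePolicy() *Policy {
	return &Policy{Accounts: map[string]*Account{"RocketMQ": {
		DefaultTopicPerm: parsePerm("DENY"), DefaultGroupPerm: parsePerm("SUB"),
		ResourcePerms:    map[string]byte{"TopicTest": parsePerm("PUB"), retryPrefix + "oms_consumer_group": parsePerm("DENY")},
	}}}
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.Validate("RocketMQ", "10.0.0.5", false, map[string]byte{"TopicTest": PermSub}))
}
```

Two things the model makes visible that are worth checking before shipping such a ConfigMap: a match in globalWhiteRemoteAddresses, or in an account's whiteRemoteAddress, returns before the signature is verified, so a wildcard there makes the secretKey irrelevant for that caller; and with this policy the RocketMQ account can publish to TopicTest but not subscribe to it, and any consumer group other than oms_consumer_group is allowed by the defaultGroupPerm fallback. The secretKey itself also sits in a ConfigMap, readable by anyone with get on configmaps in the namespace, which is the practical case for keeping the ACL file in a Secret.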

@drivebyer
Contributor Author

PTAL @caigy

@drivebyer drivebyer marked this pull request as draft March 13, 2024 04:57
@drivebyer drivebyer changed the title [ISSUE #184 #192] support custom volume mount [ISSUE #184 #192] support plain acl configuration Mar 13, 2024
@drivebyer drivebyer marked this pull request as ready for review March 13, 2024 07:49
@drivebyer drivebyer requested a review from caigy March 13, 2024 07:49
@@ -512,6 +500,30 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker *rocketmqv1alpha1.Broker,

}

func getVolumeMounts(broker *rocketmqv1alpha1.Broker, brokerGroupIndex int, replicaIndex int) []corev1.VolumeMount {
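Review bot: the signature `func getVolumeMounts(broker *rocketmqv1alpha1.Broker, brokerGroupIndex int, replicaIndex int) []corev1.VolumeMount` is all of the new helper this hunk shows, and it carries no doc comment; since the example above relies on a volume literally named `plain-acl` carrying a `plain_acl.yml` item, a comment on this function should state which volume names it recognises and the container path each one is mounted at, so users can reproduce the setup without reading the reconciler. Also consider setting `ReadOnly: true` on the mounts it builds for broker.conf and the ACL file, so the broker process cannot rewrite its own ACL policy from inside the container.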
Contributor

It seems a bit complicated. I'd prefer separating ACL related configs from other broker configs, and let user provide the name of configmap/secret of ACL.

Contributor Author


I understand your point, but it seems that there isn’t much difference with this method. If users specify ACL configurations in a separate YAML file, they would still need to maintain common configurations and ACL configurations in two separate files, even though both are for the broker.
