Shared sha

trifork · Aug 8, 2023 · 0d83fbb · 0d83fbb
1 parent 8396322
commit 0d83fbb
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 6 deletions.
diff --git a/charts/flink-job/ci/test.yaml b/charts/flink-job/ci/test.yaml
@@ -0,0 +1,72 @@
+imagePullSecrets:
+      - name: pullsecret-ghcr-io
+image:
+  repository: ghcr.io/trifork/idmappingpoc-flinkjobs
+  tag: "1.0.4"
+storage:
+  scheme: s3
+  baseDir: flink
+flinkConfiguration:
+  s3.endpoint: http://minio.minio.svc.cluster.local:9000
+  s3.path-style-access: "true"
+  high-availability: org.apache.flink.kubernetes.highavailability.KubernetesHaServicesFactory
+  high-availability.storageDir: s3://flink/infocode-mapping/ha
+  kubernetes.jobmanager.cpu.limit-factor: "5.0"
+  kubernetes.taskmanager.cpu.limit-factor: "5.0"
+  kubernetes.jobmanager.memory.limit-factor: "2.0"
+  kubernetes.taskmanager.memory.limit-factor: "2.0"
+  taskmanager.numberOfTaskSlots: "1"
+env:
+  - name: AWS_ACCESS_KEY
+    value: vault:secret/data/global/flink/s3/cheetah-flink#accessKey
+  - name: AWS_SECRET_KEY
+    value: vault:secret/data/global/flink/s3/cheetah-flink#secretKey
+  - name: INPUT_KAFKA_CLIENT_ID
+    value: vault:secret/data/global/guidedtour#kafka-client-id
+  - name: INPUT_KAFKA_CLIENT_SECRET
+    value: vault:secret/data/global/guidedtour#kafka-client-secret
+  - name: INPUT_KAFKA_TOKEN_URL
+    value: http://oauthsimulator-cheetah-application.oauthsimulator.svc:8000/oauth2/token
+  - name: OUTPUT_KAFKA_CLIENT_ID
+    value: vault:secret/data/global/guidedtour#kafka-client-id
+  - name: OUTPUT_KAFKA_CLIENT_SECRET
+    value: vault:secret/data/global/guidedtour#kafka-client-secret
+  - name: OUTPUT_KAFKA_TOKEN_URL
+    value: http://oauthsimulator-cheetah-application.oauthsimulator.svc:8000/oauth2/token            
+job:
+  jarURI: local:///opt/flink/usrlib/artifacts/device-id-mapping-1.0-SNAPSHOT.jar
+  entryClass: com.trifork.cheetah.job.DeviceIdMapperJob
+  name: DeviceIdMapperJob
+  args:
+  - --input-kafka-bootstrap-servers
+  - cheetah-kafka-kafka-brokers.kafka:9092
+  - --output-kafka-bootstrap-servers
+  - cheetah-kafka-kafka-brokers.kafka:9092
+  - --input-kafka-group-id
+  - id-mapping
+  - --id-service-url
+  - http://idservice-cheetah-application.idmapping:80/api/v1/idmapping/
+  state: running
+  upgradeMode: "stateless"
+  allowNonRestoredState: false
+  parallelism: 1
+  topics:
+    - arg: input-kafka-topic
+      name: ExternalIdReadings
+      type: input
+    - arg: output-kafka-topic
+      name: InternalIdReadings
+      type: output
+podAnnotations:
+  vault.security.banzaicloud.io/vault-role: default
+  vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+jobManager:
+  replicas: 1
+  resource:
+    cpu: 0.1
+    memory: 1Gb
+taskManager:
+  replicas: 1
+  resource:
+    cpu: 0.1
+    memory: 1Gb
diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
@@ -195,18 +195,19 @@ Add necessary ssl configuration
 */}}
 {{- define "flink-job.sslConfiguration" -}}
   {{- $configs := .configs -}}
-  {{- $password := sha1sum (toYaml .global) }}
+  {{- $password := sha1sum (nospace (toString .global.image)) }}
   {{- if .global.internalSsl.enabled -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore" (toString .global.internalSsl.configuration.keystore))) -}}
-    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" (toString .global.internalSsl.configuration.keystore))) -}}
+    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" (toString .global.internalSsl.configuration.truststore))) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore-password" (toString $password))) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore-password" (toString $password))) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.key-password" (toString $password))) -}}
   {{- end -}}
   {{- $configs | toJson -}}
 {{- end -}}
 
+
 {{/*
 Add necessary istio configuration
 */}}

diff --git a/charts/flink-job/templates/cert.yaml b/charts/flink-job/templates/cert.yaml
@@ -6,12 +6,13 @@ metadata:
 spec:
   selfSigned: {}
 ---
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ printf "%s-mtls-crt" ( include "flink-job.name" . ) | quote }}
 spec:
   secretName: {{ printf "%s-mtls-secret" ( include "flink-job.name" . ) | quote }}
+  commonName: {{ printf "%s-mtls-crt" ( include "flink-job.name" . ) | quote }}
   issuerRef:
     name: {{ printf "%s-mtls-issuer" ( include "flink-job.name" . ) | quote }}
   keystores:

diff --git a/charts/flink-job/templates/secret.yaml b/charts/flink-job/templates/secret.yaml
@@ -21,5 +21,5 @@ kind: Secret
 metadata:
   name: {{ printf "%s-mtls-password" ( include "flink-job.name" . ) | quote }}
 stringData:
-  password: {{ sha1sum (toYaml .Values) | quote }}
+  password: {{ sha1sum (nospace (toString .Values.image)) }}
 {{- end -}}
diff --git a/charts/flink-job/values.yaml b/charts/flink-job/values.yaml
@@ -30,11 +30,12 @@ internalSsl:
   # -- Set up SSL authentication/encryption using an init-container for creating the certificate
   enabled: true
   configuration:
-    keystore: /flinkkeystore/truststore.jks
+    keystore: /flinkkeystore/keystore.jks
+    truststore: /flinkkeystore/truststore.jks
   podVolumes:
     - name: truststore
       secret:
-        secretName: truststore.jks
+        secretName: "flink-job-mtls-secret"
   podVolumeMounts:
     - name: truststore
       mountPath: /flinkkeystore