diff --git a/charts/flink-job/ci/test.yaml b/charts/flink-job/ci/test.yaml
new file mode 100644
index 00000000..7f96e862
--- /dev/null
+++ b/charts/flink-job/ci/test.yaml
@@ -0,0 +1,72 @@
+imagePullSecrets:
+ - name: pullsecret-ghcr-io
+image:
+ repository: ghcr.io/trifork/idmappingpoc-flinkjobs
+ tag: "1.0.4"
+storage:
+ scheme: s3
+ baseDir: flink
+flinkConfiguration:
+ s3.endpoint: http://minio.minio.svc.cluster.local:9000
+ s3.path-style-access: "true"
+ high-availability: org.apache.flink.kubernetes.highavailability.KubernetesHaServicesFactory
+ high-availability.storageDir: s3://flink/infocode-mapping/ha
+ kubernetes.jobmanager.cpu.limit-factor: "5.0"
+ kubernetes.taskmanager.cpu.limit-factor: "5.0"
+ kubernetes.jobmanager.memory.limit-factor: "2.0"
+ kubernetes.taskmanager.memory.limit-factor: "2.0"
+ taskmanager.numberOfTaskSlots: "1"
+env:
+ - name: AWS_ACCESS_KEY
+ value: vault:secret/data/global/flink/s3/cheetah-flink#accessKey
+ - name: AWS_SECRET_KEY
+ value: vault:secret/data/global/flink/s3/cheetah-flink#secretKey
+ - name: INPUT_KAFKA_CLIENT_ID
+ value: vault:secret/data/global/guidedtour#kafka-client-id
+ - name: INPUT_KAFKA_CLIENT_SECRET
+ value: vault:secret/data/global/guidedtour#kafka-client-secret
+ - name: INPUT_KAFKA_TOKEN_URL
+ value: http://oauthsimulator-cheetah-application.oauthsimulator.svc:8000/oauth2/token
+ - name: OUTPUT_KAFKA_CLIENT_ID
+ value: vault:secret/data/global/guidedtour#kafka-client-id
+ - name: OUTPUT_KAFKA_CLIENT_SECRET
+ value: vault:secret/data/global/guidedtour#kafka-client-secret
+ - name: OUTPUT_KAFKA_TOKEN_URL
+ value: http://oauthsimulator-cheetah-application.oauthsimulator.svc:8000/oauth2/token
+job:
+ jarURI: local:///opt/flink/usrlib/artifacts/device-id-mapping-1.0-SNAPSHOT.jar
+ entryClass: com.trifork.cheetah.job.DeviceIdMapperJob
+ name: DeviceIdMapperJob
+ args:
+ - --input-kafka-bootstrap-servers
+ - cheetah-kafka-kafka-brokers.kafka:9092
+ - --output-kafka-bootstrap-servers
+ - cheetah-kafka-kafka-brokers.kafka:9092
+ - --input-kafka-group-id
+ - id-mapping
+ - --id-service-url
+ - http://idservice-cheetah-application.idmapping:80/api/v1/idmapping/
+ state: running
+
upgradeMode: "stateless"
+ allowNonRestoredState: false
+ parallelism: 1
+ topics:
+ - arg: input-kafka-topic
+ name: ExternalIdReadings
+ type: input
+ - arg: output-kafka-topic
+ name: InternalIdReadings
+ type: output
+podAnnotations:
+ vault.security.banzaicloud.io/vault-role: default
+ vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+jobManager:
+ replicas: 1
+ resource:
+ cpu: 0.1
+ memory: 1Gb
+taskManager:
+ replicas: 1
+ resource:
+ cpu: 0.1
+ memory: 1Gb
diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
index 75ff326d..db6be9b6 100644
--- a/charts/flink-job/templates/_helpers.tpl
+++ b/charts/flink-job/templates/_helpers.tpl
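Review bot: Both `*_KAFKA_TOKEN_URL` values and `s3.endpoint` in the new `ci/test.yaml` use `http://`, while the client id/secret and S3 keys beside them are resolved from Vault. If the job sends the client credentials to the token URL (inferred from the variable names, not shown here), they cross the cluster network unencrypted. That is tolerable against the OAuth simulator in CI, but nothing in the file marks it as test-only. I would add a comment above `env:` such as `# CI only: simulator and MinIO endpoints are plain HTTP; use https:// endpoints in real deployments`.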
@@ -195,11 +195,11 @@ Add necessary ssl configuration */}} {{- define "flink-job.sslConfiguration" -}} {{- $configs := .configs -}} - {{- $password := sha1sum (toYaml .global) }} + {{- $password := sha1sum (nospace (toString .global.image)) }} {{- if .global.internalSsl.enabled -}} {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}} {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore" (toString .global.internalSsl.configuration.keystore))) -}} - {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" (toString .global.internalSsl.configuration.keystore))) -}} + {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" (toString .global.internalSsl.configuration.truststore))) -}} {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore-password" (toString $password))) -}} {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore-password" (toString $password))) -}} {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.key-password" (toString $password))) -}} @@ -207,6 +207,7 @@ Add necessary ssl configuration {{- $configs | toJson -}} {{- end -}} + {{/* Add necessary istio configuration */}} diff --git a/charts/flink-job/templates/cert.yaml b/charts/flink-job/templates/cert.yaml index 244cf7ae..45d45ea8 100644 --- a/charts/flink-job/templates/cert.yaml +++ b/charts/flink-job/templates/cert.yaml 
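Review bot: `$password` in `flink-job.sslConfiguration` is now `sha1sum` of the image values only, so the keystore, truststore and key password can be recomputed by anyone who knows the image repository and tag, both of which are normally readable from the pod spec. The same expression feeds the `password` field in the `secret.yaml` hunk, and this helper also copies the value into the Flink configuration as `security.ssl.internal.*-password`. The two templates only agree while `.global.image` here and `.Values.image` there are the same map; how `.global` is populated is outside this hunk. A value not derived from chart inputs would be safer, for example a random password generated once and kept in the existing `-mtls-password` Secret, or a user-supplied one. At minimum the helper should say so: `{{/* NOTE: derived from image values; predictable, do not treat as a secret */}}`.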
@@ -6,12 +6,13 @@ metadata: spec: selfSigned: {} --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ printf "%s-mtls-crt" ( include "flink-job.name" . ) | quote }} spec: secretName: {{ printf "%s-mtls-secret" ( include "flink-job.name" . ) | quote }} + commonName: {{ printf "%s-mtls-crt" ( include "flink-job.name" . ) | quote }} issuerRef: name: {{ printf "%s-mtls-issuer" ( include "flink-job.name" . ) | quote }} keystores: diff --git a/charts/flink-job/templates/secret.yaml b/charts/flink-job/templates/secret.yaml index d136d0ad..f8fc5c5c 100644 --- a/charts/flink-job/templates/secret.yaml +++ b/charts/flink-job/templates/secret.yaml @@ -21,5 +21,5 @@ kind: Secret metadata: name: {{ printf "%s-mtls-password" ( include "flink-job.name" . ) | quote }} stringData: - password: {{ sha1sum (toYaml .Values) | quote }} + password: {{ sha1sum (nospace (toString .Values.image)) }} {{- end -}} \ No newline at end of file diff --git a/charts/flink-job/values.yaml b/charts/flink-job/values.yaml index 995183a9..dd40118f 100644 --- a/charts/flink-job/values.yaml +++ b/charts/flink-job/values.yaml @@ -30,11 +30,12 @@ internalSsl: # -- Set up SSL authentication/encryption using an init-container for creating the certificate enabled: true configuration: - keystore: /flinkkeystore/truststore.jks + keystore: /flinkkeystore/keystore.jks + truststore: /flinkkeystore/truststore.jks podVolumes: - name: truststore secret: - secretName: truststore.jks + secretName: "flink-job-mtls-secret" podVolumeMounts: - name: truststore mountPath: /flinkkeystore
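Review bot: The new `password:` line in `secret.yaml` drops the `| quote` that the removed line carried, so the digest is rendered as a plain YAML scalar. A 40-character hex string will almost always parse as a string, but `stringData` values must be strings and the neighbouring templated values (`name:`, `secretName:`, `commonName:`) are all quoted. Keep it explicit with `password: {{ sha1sum (nospace (toString .Values.image)) | quote }}`. The file still ends without a trailing newline.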
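Review bot: `secretName: "flink-job-mtls-secret"` in the `values.yaml` hunk is a fixed string, whereas `cert.yaml` names the secret with `printf "%s-mtls-secret" (include "flink-job.name" .)`. If `flink-job.name` resolves to anything other than `flink-job` (its definition is outside this diff; presumably an override or the release name can change it), the volume points at a secret the Certificate never writes, so the pod either fails to mount it or picks up an unrelated secret of that name. The volume and mount are also still called `truststore` although `keystore.jks`, presumably holding the private key, is now read from the same path. I would document the coupling beside the default, e.g. `# must match "<flink-job.name>-mtls-secret" written by templates/cert.yaml`, or build the volume in the template from the same `printf`.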