chore(clickhouse): update use keeper

Author: EamonZhang

addons/clickhouse/24/chart/clickhouse/templates/_helpers.tpl

@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{/*
 Return the proper ClickHouse image name
 */}}
@@ -94,6 +99,18 @@ Get the ClickHouse configuration configmap.
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Get the ClickHouse configuration users configmap.
+*/}}
+{{- define "clickhouse.usersExtraConfigmapName" -}}
+{{- if .Values.usersExtraOverridesConfigmap -}}
+    {{- .Values.usersExtraOverridesConfigmap -}}
+{{- else }}
+    {{- printf "%s-users-extra" (include "common.names.fullname" . ) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the Clickhouse password secret name
 */}}
@@ -185,17 +202,18 @@ Compile all warnings into a single message.
 {{- end -}}
 {{- end -}}
 
-{{/* Validate values of ClickHouse - Zookeeper */}}
+{{/* Validate values of ClickHouse - [Zoo]keeper */}}
 {{- define "clickhouse.validateValues.zookeeper" -}}
-{{- if and .Values.zookeeper.enabled .Values.externalZookeeper.servers -}}
-clickhouse: Multiple Zookeeper
-    You can only use one zookeeper
-    Please choose installing a Zookeeper chart (--set zookeeper.enabled=true) or
+{{- if or (and .Values.keeper.enabled .Values.zookeeper.enabled) (and .Values.keeper.enabled .Values.externalZookeeper.servers) (and .Values.zookeeper.enabled .Values.externalZookeeper.servers) -}}
+clickhouse: Multiple [Zoo]keeper
+    You can only use one [zoo]keeper
+    Please choose use ClickHouse keeper or
+    installing a Zookeeper chart (--set zookeeper.enabled=true) or
     using an external instance (--set zookeeper.servers )
 {{- end -}}
-{{- if and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers) (ne (int .Values.shards) 1) (ne (int .Values.replicaCount) 1) -}}
-clickhouse: No Zookeeper
-    If you are deploying more than one ClickHouse instance, you need to enable Zookeeper. Please choose installing a Zookeeper chart (--set zookeeper.enabled=true) or
+{{- if and (not .Values.keeper.enabled) (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers) (ne (int .Values.shards) 1) (ne (int .Values.replicaCount) 1) -}}
+clickhouse: No [Zoo]keeper
+    If you are deploying more than one ClickHouse instance, you need to enable [Zoo]keeper. Please choose installing a [Zoo]keeper (--set keeper.enabled=true) or (--set zookeeper.enabled=true) or
     using an external instance (--set zookeeper.servers )
 {{- end -}}
 {{- end -}}

addons/clickhouse/24/chart/clickhouse/templates/configmap-extra.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if and .Values.extraOverrides (not .Values.extraOverridesConfigmap) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ printf "%s-extra" (include "common.names.fullname" .) }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/configmap-users-extra.yaml

@@ -0,0 +1,20 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.usersExtraOverrides (not .Values.usersExtraOverridesConfigmap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-users-extra" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: clickhouse
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  01_users_extra_overrides.xml: |
+    {{- include "common.tplvalues.render" (dict "value" .Values.usersExtraOverrides "context" $) | nindent 4 }}
+{{- end }}

addons/clickhouse/24/chart/clickhouse/templates/configmap.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if not .Values.existingOverridesConfigmap }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "common.names.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/extra-list.yaml

@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- range .Values.extraDeploy }}
 ---
 {{ include "common.tplvalues.render" (dict "value" . "context" $) }}

addons/clickhouse/24/chart/clickhouse/templates/ingress-tls-secrets.yaml

@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.ingress.enabled }}
 {{- if .Values.ingress.secrets }}
 {{- range .Values.ingress.secrets }}
@@ -6,12 +11,9 @@ kind: Secret
 metadata:
   name: {{ .name }}
   namespace: {{ $.Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" $ | nindent 4 }}
-    {{- if $.Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if $.Values.commonAnnotations }}
-  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}
 type: kubernetes.io/tls
 data:
@@ -21,24 +23,22 @@ data:
 {{- end }}
 {{- end }}
 {{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
 {{- $ca := genCA "clickhouse-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-tls" .Values.ingress.hostname }}
+  name: {{ $secretName }}
   namespace: {{ .Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ $cert.Cert | b64enc | quote }}
-  tls.key: {{ $cert.Key | b64enc | quote }}
-  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/ingress.yaml

@@ -1,20 +1,19 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.ingress.enabled }}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ include "common.names.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
-  annotations:
-    {{- if .Values.ingress.annotations }}
-    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
-    {{- end }}
-    {{- if .Values.commonAnnotations }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
-    {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
 spec:
   {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

addons/clickhouse/24/chart/clickhouse/templates/init-scripts-secret.yaml

@@ -1,14 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if and .Values.initdbScripts (not .Values.initdbScriptsSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ printf "%s-init-scripts" (include "common.names.fullname" .) }}
   namespace: {{ include "common.names.namespace" . | quote }}
-  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: clickhouse
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}

addons/clickhouse/24/chart/clickhouse/templates/networkpolicy.yaml

@@ -0,0 +1,135 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: clickhouse
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: clickhouse
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow outbound connections to other cluster pods
+    - ports:
+        - port: {{ .Values.service.ports.http }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.https }}
+        {{- end }}
+        - port: {{ .Values.service.ports.tcp }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.tcpSecure }}
+        {{- end }}
+        {{- if .Values.keeper.enabled }}
+        - port: {{ .Values.service.ports.keeper }}
+        - port: {{ .Values.service.ports.keeperInter }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.service.ports.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        - port: {{ .Values.service.ports.mysql }}
+        - port: {{ .Values.service.ports.postgresql }}
+        - port: {{ .Values.service.ports.interserver }}
+        {{- if .Values.metrics.enabled }}
+        - port: {{ .Values.service.ports.metrics }}
+        {{- end }}
+      {{- if $.Values.externalAccess.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.http }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.https }}
+        {{- end }}
+        {{- if $.Values.metrics.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.metrics }}
+        {{- end }}
+        - port: {{ $.Values.externalAccess.service.ports.tcp }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.tcpSecure }}
+        {{- end }}
+        {{- if $.Values.keeper.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.keeper }}
+        - port: {{ $.Values.externalAccess.service.ports.keeperInter }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.externalAccess.service.ports.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        - port: {{ $.Values.externalAccess.service.ports.mysql }}
+        - port: {{ $.Values.externalAccess.service.ports.postgresql }}
+        - port: {{ $.Values.externalAccess.service.ports.interserver }}
+      {{- end }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+    {{- if .Values.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if eq $.Values.service.type "ClusterIP" }}
+  ingress:
+    - ports:
+        - port: {{ $.Values.containerPorts.http }}
+        - port: {{ $.Values.containerPorts.tcp }}
+        - port: {{ $.Values.containerPorts.mysql }}
+        - port: {{ $.Values.containerPorts.postgresql }}
+        - port: {{ $.Values.containerPorts.interserver }}
+        {{- if $.Values.tls.enabled }}
+        - port: {{ $.Values.containerPorts.tcpSecure }}
+        - port: {{ $.Values.containerPorts.https }}
+        {{- end }}
+        {{- if $.Values.keeper.enabled }}
+        - port: {{ $.Values.containerPorts.keeper }}
+        - port: {{ $.Values.containerPorts.keeperInter }}
+        {{- if $.Values.tls.enabled }}
+        - port : {{ $.Values.containerPorts.keeperSecure }}
+        {{- end }}
+        {{- end }}
+        {{- if $.Values.metrics.enabled }}
+        - port: {{ $.Values.containerPorts.metrics }}
+        {{- end }}
+     
+      {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+      from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if eq $.Values.service.type "LoadBalancer" }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end }}