Merge branch 'main' of https://github.com/drycc-addons/addons into main

Author: EamonZhang

addons/flink/1.17/chart/flink/templates/jobmanager/networkpolicy.yaml

@@ -73,6 +73,18 @@ spec:
         - podSelector:
             matchLabels:
               {{ template "flink.jobmanager.fullname" . }}-client: "true"
+        {{- if .Values.jobmanager.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.jobmanager.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.jobmanager.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:

addons/flink/1.17/chart/flink/templates/taskmanager/headless-service.yml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 

addons/flink/1.17/chart/flink/templates/taskmanager/networkpolicy.yaml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
@@ -49,6 +49,7 @@ spec:
     - ports:
         - port: {{ .Values.taskmanager.containerPorts.data }}
         - port: {{ .Values.taskmanager.containerPorts.rpc }}
+        - port: {{ .Values.taskmanager.containerPorts.internalMetrics }}
       to:
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
@@ -62,16 +63,25 @@ spec:
     {{- if eq .Values.taskmanager.service.type "LoadBalancer" }}
     - {}
     {{- else }}
-    - ports:
-        - port: {{ .Values.taskmanager.containerPorts.data }}
-        - port: {{ .Values.taskmanager.containerPorts.rpc }}
-      {{- if not .Values.taskmanager.networkPolicy.allowExternal }}
-      from:
+    - from:
+        {{- if not .Values.taskmanager.networkPolicy.allowExternal }}
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
         - podSelector:
             matchLabels:
               {{ template "flink.taskmanager.fullname" . }}-client: "true"
+        {{- if .Values.taskmanager.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.taskmanager.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.taskmanager.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:

addons/flink/1.17/chart/flink/templates/taskmanager/statefulset.yaml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 

addons/flink/1.17/chart/flink/values.yaml

@@ -303,10 +303,12 @@ jobmanager:
     ## on. When true, server will accept connections from any source
     ## (with the correct destination port).
     ##
-    allowExternal: true
+    allowExternal: false
     ## @param jobmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
     ##
     allowExternalEgress: true
+    allowCurrentNamespace: true
+    allowNamespaces: []
     ## @param jobmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
     ## e.g:
     ## extraIngress:
@@ -672,10 +674,12 @@ taskmanager:
     ## on. When true, server will accept connections from any source
     ## (with the correct destination port).
     ##
-    allowExternal: true
+    allowExternal: false
     ## @param taskmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
     ##
     allowExternalEgress: true
+    allowCurrentNamespace: true
+    allowNamespaces: []
     ## @param taskmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
     ## e.g:
     ## extraIngress:

addons/flink/1.17/meta.yaml

@@ -18,12 +18,18 @@ allow_parameters:
 - name: "jobmanager.service.type"
   required: false
   description: "jobmanager service type config for values.yaml"
+- name: "jobmanager.networkPolicy.allowNamespaces"
+  required: false
+  description: "jobmanager networkPolicy allowNamespaces config for values.yaml"
 - name: "jobmanager.extraEnvVars"
   required: false
   description: "jobmanager extraEnvVars config for values.yaml"
 - name: "taskmanager.service.type"
   required: false
   description: "taskmanager service type config for values.yaml"
+- name: "taskmanager.networkPolicy.allowNamespaces"
+  required: false
+  description: "taskmanager networkPolicy allowNamespaces config for values.yaml"
 - name: "taskmanager.extraEnvVars"
   required: false
   description: "taskmanager extraEnvVars config for values.yaml"

addons/kafka/3.6/chart/kafka/templates/_helpers.tpl

@@ -956,6 +956,7 @@ Init container definition for waiting for Kubernetes autodiscovery
   image: {{ include "kafka.externalAccess.autoDiscovery.image" .context }}
   imagePullPolicy: {{ .context.Values.externalAccess.autoDiscovery.image.pullPolicy | quote }}
   command:
+    - init-stack
     - /scripts/auto-discovery.sh
   env:
     - name: MY_POD_NAME

addons/kafka/3.6/chart/kafka/values.yaml

@@ -644,7 +644,7 @@ controller:
       drop: ["ALL"]
   ## @param controller.automountServiceAccountToken Mount Service Account token in pod
   ##
-  automountServiceAccountToken: false
+  automountServiceAccountToken: true
   ## @param controller.hostAliases Kafka pods host aliases
   ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
   ##
@@ -1053,7 +1053,7 @@ broker:
       drop: ["ALL"]
   ## @param broker.automountServiceAccountToken Mount Service Account token in pod
   ##
-  automountServiceAccountToken: false
+  automountServiceAccountToken: true
   ## @param broker.hostAliases Kafka pods host aliases
   ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
   ##
@@ -1381,7 +1381,7 @@ externalAccess:
   autoDiscovery:
     ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs/ports by querying the K8s API
     ##
-    enabled: false
+    enabled: true
     ## Bitnami Kubectl image
     ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
     ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry
@@ -1728,7 +1728,7 @@ serviceAccount:
   ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
   ## Can be set to false if pods using this serviceAccount do not need to use K8s API
   ##
-  automountServiceAccountToken: false
+  automountServiceAccountToken: true
   ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
   ##
   annotations: {}
@@ -1740,7 +1740,7 @@ rbac:
   ## binding Kafka ServiceAccount to a role
   ## that allows Kafka pods querying the K8s API
   ##
-  create: false
+  create: true
 
 ## @section Metrics parameters
 ##
@@ -1920,7 +1920,7 @@ metrics:
         drop: ["ALL"]
     ## @param metrics.kafka.automountServiceAccountToken Mount Service Account token in pod
     ##
-    automountServiceAccountToken: false
+    automountServiceAccountToken: true
     ## @param metrics.kafka.hostAliases Kafka exporter pods host aliases
     ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
     ##
@@ -2063,7 +2063,7 @@ metrics:
       ## @param metrics.kafka.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
       ## Can be set to false if pods using this serviceAccount do not need to use K8s API
       ##
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
   ## Prometheus JMX exporter: exposes the majority of Kafka metrics
   ##
   jmx:

addons/kafka/3.6/meta.yaml

@@ -15,6 +15,18 @@ instances_retrievable: true
 bindings_retrievable: true
 plan_updateable: true
 allow_parameters:
+- name: "listeners.client.protocol"
+  required: false
+  description: "listeners client protocol config for values.yaml"
+- name: "listeners.controller.protocol"
+  required: false
+  description: "listeners controller protocol config for values.yaml"
+- name: "listeners.interbroker.protocol"
+  required: false
+  description: "listeners interbroker protocol config for values.yaml"
+- name: "listeners.external.protocol"
+  required: false
+  description: "listeners external protocol config for values.yaml"
 - name: "networkPolicy.allowNamespaces"
   required: false
   description: "networkPolicy allowNamespaces config for values.yaml"
@@ -24,4 +36,13 @@ allow_parameters:
 - name: "metrics.kafka.enabled"
   required: false
   description: "metrics kafka enabled or not config for values.yaml"
+- name: "externalAccess.enabled"
+  required: false
+  description: "externalAccess enabled or not config for values.yaml"
+- name: "listeners.advertisedListeners"
+  required: false
+  description: "listeners advertisedListeners or not config for values.yaml"
+- name: "metrics.kafka.enabled"
+  required: false
+  description: "metrics kafka enabled or not config for values.yaml"
 archive: false

addons/opensearch/2.10/plans/standard-8c32g2048/bind.yaml

@@ -0,0 +1,68 @@
+credential:
+  {{- if (eq .Values.service.type "LoadBalancer") }}
+  - name: EXTERNAL_OPENSEARCH_HOST
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.service.name" . }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  {{- end }}
+
+  - name: OPENSEARCH_HOST
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.service.name" . }}
+        jsonpath: '{ .spec.clusterIP }'
+  
+  - name: OPENSEARCH_TCP_REST_API_PORT
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.service.name" . }}
+        jsonpath: '{ .spec.ports[?(@.name=="tcp-rest-api")].port }'
+
+  - name: OPENSEARCH_TCP_TRANSPORT_PORT
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.service.name" . }}
+        jsonpath: '{ .spec.ports[?(@.name=="tcp-transport")].port }'
+
+  {{- if .Values.dashboards.enabled }}
+  {{ if (eq .Values.dashboards.service.type "LoadBalancer") }}
+  - name: EXTERNAL_OPENSEARCH_DASHBOARDS_HOST
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.dashboards.servicename" . }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  {{- end }}
+
+  - name: OPENSEARCH_DASHBOARDS_HOST
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.dashboards.servicename" . }}
+        jsonpath: '{ .spec.clusterIP }'
+
+  - name: OPENSEARCH_DASHBOARDS_PORT
+    valueFrom:
+      serviceRef:
+        name: {{ include "opensearch.dashboards.servicename" . }}
+        jsonpath: '{ .spec.ports[?(@.name=="http")].port }'
+  {{- end }}
+
+  {{- if .Values.security.enabled }}
+  - name: OPENSEARCH_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .data.opensearch-password }'
+
+  - name: OPENSEARCH_DASHBOARDS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .data.opensearch-dashboards-password }'
+
+  - name: LOGSTASH_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .data.logstash-password }'
+  {{- end }}