
Allow to configure service account for clickhouse instance #463

Open
Legion2 opened this issue Jun 30, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@Legion2

Legion2 commented Jun 30, 2022

Proposed change

Allow to configure service account for clickhouse instance, to be able to add eks.amazonaws.com/role-arn annotation and use IAM roles for service accounts, which is useful for creating backups in S3.

Alternative options

IAM roles for service accounts can not be used and aws access key credentials must be used instead.

@Legion2 Legion2 added the enhancement New feature or request label Jun 30, 2022
@guidoiaquinti
Contributor

👋 Hey @Legion2, the service account is coming from the upstream clickhouse-operator and we render it via

```bash
#!/usr/bin/env bash
#
# This tool fetches and formats 'Altinity/clickhouse-operator'
# k8s resource definitions into our chart.
#
# Why do we need this? The 'clickhouse-operator' doesn't expose a Helm
# package so we need to collect and bundle the resources on our own.
#
set -e
set -u
set -o pipefail

CURRENT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd -P)"
CHART_PATH_RAW="${CURRENT_DIR}/../charts/posthog"
CHART_PATH=$(cd "$CHART_PATH_RAW" 2> /dev/null && pwd -P)
TMP_FOLDER="$(mktemp -d)"
trap 'rm -rf -- "$TMP_FOLDER"' EXIT

OPERATOR_NAMESPACE="posthog"
CLICKHOUSE_OPERATOR_TAG="0.18.4"
URL="https://raw.githubusercontent.com/Altinity/clickhouse-operator/${CLICKHOUSE_OPERATOR_TAG}/deploy/operator/clickhouse-operator-install-template.yaml"

#
# Download the 'altinity/clickhouse-operator' definition and save it as a temporary file.
#
# see: https://github.com/Altinity/clickhouse-operator/blob/master/docs/quick_start.md#in-case-you-can-not-run-scripts-from-internet-in-your-protected-environment
#
OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE:-test-clickhouse-operator}"
METRICS_EXPORTER_NAMESPACE="${OPERATOR_NAMESPACE}"
# NOTE: we pin to 0.19.0 here which is different to the 0.16.1 manifest version.
# Prior to pinning we were specifying latest, so to ensure that the version
# doesn't change on existing installs we pin to latest as of writing, thereby
# mitigating the possibility that the chart will unexpectedly update, while also
# maintaining current functionality.
OPERATOR_IMAGE="${OPERATOR_IMAGE:-altinity/clickhouse-operator:0.19.0}"
METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE:-altinity/metrics-exporter:latest}"
curl -s "${URL}" | \
  OPERATOR_IMAGE="${OPERATOR_IMAGE}" \
  OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE}" \
  METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE}" \
  METRICS_EXPORTER_NAMESPACE="${METRICS_EXPORTER_NAMESPACE}" \
  envsubst > "$TMP_FOLDER/clickhouse-operator.yaml"

#
# Use the 'altinity/clickhouse-operator' definition file we fetched and parsed and slice it
# into different files, based on the resource kind
#
go install github.com/patrickdappollonio/[email protected]
rm -rf "${CHART_PATH}/templates/clickhouse-operator"
mkdir -p "${CHART_PATH}/templates/clickhouse-operator"
kubectl-slice -f "$TMP_FOLDER/clickhouse-operator.yaml" -o "${CHART_PATH}/crds" --include-kind CustomResourceDefinition --template '{{.metadata.name}}.yaml'
kubectl-slice -f "$TMP_FOLDER/clickhouse-operator.yaml" -o "${CHART_PATH}/templates/clickhouse-operator" --exclude-kind CustomResourceDefinition --template '{{.kind | lower}}.yaml'

#
# Add a {{- if .Values.clickhouse.enabled }} and {{- end }} at the end of each non-crds resource.
# Also replace 'namespace: posthog' and '#namespace: posthog' with
# {{ .Values.clickhouse.namespace | default .Release.Namespace }} so we can keep customizing where the operator is installed
#
FILES="${CHART_PATH}/templates/clickhouse-operator/*"
for f in $FILES
do
  # NOTE: previously we were using sed with the `-i` option to specify that we
  # should do the modifications in place. The option behaviour differs between GNU and
  # BSD versions, hence here we opt for using perl instead.
  perl -pi -e 'print "{{- if .Values.clickhouse.enabled }}\n" if $. == 1' "$f"
  echo "{{- end }}" >> "$f"
  perl -pi -e 's/#namespace: posthog$/namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}/g' "$f"
  perl -pi -e 's/namespace: posthog$/namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}/g' "$f"
done
```

as they currently do not offer a Helm chart.

My suggestion is to open a PR upstream to either:

  • change the operator to allow custom annotations for the service account
  • support a proper Helm chart we can then import in this one

Feedback is welcome. Thank you!

@Legion2
Author

Legion2 commented Jun 30, 2022

Looks like it is already supported: in the ClickHouseInstallation CRD you can specify podTemplates which include serviceAccountName. So the Service Account itself must be created separately and only the name must be set in the ClickHouseInstallation CR, which should be possible via this helm chart. I will try this and report back.

@Legion2
Author

Legion2 commented Jul 1, 2022

Here, an option to configure the serviceAccountName must be added:

```yaml
      - name: pod-template
        {{- if .Values.clickhouse.podAnnotations }}
        metadata:
          annotations: {{ toYaml .Values.clickhouse.podAnnotations | nindent 12 }}
        {{- end }}
        spec:
          {{- if .Values.clickhouse.affinity }}
          affinity: {{ toYaml .Values.clickhouse.affinity | nindent 12 }}
          {{- end }}
          {{- if .Values.clickhouse.tolerations }}
          tolerations: {{ toYaml .Values.clickhouse.tolerations | nindent 12 }}
          {{- end }}
          {{- if .Values.clickhouse.nodeSelector }}
          nodeSelector: {{ toYaml .Values.clickhouse.nodeSelector | nindent 12 }}
          {{- end }}
          {{- if .Values.clickhouse.persistence.enabled }}
          volumes:
            {{- if .Values.clickhouse.persistence.existingClaim }}
            - name: existing-volumeclaim
              persistentVolumeClaim:
                claimName: {{ .Values.clickhouse.persistence.existingClaim }}
            {{- else }}
            - name: data-volumeclaim-template
              persistentVolumeClaim:
                claimName: data-volumeclaim-template
            {{- end }}
          {{- end }}
          {{- if .Values.clickhouse.securityContext.enabled }}
          securityContext: {{- omit .Values.clickhouse.securityContext "enabled" | toYaml | nindent 12 }}
          {{- end }}
```
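As an added example (not code from this issue or from the PostHog chart), here is what the change the comments above describe could look like end to end: a hypothetical `clickhouse.serviceAccountName` value, the pod template referencing the ServiceAccount by name in the same `{{- if .Values.clickhouse.X }}` style as the existing keys, and the ServiceAccount itself, created separately, carrying the `eks.amazonaws.com/role-arn` annotation. The role ARN and the ServiceAccount name are placeholders. Note that IAM Roles for Service Accounts reads the annotation from the ServiceAccount object, not from the pod, which is why `podAnnotations` alone does not achieve this.

```yaml
# Added example, not the chart's own code. The values key
# `clickhouse.serviceAccountName` and the role ARN are assumptions.

# --- values.yaml (hypothetical key) ---------------------------------------
clickhouse:
  serviceAccountName: clickhouse-backup   # name of the ServiceAccount below

# --- podTemplates entry in the ClickHouseInstallation template -------------
# Only the name is set here; the operator copies it into the pod spec, so
# the ServiceAccount must already exist in the same namespace.
      - name: pod-template
        spec:
          {{- if .Values.clickhouse.serviceAccountName }}
          serviceAccountName: {{ .Values.clickhouse.serviceAccountName }}
          {{- end }}

# --- ServiceAccount rendered in the chart's namespace ----------------------
# The annotation is what the EKS pod identity webhook looks for. It then
# mounts a projected service-account token and sets AWS_ROLE_ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE in the pod, so no access keys are needed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: clickhouse-backup
  namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}
  annotations:
    # placeholder: <ACCOUNT_ID> and <ROLE_NAME> must be filled in by the operator
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
```

Scope the IAM side to match: the role's trust policy should condition on this exact namespace and ServiceAccount name (the `sub` claim of the OIDC token), and its permissions policy should grant only the S3 actions the backup needs on the backup bucket, so a compromised ClickHouse pod cannot reach anything else in the account.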
