From 00dfeef4077d6f13abf1ff736af86dc90800953d Mon Sep 17 00:00:00 2001
From: florianMalbranque
Date: Sun, 1 Sep 2024 20:15:38 +0200
Subject: [PATCH 1/3] Add access control config to worker
---
charts/trino/templates/_helpers.tpl | 40 +++++++++++++++++++
charts/trino/templates/configmap-worker.yaml | 14 +++++++
charts/trino/templates/deployment-worker.yaml | 9 +++++
3 files changed, 63 insertions(+)
diff --git a/charts/trino/templates/_helpers.tpl b/charts/trino/templates/_helpers.tpl
index 26aa8a6b..e1682c80 100644
--- a/charts/trino/templates/_helpers.tpl
+++ b/charts/trino/templates/_helpers.tpl
@@ -139,3 +139,43 @@ Create the name of the file auth secret to use {{- end }} {{- end }} {{- end }} + + +{{- define "trino.accessControlConfigMap" -}} +{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "trino.fullname" . }}-access-control-volume + namespace: {{ .Release.Namespace }} + labels: + {{- include "trino.labels" . | nindent 4 }} +data: + {{- range $key, $val := .Values.accessControl.rules }} + {{ $key }}: {{ $val | quote }} + {{- end }} +{{- end }}{{- end }} +{{- end }} + + +{{- define "trino.accessControlProperties" -}} +{{- if .Values.accessControl }} + {{- if eq .Values.accessControl.type "configmap" }} + access-control.properties: | + access-control.name=file + {{- if .Values.accessControl.refreshPeriod }} + security.refresh-period={{ .Values.accessControl.refreshPeriod }} + {{- end }} + security.config-file={{ .Values.server.config.path }}/access-control/{{ .Values.accessControl.configFile | default "rules.json" }} + {{- else if eq .Values.accessControl.type "properties" }} + access-control.properties: | + {{- if .Values.accessControl.properties }} + {{- .Values.accessControl.properties | nindent 4 }} + {{- else}} + {{- fail "accessControl.properties is required when accessControl.type is 'properties'." }} + {{- end }} + {{- else}} + {{- fail "Invalid accessControl.type value. It must be either 'configmap' or 'properties'." }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/trino/templates/configmap-worker.yaml b/charts/trino/templates/configmap-worker.yaml index e209f223..e5f24daa 100644 --- a/charts/trino/templates/configmap-worker.yaml +++ b/charts/trino/templates/configmap-worker.yaml 
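Review bot: In the `configmap` branch of `trino.accessControlProperties`, `security.config-file` is built from `accessControl.configFile` (default `rules.json`) without checking that `accessControl.rules` actually contains a key of that name, whereas the `properties` branch already fails the render on missing input. A mismatch would only surface when Trino tries to load the rule file at startup, so a template-time guard in the same style is cheaper: `{{- if not (hasKey (.Values.accessControl.rules | default dict) (.Values.accessControl.configFile | default "rules.json")) }}{{- fail "accessControl.rules must contain the file named by accessControl.configFile." }}{{- end }}`. Both new defines also lack the `{{/* … */}}` description that the other helpers in this file appear to carry; something like `{{/* Render access-control.properties for the coordinator and worker ConfigMaps */}}` would do.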
@@ -83,10 +83,24 @@ data: {{- end }} {{ end }} + +{{- if .Values.accessControl }} + {{ include "trino.accessControlProperties" . }} +{{- end }} + {{- range $fileName, $fileContent := .Values.worker.additionalConfigFiles }} {{ $fileName }}: | {{- $fileContent | nindent 4 }} {{- end }} + +--- + +{{- if .Values.accessControl }} + {{- if eq .Values.accessControl.type "configmap" }} + {{ include "trino.accessControlConfigMap" . }} + {{- end }} +{{- end }} + --- apiVersion: v1 kind: ConfigMap diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml index 59c26504..cb03a1af 100644 --- a/charts/trino/templates/deployment-worker.yaml +++ b/charts/trino/templates/deployment-worker.yaml @@ -50,6 +50,11 @@ spec: - name: schemas-volume configMap: name: {{ template "trino.fullname" . }}-schemas-volume-worker + {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} + - name: access-control-volume + configMap: + name: {{ template "trino.fullname" . }}-access-control-volume + {{- end }}{{- end }} {{- range .Values.configMounts }} - name: {{ .name }} configMap: @@ -97,6 +102,10 @@ spec: name: catalog-volume - mountPath: {{ .Values.kafka.mountPath }} name: schemas-volume + {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} + - mountPath: {{ .Values.server.config.path }}/access-control + name: access-control-volume + {{- end }}{{- end }} {{- range .Values.configMounts }} - name: {{ .name }} mountPath: {{ .path }} From 51d4221d39ecc0763bcd6ebc901780b1b2844d5b Mon Sep 17 00:00:00 2001 From: florianMalbranque Date: Sun, 1 Sep 2024 20:16:25 +0200 Subject: [PATCH 2/3] Refact use centralised access control from helpers --- .../templates/configmap-coordinator.yaml | 49 ++++++------------- .../templates/deployment-coordinator.yaml | 2 +- 2 files changed, 15 insertions(+), 36 deletions(-) 
diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml index 9711c9ee..1f21acd3 100644 --- a/charts/trino/templates/configmap-coordinator.yaml +++ b/charts/trino/templates/configmap-coordinator.yaml @@ -80,26 +80,6 @@ data: {{- .Values.server.coordinatorExtraConfig | nindent 4 }} {{- end }} -{{- if .Values.accessControl }} - {{- if eq .Values.accessControl.type "configmap" }} - access-control.properties: | - access-control.name=file - {{- if .Values.accessControl.refreshPeriod }} - security.refresh-period={{ .Values.accessControl.refreshPeriod }} - {{- end }} - security.config-file={{ .Values.server.config.path }}/access-control/{{ .Values.accessControl.configFile | default "rules.json" }} - {{- else if eq .Values.accessControl.type "properties" }} - access-control.properties: | - {{- if .Values.accessControl.properties }} - {{- .Values.accessControl.properties | nindent 4 }} - {{- else}} - {{- fail "accessControl.properties is required when accessControl.type is 'properties'." }} - {{- end }} - {{- else}} - {{- fail "Invalid accessControl.type value. It must be either 'configmap' or 'properties'." }} - {{- end }} -{{- end }} - {{- if .Values.resourceGroups }} resource-groups.properties: | resource-groups.configuration-manager=file 
@@ -142,29 +122,26 @@ data: {{- end }} {{ end }} -{{- range $fileName, $fileContent := .Values.coordinator.additionalConfigFiles }} +{{- if .Values.accessControl }} + {{ include "trino.accessControlProperties" . }} +{{- end }} + +{{- range $fileName, $fileContent := .Values.worker.additionalConfigFiles }} {{ $fileName }}: | {{- $fileContent | nindent 4 }} {{- end }} --- -{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "trino.fullname" . }}-access-control-volume-coordinator - namespace: {{ .Release.Namespace }} - labels: - {{- include "trino.labels" . | nindent 4 }} - app.kubernetes.io/component: coordinator -data: - {{- range $key, $val := .Values.accessControl.rules }} - {{ $key }}: {{ $val | quote }} +{{- if .Values.accessControl }} + {{- if eq .Values.accessControl.type "configmap" }} + {{ include "trino.accessControlConfigMap" . }} {{- end }} -{{- end }}{{- end }} -{{- if .Values.resourceGroups }} +{{- end }} + --- +{{- if .Values.resourceGroups }} + apiVersion: v1 kind: ConfigMap metadata: @@ -177,7 +154,9 @@ data: resource-groups.json: |- {{- .Values.resourceGroups.resourceGroupsConfig | nindent 4 }} {{- end }} + --- + apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml index 9b068db4..466a7830 100644 --- a/charts/trino/templates/deployment-coordinator.yaml +++ b/charts/trino/templates/deployment-coordinator.yaml @@ -51,7 +51,7 @@ spec: {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} - name: access-control-volume configMap: - name: {{ template "trino.fullname" . }}-access-control-volume-coordinator + name: {{ template "trino.fullname" . }}-access-control-volume {{- end }}{{- end }} {{- if .Values.resourceGroups }} - name: resource-groups-volume From 3d38e4ffa66937a6720bd7f101b08280a7830f5b Mon Sep 17 00:00:00 2001 
From: florianMalbranque Date: Wed, 4 Sep 2024 16:23:53 +0200 Subject: [PATCH 3/3] Fix mutualise resource definition --- charts/trino/templates/_helpers.tpl | 16 ---------- .../templates/configmap-access-control.yaml | 15 +++++++++ .../templates/configmap-coordinator.yaml | 31 ++----------------- charts/trino/templates/configmap-worker.yaml | 13 ++------ 4 files changed, 20 insertions(+), 55 deletions(-) create mode 100644 charts/trino/templates/configmap-access-control.yaml diff --git a/charts/trino/templates/_helpers.tpl b/charts/trino/templates/_helpers.tpl index e1682c80..48b30358 100644 --- a/charts/trino/templates/_helpers.tpl +++ b/charts/trino/templates/_helpers.tpl @@ -141,22 +141,6 @@ Create the name of the file auth secret to use {{- end }} -{{- define "trino.accessControlConfigMap" -}} -{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "trino.fullname" . }}-access-control-volume - namespace: {{ .Release.Namespace }} - labels: - {{- include "trino.labels" . | nindent 4 }} -data: - {{- range $key, $val := .Values.accessControl.rules }} - {{ $key }}: {{ $val | quote }} - {{- end }} -{{- end }}{{- end }} -{{- end }} - {{- define "trino.accessControlProperties" -}} {{- if .Values.accessControl }} diff --git a/charts/trino/templates/configmap-access-control.yaml b/charts/trino/templates/configmap-access-control.yaml new file mode 100644 index 00000000..46ef4582 --- /dev/null +++ b/charts/trino/templates/configmap-access-control.yaml 
@@ -0,0 +1,15 @@ +{{- define "trino.accessControlConfigMap" -}} +{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "trino.fullname" . }}-access-control-volume + namespace: {{ .Release.Namespace }} + labels: + {{- include "trino.labels" . | nindent 4 }} +data: + {{- range $key, $val := .Values.accessControl.rules }} + {{ $key }}: {{ $val | quote }} + {{- end }} +{{- end }}{{- end }} +{{- end }} diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml index 1f21acd3..3e67393e 100644 --- a/charts/trino/templates/configmap-coordinator.yaml +++ b/charts/trino/templates/configmap-coordinator.yaml @@ -122,41 +122,16 @@ data: {{- end }} {{ end }} -{{- if .Values.accessControl }} - {{ include "trino.accessControlProperties" . }} -{{- end }} -{{- range $fileName, $fileContent := .Values.worker.additionalConfigFiles }} +{{ include "trino.accessControlProperties" . }} + +{{- range $fileName, $fileContent := .Values.coordinator.additionalConfigFiles }} {{ $fileName }}: | {{- $fileContent | nindent 4 }} {{- end }} --- -{{- if .Values.accessControl }} - {{- if eq .Values.accessControl.type "configmap" }} - {{ include "trino.accessControlConfigMap" . }} - {{- end }} -{{- end }} - ---- -{{- if .Values.resourceGroups }} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "trino.fullname" . }}-resource-groups-volume-coordinator - namespace: {{ .Release.Namespace }} - labels: - {{- include "trino.labels" . | nindent 4 }} - app.kubernetes.io/component: coordinator -data: - resource-groups.json: |- - {{- .Values.resourceGroups.resourceGroupsConfig | nindent 4 }} -{{- end }} - ---- - apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/trino/templates/configmap-worker.yaml b/charts/trino/templates/configmap-worker.yaml index e5f24daa..3e81f37a 100644 --- a/charts/trino/templates/configmap-worker.yaml 
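Review bot: The new `configmap-access-control.yaml` still wraps the ConfigMap in `{{- define "trino.accessControlConfigMap" -}}` … `{{- end }}`, and this patch removes both `include` calls from `configmap-coordinator.yaml` and `configmap-worker.yaml`, so nothing visible in the series renders the resource any more. A template file that contains only a `define` produces no manifest, while both deployments still mount `{{ template "trino.fullname" . }}-access-control-volume` when `accessControl.type` is `configmap`; the pods would then wait on a ConfigMap that does not exist, unless a template outside this series includes it. Dropping the first and last line of the file, so that `{{- if .Values.accessControl }}` is the outermost construct, lets Helm emit the ConfigMap directly.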
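Review bot: The `…-resource-groups-volume-coordinator` ConfigMap is deleted in the `configmap-coordinator.yaml` hunk together with the access-control include, and none of the four files in this patch re-creates it. `deployment-coordinator.yaml` still declares a `resource-groups-volume` under `{{- if .Values.resourceGroups }}` (visible as context in patch 2), so a release with `resourceGroups` set would presumably reference a ConfigMap that is no longer rendered. If the removal is accidental, keep the `{{- if .Values.resourceGroups }}` … `{{- end }}` document and the `---` before it; if it is intended, it belongs in its own commit together with the matching deployment change.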
+++ b/charts/trino/templates/configmap-worker.yaml @@ -84,23 +84,14 @@ data: {{ end }} -{{- if .Values.accessControl }} - {{ include "trino.accessControlProperties" . }} -{{- end }} +{{ include "trino.accessControlProperties" . }} + {{- range $fileName, $fileContent := .Values.worker.additionalConfigFiles }} {{ $fileName }}: | {{- $fileContent | nindent 4 }} {{- end }} ---- - -{{- if .Values.accessControl }} - {{- if eq .Values.accessControl.type "configmap" }} - {{ include "trino.accessControlConfigMap" . }} - {{- end }} -{{- end }} - --- apiVersion: v1 kind: ConfigMap