Moving access-control ConfigMap to a separate file

Moving the access control ConfigMap to a separate file will prevent the coordinator from restarting when changing access control rules if a refreshPeriod is specified.
trinodb · Sep 6, 2024 · f47aca0 · f47aca0
1 parent 6427afe
commit f47aca0
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 25 deletions.
diff --git a/charts/trino/templates/configmap-access-control.yaml b/charts/trino/templates/configmap-access-control.yaml
@@ -0,0 +1,14 @@
+{{- if eq .Values.accessControl.type "configmap" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "trino.fullname" . }}-access-control-volume-coordinator
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "trino.labels" . | nindent 4 }}
+    app.kubernetes.io/component: coordinator
+data:
+  {{- range $key, $val := .Values.accessControl.rules }}
+  {{ $key }}: {{ $val | quote }}
+  {{- end }}
+{{- end }}
diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml
@@ -80,14 +80,25 @@ data:
     {{- .Values.server.coordinatorExtraConfig | nindent 4 }}
     {{- end }}
 
-{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
+{{- if .Values.accessControl }}
+  {{- if eq .Values.accessControl.type "configmap" }}
   access-control.properties: |
     access-control.name=file
     {{- if .Values.accessControl.refreshPeriod }}
     security.refresh-period={{ .Values.accessControl.refreshPeriod }}
     {{- end }}
     security.config-file={{ .Values.server.config.path }}/access-control/{{ .Values.accessControl.configFile | default "rules.json" }}
-{{- end }}{{- end }}
+  {{- else if eq .Values.accessControl.type "properties" }}
+  access-control.properties: |
+    {{- if .Values.accessControl.properties }}
+    {{- .Values.accessControl.properties | nindent 4 }}
+    {{- else}}
+    {{- fail "accessControl.properties is required when accessControl.type is 'properties'." }}
+    {{- end }}
+  {{- else}}
+  {{- fail "Invalid accessControl.type value. It must be either 'configmap' or 'properties'." }}
+  {{- end }}
+{{- end }}
 
 {{- if .Values.resourceGroups }}
   resource-groups.properties: |
@@ -135,23 +146,6 @@ data:
   {{ $fileName }}: |
     {{- $fileContent | nindent 4 }}
 {{- end }}
-
----
-
-{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "trino.fullname" . }}-access-control-volume-coordinator
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "trino.labels" . | nindent 4 }}
-    app.kubernetes.io/component: coordinator
-data:
-  {{- range $key, $val := .Values.accessControl.rules }}
-  {{ $key }}: {{ $val | quote }}
-  {{- end }}
-{{- end }}{{- end }}
 {{- if .Values.resourceGroups }}
 ---
 apiVersion: v1

diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
@@ -17,6 +17,9 @@ spec:
   template:
     metadata:
       annotations:
+        {{- if and (eq .Values.accessControl.type "configmap") (not .Values.accessControl.refreshPeriod) }}
+        checksum/access-control-config: {{ include (print $.Template.BasePath "/configmap-access-control.yaml") . | sha256sum }}
+        {{- end }}
         checksum/catalog-config: {{ include (print $.Template.BasePath "/configmap-catalog.yaml") . | sha256sum }}
         checksum/coordinator-config: {{ include (print $.Template.BasePath "/configmap-coordinator.yaml") . | sha256sum }}
       {{- if .Values.coordinator.annotations }}
@@ -33,8 +36,7 @@ spec:
       serviceAccountName: {{ include "trino.serviceAccountName" . }}
       {{- with .Values.securityContext }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
-        runAsGroup: {{ .runAsGroup }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if .Values.shareProcessNamespace.coordinator }}
       shareProcessNamespace: {{ .Values.shareProcessNamespace.coordinator }}
@@ -49,11 +51,11 @@ spec:
         - name: schemas-volume
           configMap:
             name: {{ template "trino.fullname" . }}-schemas-volume-coordinator
-        {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
+        {{- if eq .Values.accessControl.type "configmap" }}
         - name: access-control-volume
           configMap:
             name: {{ template "trino.fullname" . }}-access-control-volume-coordinator
-        {{- end }}{{- end }}
+        {{- end }}
         {{- if .Values.resourceGroups }}
         - name: resource-groups-volume
           configMap:
@@ -125,10 +127,10 @@ spec:
               name: catalog-volume
             - mountPath: {{ .Values.kafka.mountPath }}
               name: schemas-volume
-            {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
+            {{- if eq .Values.accessControl.type "configmap" }}
             - mountPath: {{ .Values.server.config.path }}/access-control
               name: access-control-volume
-            {{- end }}{{- end }}
+            {{- end }}
             {{- if .Values.resourceGroups }}
             - mountPath: {{ .Values.server.config.path }}/resource-groups
               name: resource-groups-volume
@@ -203,6 +205,10 @@ spec:
         - name: jmx-exporter
           image: {{ .Values.jmx.exporter.image }}
           imagePullPolicy: {{ .Values.jmx.exporter.pullPolicy }}
+          {{- with .Values.jmx.exporter.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           args:
             - "{{ .Values.jmx.exporter.port }}"
             - /etc/jmx-exporter/jmx-exporter-config.yaml