From e22b5040fe4bb1508ef658a58d8b9244e92fe7d8 Mon Sep 17 00:00:00 2001
From: "bing.ma"
Date: Wed, 15 May 2024 15:13:21 +0800
Subject: [PATCH] expose acl configuration as configMap
---
 example/rocketmq_v1alpha1_broker_cr.yaml | 39 ++++++++++++++++++
 pkg/constants/constants.go | 5 ++-
 pkg/controller/broker/broker_controller.go | 47 ++++++++++++++++------
 3 files changed, 77 insertions(+), 14 deletions(-)
diff --git a/example/rocketmq_v1alpha1_broker_cr.yaml b/example/rocketmq_v1alpha1_broker_cr.yaml
index e3d9bd3e..4f7a6cbc 100644
--- a/example/rocketmq_v1alpha1_broker_cr.yaml
+++ b/example/rocketmq_v1alpha1_broker_cr.yaml
@@ -28,6 +28,39 @@ data:
 brokerRole=ASYNC_MASTER
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: broker-acl-config
+data:
+ plain_acl.yml: |
+ globalWhiteRemoteAddresses:
+ - 10.10.103.*
+ - 192.168.0.*
+
+ accounts:
+ - accessKey: RocketMQ
+ secretKey: 123456789 # |||
+ whiteRemoteAddress:
+ admin: false
+ defaultTopicPerm: DENY
+ defaultGroupPerm: SUB
+ topicPerms:
+ - topicA=DENY
+ - topicB=PUB|SUB
+ - topicC=SUB
+ groupPerms:
+ # the group should convert to retry topic
+ - groupA=DENY
+ - groupB=PUB|SUB
+ - groupC=SUB
+
+ - accessKey: rocketmq2
+ secretKey: 123456789 # |||
+ whiteRemoteAddress: 192.168.1.*
+ # if it is admin, it could access all resources
+ admin: true
+---
 apiVersion: rocketmq.apache.org/v1alpha1
 kind: Broker
 metadata:
@@ -75,6 +108,12 @@ spec:
 items:
 - key: broker-common.conf
 path: broker-common.conf
+ - name: broker-acl-config
+ configMap:
+ name: broker-acl-config
+ items:
+ - key: plain_acl.yml
+ path: plain_acl.yml
 # volumeClaimTemplates defines the storageClass
 volumeClaimTemplates:
 - metadata:
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index cc5e209a..585c1b37 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
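Review bot: The example ConfigMap added in the first hunk carries ACL credentials (`secretKey: 123456789` on both accounts) in a ConfigMap, which Kubernetes does not treat as sensitive data; a Secret is the appropriate carrier for `plain_acl.yml`, declared with `kind: Secret` plus `stringData:` and referenced from the Broker volume list in the second hunk through `secret:` / `secretName: broker-acl-config` instead of `configMap:`. Because example manifests tend to be applied verbatim, the placeholder values should also be marked as such, e.g. `# replace secretKey before deploying`. The `# |||` trailing both secretKey lines reads as a leftover and should be removed or explained. Whether the operator accepts a secret volume in `spec.volumes` cannot be confirmed from this diff alone.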
@@ -46,9 +46,12 @@ const (
 // SubscriptionGroupJsonDir is the directory of subscriptionGroup.json
 SubscriptionGroupJsonDir = StoreConfigDir + "/subscriptionGroup.json"
- // BrokerConfigDir is the directory of the mounted config file
+ // BrokerConfigPath is the directory of the mounted config file
 BrokerConfigPath = DataPath + "/rocketmq/broker/conf"
+ // BrokerPlainAclConfigName is the name of mounted acl config file
+ BrokerPlainAclConfigName = "plain_acl.yml"
+ // BrokerConfigName is the name of mounted configuration file
 BrokerConfigName = "broker-common.conf"
diff --git a/pkg/controller/broker/broker_controller.go b/pkg/controller/broker/broker_controller.go
index f6ea6640..8d0a4a29 100644
--- a/pkg/controller/broker/broker_controller.go
+++ b/pkg/controller/broker/broker_controller.go
@@ -484,19 +484,7 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker *rocketmqv1alpha1.Broker,
 ContainerPort: cons.BrokerHighAvailabilityContainerPort,
 Name: cons.BrokerHighAvailabilityContainerPortName,
 }},
- VolumeMounts: []corev1.VolumeMount{{
- MountPath: cons.LogMountPath,
- Name: broker.Spec.VolumeClaimTemplates[0].Name,
- SubPath: cons.LogSubPathName + getPathSuffix(broker, brokerGroupIndex, replicaIndex),
- }, {
- MountPath: cons.StoreMountPath,
- Name: broker.Spec.VolumeClaimTemplates[0].Name,
- SubPath: cons.StoreSubPathName + getPathSuffix(broker, brokerGroupIndex, replicaIndex),
- }, {
- MountPath: cons.BrokerConfigPath + "/" + cons.BrokerConfigName,
- Name: broker.Spec.Volumes[0].Name,
- SubPath: cons.BrokerConfigName,
- }},
+ VolumeMounts: getVolumeMounts(broker, brokerGroupIndex, replicaIndex),
 }},
 Volumes: getVolumes(broker),
 SecurityContext: getPodSecurityContext(broker),
@@ -512,6 +500,39 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker *rocketmqv1alpha1.Broker,
 }
+func getVolumeMounts(broker *rocketmqv1alpha1.Broker, brokerGroupIndex int, replicaIndex int) []corev1.VolumeMount {
+ mounts := make([]corev1.VolumeMount, 0)
+
+ if len(broker.Spec.VolumeClaimTemplates) >= 1 {
+ mounts = append(mounts, corev1.VolumeMount{
+ MountPath: cons.LogMountPath,
+ Name: broker.Spec.VolumeClaimTemplates[0].Name,
+ SubPath: cons.LogSubPathName + getPathSuffix(broker, brokerGroupIndex, replicaIndex),
+ })
+ mounts = append(mounts, corev1.VolumeMount{
+ MountPath: cons.StoreMountPath,
+ Name: broker.Spec.VolumeClaimTemplates[0].Name,
+ SubPath: cons.StoreSubPathName + getPathSuffix(broker, brokerGroupIndex, replicaIndex),
+ })
+ }
+ if len(broker.Spec.Volumes) >= 1 {
+ mounts = append(mounts, corev1.VolumeMount{
+ MountPath: cons.BrokerConfigPath + "/" + cons.BrokerConfigName,
+ Name: broker.Spec.Volumes[0].Name,
+ SubPath: cons.BrokerConfigName,
+ })
+ }
+
+ if len(broker.Spec.Volumes) > 1 {
+ mounts = append(mounts, corev1.VolumeMount{
+ MountPath: cons.BrokerConfigPath + "/" + cons.BrokerPlainAclConfigName,
+ Name: broker.Spec.Volumes[1].Name,
+ SubPath: cons.BrokerPlainAclConfigName,
+ })
+ }
+ return mounts
+}
+
 func getENV(broker *rocketmqv1alpha1.Broker, replicaIndex int, brokerGroupIndex int) []corev1.EnvVar {
 envs := []corev1.EnvVar{{
 Name: cons.EnvNameServiceAddress,
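Review bot: getVolumeMounts selects the ACL file purely by position, `broker.Spec.Volumes[1]`, so any second volume a user lists in the Broker spec is mounted at `cons.BrokerConfigPath + "/" + cons.BrokerPlainAclConfigName` with `SubPath: cons.BrokerPlainAclConfigName` whether or not it holds an ACL file, and a volume lacking that key would presumably fail to mount rather than be skipped. Matching the ACL volume by its name, or by the presence of the `plain_acl.yml` key in its items, would be more robust than the index; the same positional assumption already existed for `Volumes[0]` and is now carried into the new helper without being stated. At minimum the contract belongs on the function: `// getVolumeMounts builds the broker container mounts; Spec.Volumes[0] must carry broker-common.conf and Spec.Volumes[1], when present, plain_acl.yml.` Since the result has at most four entries, `mounts := make([]corev1.VolumeMount, 0, 4)` avoids the regrowth the bare `make(..., 0)` incurs.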