feat: support customize Aliyun STS endpoint for OIDC authentication (#…

…101)

* feat: support customize Aliyun STS endpoint for OIDC authentication

Signed-off-by: arkbriar <[email protected]>

* Release 0.1.65

Signed-off-by: arkbriar <[email protected]>

---------

Signed-off-by: arkbriar <[email protected]>

charts/risingwave-operator/values.yaml

@@ -86,9 +86,9 @@ manager:
   ## @param manager.updateStrategy Update strategy of the deployment.
   ##
   updateStrategy: { }
-    # type: RollingUpdate
-    # rollingUpdate:
-    #   maxSurge: 0
+  # type: RollingUpdate
+  # rollingUpdate:
+  #   maxSurge: 0
   #   maxUnavailable: 1
 
   ## @param manager.minReadySeconds Minimum number of seconds for which a newly created pod should be ready

charts/risingwave/Chart.yaml

@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.64
+version: 0.1.65
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/risingwave/templates/_helpers.tpl

@@ -420,3 +420,22 @@ Create the OBS endpoint to use.
 {{- define "risingwave.obs.endpoint" }}
 {{- printf "https://obs.$(OBS_REGION).myhuaweicloud.com" }}
 {{- end }}
+
+{{/*
+Cloud related enviroments.
+*/}}
+{{- define "risingwave.cloudEnvironments" -}}
+{{/* Aliyun related */}}
+{{- if .Values.cloud.aliyun.sts.endpoint }}
+- name: ALIBABA_CLOUD_STS_ENDPOINT
+  value: {{ .Values.cloud.aliyun.sts.endpoint | quote }}
+{{- else if .Values.cloud.aliyun.sts.region }}
+{{- if .Values.cloud.aliyun.sts.useVPCEndpoint }}
+- name: ALIBABA_CLOUD_STS_ENDPOINT
+  value: {{ printf "https://sts-vpc.%s.aliyuncs.com" .Values.cloud.aliyun.sts.region }}
+{{- else }}
+- name: ALIBABA_CLOUD_STS_ENDPOINT
+  value: {{ printf "https://sts.%s.aliyuncs.com" .Values.cloud.aliyun.sts.region }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/risingwave/templates/compactor-deploy.yaml

@@ -130,6 +130,7 @@ spec:
             name: {{ $credentialsSecret }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED

charts/risingwave/templates/compute-sts.yaml

@@ -164,6 +164,7 @@ spec:
             name: {{ $credentialsSecret }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED
@@ -331,6 +332,7 @@ spec:
             name: {{ .Values.frontendComponent.extraEnvVarsSecret }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED

charts/risingwave/templates/frontend-deploy.yaml

@@ -168,6 +168,7 @@ spec:
         {{- end }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED

charts/risingwave/templates/meta-sts.yaml

@@ -157,6 +157,7 @@ spec:
             name: {{ include "risingwave.mysqlCredentialsSecretName" . }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED

charts/risingwave/templates/standalone/standalone-sts.yaml

@@ -203,6 +203,7 @@ spec:
             name: {{ include "risingwave.mysqlCredentialsSecretName" . }}
         {{- end }}
         env:
+        {{ include "risingwave.cloudEnvironments" . | nindent 8 }}
         # Disable auto region loading. Refer to the original source for more information.
         # https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/aws-config/src/imds/region.rs
         - name: AWS_EC2_METADATA_DISABLED

charts/risingwave/tests/cloud_envs_test.yaml

@@ -0,0 +1,149 @@
+suite: Test Cloud Envs
+templates:
+- meta-sts.yaml
+- frontend-deploy.yaml
+- compute-sts.yaml
+- compactor-deploy.yaml
+- standalone/standalone-sts.yaml
+chart:
+  appVersion: 1.0.0
+  version: 0.0.1
+tests:
+- it: aliyun sts cloud env reflects (distributed)
+  templates:
+  - meta-sts.yaml
+  - frontend-deploy.yaml
+  - compute-sts.yaml
+  - compactor-deploy.yaml
+  set:
+    cloud:
+      aliyun:
+        sts:
+          endpoint: https://sts.cn-hangzhou.aliyuncs.com
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+          name: ALIBABA_CLOUD_STS_ENDPOINT
+          value: https://sts.cn-hangzhou.aliyuncs.com
+- it: aliyun sts cloud env reflects (standalone)
+  templates:
+  - standalone/standalone-sts.yaml
+  set:
+    standalone:
+      enabled: true
+    cloud:
+      aliyun:
+        sts:
+          endpoint: https://sts.cn-hangzhou.aliyuncs.com
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: https://sts.cn-hangzhou.aliyuncs.com
+- it: aliyun sts cloud env reflects region (distributed)
+  templates:
+  - meta-sts.yaml
+  - frontend-deploy.yaml
+  - compute-sts.yaml
+  - compactor-deploy.yaml
+  set:
+    cloud:
+      aliyun:
+        sts:
+          region: cn-hongkong
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: https://sts.cn-hongkong.aliyuncs.com
+- it: aliyun sts cloud env reflects region (standalone)
+  templates:
+  - standalone/standalone-sts.yaml
+  set:
+    standalone:
+      enabled: true
+    cloud:
+      aliyun:
+        sts:
+          region: cn-hongkong
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: https://sts.cn-hongkong.aliyuncs.com
+- it: aliyun sts cloud env reflects vpc (distributed)
+  templates:
+  - meta-sts.yaml
+  - frontend-deploy.yaml
+  - compute-sts.yaml
+  - compactor-deploy.yaml
+  set:
+    cloud:
+      aliyun:
+        sts:
+          region: cn-hongkong
+          useVPCEndpoint: true
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: https://sts-vpc.cn-hongkong.aliyuncs.com
+- it: aliyun sts cloud env reflects vpc (standalone)
+  templates:
+  - standalone/standalone-sts.yaml
+  set:
+    standalone:
+      enabled: true
+    cloud:
+      aliyun:
+        sts:
+          region: cn-hongkong
+          useVPCEndpoint: true
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: https://sts-vpc.cn-hongkong.aliyuncs.com
+- it: aliyun sts cloud env prioritize endpoint (distributed)
+  templates:
+  - meta-sts.yaml
+  - frontend-deploy.yaml
+  - compute-sts.yaml
+  - compactor-deploy.yaml
+  set:
+    cloud:
+      aliyun:
+        sts:
+          endpoint: http://sts-vpc.cn-shanghai.aliyuncs.com
+          region: cn-hongkong
+          useVPCEndpoint: false
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: http://sts-vpc.cn-shanghai.aliyuncs.com
+- it: aliyun sts cloud env prioritize endpoint (standalone)
+  templates:
+  - standalone/standalone-sts.yaml
+  set:
+    standalone:
+      enabled: true
+    cloud:
+      aliyun:
+        sts:
+          endpoint: http://sts-vpc.cn-shanghai.aliyuncs.com
+          region: cn-hongkong
+          useVPCEndpoint: false
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: ALIBABA_CLOUD_STS_ENDPOINT
+        value: http://sts-vpc.cn-shanghai.aliyuncs.com

charts/risingwave/values.yaml

@@ -1315,3 +1315,28 @@ bash:
   ## @param bash.image Bash image.
   ##
   image: bash:5.2
+
+## @section Cloud.
+##
+
+cloud:
+  ## @param cloud.aliyun Aliyun cloud configuration.
+  ##
+  aliyun:
+    ## @param Aliyun STS configuration.
+    ##
+    sts:
+      ## @param sts.endpoint Aliyun STS endpoint. If not set, the default endpoint will be used.
+      ## The default endpoint is https://sts.aliyuncs.com. If set, the following parameters will be ignored.
+      ## Ref: https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-endpoint
+      ##
+      endpoint: ""
+
+      ## @param sts.region Aliyun STS region. If not set, the default STS region will be used.
+      ##
+      region: ""
+
+      ## @param sts.useVPCEndpoint Whether to use VPC endpoint to access STS service.
+      ## This only works when endpoint is not set and region is set.
+      ##
+      useVPCEndpoint: false