Helm installation #
The operator installation is managed by a Helm chart. To install with the chart bundled in the source code run:
```bash
helm install flink-kubernetes-operator helm/flink-kubernetes-operator
```
To install from our Helm Chart Repository run:
```bash
helm repo add flink-operator-repo https://downloads.apache.org/flink/flink-kubernetes-operator-<OPERATOR-VERSION>/
helm install flink-kubernetes-operator flink-operator-repo/flink-kubernetes-operator
```
Alternatively, to install the operator (and also the Helm chart) into a specific namespace, add the arguments --namespace and --create-namespace, for example:
```bash
helm install flink-kubernetes-operator helm/flink-kubernetes-operator --namespace flink --create-namespace
```
Note that in this case you will need to update the namespace in the examples accordingly, or add the default namespace to the watched namespaces.
Overriding configuration parameters during Helm install #
Helm provides different ways to override the default installation parameters (contained in values.yaml) for the Helm chart.
To override single parameters you can use --set, for example:
```bash
helm install --set image.repository=apache/flink-kubernetes-operator --set image.tag=1.10.0 flink-kubernetes-operator helm/flink-kubernetes-operator
```
You can also provide your own values file by using the -f flag:
```bash
helm install -f myvalues.yaml flink-kubernetes-operator helm/flink-kubernetes-operator
```
The configurable parameters of the Helm chart and their default values are detailed in the following table:
Parameters | Description | Default Value |
---|---|---|
watchNamespaces | List of kubernetes namespaces to watch for FlinkDeployment changes, empty means all namespaces. | |
image.repository | The image repository of flink-kubernetes-operator. | ghcr.io/apache/flink-kubernetes-operator |
image.pullPolicy | The image pull policy of flink-kubernetes-operator. | IfNotPresent |
image.tag | The image tag of flink-kubernetes-operator. | latest |
image.digest | The image digest of flink-kubernetes-operator. If set, it takes precedence and the image tag is ignored. | |
replicas | Operator replica count. Must be 1 unless leader election is configured. | 1 |
strategy.type | Operator pod upgrade strategy. Must be Recreate unless leader election is configured. | Recreate |
rbac.create | Whether to enable RBAC to create for said namespaces. | true |
rbac.nodesRule.create | Whether to add RBAC rule to list nodes which is needed for rest-service exposed as NodePort type. | false |
operatorPod.annotations | Custom annotations to be added to the operator pod (but not the deployment). | |
operatorPod.labels | Custom labels to be added to the operator pod and deployment. | |
operatorPod.env | Custom env to be added to the operator pod. | |
operatorPod.envFrom | Custom envFrom settings to be added to the operator pod. | |
operatorPod.dnsPolicy | DNS policy to be used by the operator pod. | |
operatorPod.dnsConfig | DNS configuration to be used by the operator pod. | |
operatorPod.nodeSelector | Custom nodeSelector to be added to the operator pod. | |
operatorPod.topologySpreadConstraints | Custom topologySpreadConstraints to be added to the operator pod. | |
operatorPod.resources | Custom resources block to be added to the operator pod on main container. | |
operatorPod.webhook.resources | Custom resources block to be added to the operator pod on flink-webhook container. | |
operatorPod.tolerations | Custom tolerations to be added to the operator pod. | |
operatorServiceAccount.create | Whether to enable operator service account to create for flink-kubernetes-operator. | true |
operatorServiceAccount.annotations | The annotations of operator service account. | |
operatorServiceAccount.name | The name of operator service account. | flink-operator |
jobServiceAccount.create | Whether to enable job service account to create for flink jobmanager/taskmanager pods. | true |
jobServiceAccount.annotations | The annotations of job service account. | "helm.sh/resource-policy": keep |
jobServiceAccount.name | The name of job service account. | flink |
operatorVolumeMounts.create | Whether to enable operator volume mounts to create for flink-kubernetes-operator. | false |
operatorVolumeMounts.data | List of mount paths of operator volume mounts. | - name: flink-artifacts mountPath: /opt/flink/artifacts |
operatorVolumes.create | Whether to enable operator volumes to create for flink-kubernetes-operator. | false |
operatorVolumes.data | The ConfigMap of operator volumes. | - name: flink-artifacts hostPath: path: /tmp/flink/artifacts type: DirectoryOrCreate |
podSecurityContext | Defines privilege and access control settings for a pod or container for pod security context. | runAsUser: 9999 runAsGroup: 9999 |
operatorSecurityContext | Defines privilege and access control settings for a pod or container for operator security context. | |
webhookSecurityContext | Defines privilege and access control settings for a pod or container for webhook security context. | |
webhook.create | Whether to enable validating and mutating webhooks for flink-kubernetes-operator. | true |
webhook.mutator.create | Enable or disable the mutating webhook; overrides webhook.create. | |
webhook.validator.create | Enable or disable the validating webhook; overrides webhook.create. | |
webhook.keystore | The ConfigMap of webhook key store. | useDefaultPassword: true |
defaultConfiguration.create | Whether to enable default configuration to create for flink-kubernetes-operator. | true |
defaultConfiguration.append | Whether to append configuration files with configs. | true |
defaultConfiguration.flink-conf.yaml | The default configuration of flink-conf.yaml. | kubernetes.operator.metrics.reporter.slf4j.factory.class: org.apache.flink.metrics.slf4j.Slf4jReporterFactory kubernetes.operator.metrics.reporter.slf4j.interval: 5 MINUTE kubernetes.operator.reconcile.interval: 15 s kubernetes.operator.observer.progress-check.interval: 5 s |
defaultConfiguration.log4j-operator.properties | The default configuration of log4j-operator.properties. | |
defaultConfiguration.log4j-console.properties | The default configuration of log4j-console.properties. | |
metrics.port | The metrics port on the container for default configuration. | |
imagePullSecrets | The image pull secrets of flink-kubernetes-operator. | |
nameOverride | Overrides the name with the specified name. | |
fullnameOverride | Overrides the fullname with the specified full name. | |
jvmArgs.webhook | The JVM start up options for webhook. | |
jvmArgs.operator | The JVM start up options for operator. | |
operatorHealth.port | Operator health endpoint port to be used by the probes. | 8085 |
operatorHealth.livenessProbe | Liveness probe configuration for the operator using the health endpoint. Only time settings should be configured, endpoint is set automatically based on port. | |
operatorHealth.startupProbe | Startup probe configuration for the operator using the health endpoint. Only time settings should be configured, endpoint is set automatically based on port. | |
postStart | The postStart hook configuration for the main container. | |
tls.create | Whether to mount an optional secret containing a tls truststore for the flink-kubernetes-operator. | false |
tls.secretName | The name of the tls secret | flink-operator-cert |
tls.secretKeyRef.name | The name of the secret containing the password for the java keystore/truststore | operator-certificate-password |
tls.secretKeyRef.key | The key that holds this password | password |
For more information check the Helm documentation.
Notice: Set the pod resources to match your workload in each environment so that the operator pod lands in the intended Kubernetes pod QoS class. See also Pod Quality of Service Classes.
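As an added example (not the chart's own values.yaml and not from the project), the following values file combines parameters from the table above into a least-privilege install: the operator watches only named namespaces so RBAC is namespace-scoped rather than cluster-scoped, the image is pinned by digest instead of a mutable tag, both containers get a restrictive securityContext, and requests equal limits so the operator pod gets the Guaranteed QoS class. The namespace names, the digest and the resource sizes are placeholders, and the file assumes the chart passes operatorSecurityContext and webhookSecurityContext through unchanged as container-level securityContext fields.

```yaml
# Added example values file for the flink-kubernetes-operator chart.
# Placeholder values are marked; adjust them for your environment.

# Watch a fixed list of namespaces: with watchNamespaces set, the chart creates
# namespace-scoped RBAC for the operator and jobmanagers instead of cluster scope.
watchNamespaces:
  - flink-prod       # placeholder namespace
  - flink-staging    # placeholder namespace

image:
  repository: ghcr.io/apache/flink-kubernetes-operator
  pullPolicy: IfNotPresent
  # A digest pins one exact image; when image.digest is set, image.tag is ignored.
  # PLACEHOLDER digest: replace with the digest of the release you have verified.
  digest: sha256:0000000000000000000000000000000000000000000000000000000000000000

# Keep the validating/mutating webhooks on; leave the extra "list nodes" RBAC
# rule off unless a rest-service is exposed as NodePort.
webhook:
  create: true
rbac:
  create: true
  nodesRule:
    create: false

# Pod-level identity: the chart's non-root UID/GID, made explicit with
# runAsNonRoot and the runtime's default seccomp profile.
podSecurityContext:
  runAsUser: 9999
  runAsGroup: 9999
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container-level restrictions (standard Kubernetes securityContext fields),
# assumed to be applied verbatim to the operator and webhook containers.
operatorSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
webhookSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

# requests == limits for cpu and memory on every container -> Guaranteed QoS.
# Sizes are placeholders; the JVM heap is kept below the memory limit.
operatorPod:
  resources:
    requests: { cpu: "1000m", memory: "2.5Gi" }
    limits:   { cpu: "1000m", memory: "2.5Gi" }
  webhook:
    resources:
      requests: { cpu: "200m", memory: "512Mi" }
      limits:   { cpu: "200m", memory: "512Mi" }
jvmArgs:
  operator: "-Xms2048m -Xmx2048m"
  webhook: "-Xms256m -Xmx256m"
```

Install it with `helm install -f hardened-values.yaml flink-kubernetes-operator helm/flink-kubernetes-operator` and confirm the result with `kubectl get pod -o jsonpath='{.items[*].status.qosClass}'` in the operator namespace: it should print `Guaranteed` for the operator pod. If a sidecar is later added through post-rendering (see below), it needs its own requests, limits and securityContext, because values set here are not applied to containers the chart does not know about.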
Operator webhooks #
In order to use the webhooks in the operator, you must install cert-manager on the Kubernetes cluster:
```bash
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.8.2/cert-manager.yaml
```
The webhooks can be disabled during helm install by passing the --set webhook.create=false parameter or by editing values.yaml directly.
Watching only specific namespaces #
The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the --set watchNamespaces={flink-test} parameter.
When this is enabled, role-based access control is created only for these namespaces, for both the operator and the jobmanagers; otherwise it defaults to cluster scope.
Note: When working with the webhook in a specified namespace, pay attention to the definition of namespaceSelector.matchExpressions in webhook.yaml. Currently, the default implementation of the webhook relies on the kubernetes.io/metadata.name label to filter the validation requests, so that only validation requests from the specified namespaces will be processed. The kubernetes.io/metadata.name label is automatically attached since k8s 1.21.1.
As a result, users who run the Flink Kubernetes operator on an older k8s version may label the specified namespace themselves before installing the operator with helm:
```bash
kubectl label namespace <target namespace name> kubernetes.io/metadata.name=<target namespace name>
```
Besides, users can define their own namespaceSelector to filter the requests according to customized requirements.
For example, if users label their namespace with the key-value pair {customized_namespace_key: <target namespace name>}, the corresponding namespaceSelector that only accepts requests from this namespace could be:
```yaml
namespaceSelector:
  matchExpressions:
    - key: customized_namespace_key
      operator: In
      values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
```
Check out this document for more details.
Working with Argo CD #
If you are using Argo CD to manage the operator, the simplest example could look like this:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: flink-kubernetes-operator
spec:
  source:
    repoURL: https://github.com/apache/flink-kubernetes-operator
    targetRevision: main
    path: helm/flink-kubernetes-operator
  ...
```
Check out the Argo CD documents for more details.
Advanced customization techniques #
The Helm chart does not aim to provide configuration options for all the possible deployment scenarios of the Operator. There are use cases for injecting common tools and/or sidecars in most enterprise environments that cannot be covered by public Helm charts.
Fortunately, post rendering in Helm gives you the ability to manually manipulate manifests before they are installed on a Kubernetes cluster. This allows users to use tools like kustomize to apply configuration changes without the need to fork public charts.
The GitHub repository for the Operator contains a simple example of how to augment the Operator Deployment with a fluent-bit sidecar container and adjust container resources using kustomize.
The example demonstrates that we can still use a values.yaml file to override the default Helm values, for example to change the log configuration:
```yaml
defaultConfiguration:
  ...
  log4j-operator.properties: |+
    rootLogger.appenderRef.file.ref = LogFile
    appender.file.name = LogFile
    appender.file.type = File
    appender.file.append = false
    appender.file.fileName = ${sys:log.file}
    appender.file.layout.type = PatternLayout
    appender.file.layout.pattern = %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p %-60c %x - %m%n
jvmArgs:
  webhook: "-Dlog.file=/opt/flink/log/webhook.log -Xms256m -Xmx256m"
  operator: "-Dlog.file=/opt/flink/log/operator.log -Xms2048m -Xmx2048m"
```
But we cannot inject our fluent-bit sidecar, for example, unless we patch the deployment using kustomize:
```yaml
################################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
apiVersion: apps/v1
kind: Deployment
metadata:
  name: not-important
spec:
  template:
    spec:
      containers:
        - name: flink-kubernetes-operator
          volumeMounts:
            - name: flink-log
              mountPath: /opt/flink/log
          resources:
            requests:
              memory: "2.5Gi"
              cpu: "1000m"
            limits:
              memory: "2.5Gi"
              cpu: "2000m"
        - name: flink-webhook
          volumeMounts:
            - name: flink-log
              mountPath: /opt/flink/log
          resources:
            requests:
              memory: "0.5Gi"
              cpu: "200m"
            limits:
              memory: "0.5Gi"
              cpu: "500m"
        - name: fluentbit
          image: fluent/fluent-bit:1.8.12
          command: [ 'sh','-c','/fluent-bit/bin/fluent-bit -i tail -p path=/opt/flink/log/*.log -p multiline.parser=java -o stdout' ]
          volumeMounts:
            - name: flink-log
              mountPath: /opt/flink/log
      volumes:
        - name: flink-log
          emptyDir: { }
```
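The patch above is only half of the post-render setup: kustomize also needs a kustomization.yaml that points at the manifests Helm hands to the post-renderer and at the patch. The file below is an added example, not the contents of the repository's examples/kustomize directory; the file names all.yaml and patch-deployment.yaml, and the Deployment name flink-kubernetes-operator that the chart produces by default, are assumptions. It also explains why the patch's metadata.name can be "not-important": with a target selector, kustomize chooses the object to patch by kind and name and ignores the name inside the patch file.

```yaml
# kustomization.yaml (added example; file names and the target name are assumptions)
resources:
  # all.yaml is where the post-renderer writes the manifests that Helm streams
  # to it on stdin, so kustomize can treat them as a plain resource file.
  - all.yaml
patches:
  # The strategic-merge patch shown above. The target selector decides which
  # object is patched, which is why the name in the patch file does not matter.
  - path: patch-deployment.yaml
    target:
      kind: Deployment
      name: flink-kubernetes-operator
```

The post-renderer itself (examples/kustomize/render in the repository) is whatever executable Helm's --post-renderer flag names; Helm's contract is that it receives the fully rendered manifests on stdin and must print the final manifests on stdout, so the usual pattern is to save stdin as all.yaml next to this kustomization and then run kustomize build on that directory. Because this step runs after templating, nothing set through values (securityContext, resources, image digest) reaches containers the patch adds; the sidecar needs its own securityContext, requests and limits in the patch, and a digest-pinned image if the rest of the pod is pinned.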
You can try out the example using the following command:
```bash
helm install flink-kubernetes-operator helm/flink-kubernetes-operator -f examples/kustomize/values.yaml --post-renderer examples/kustomize/render
```
By examining the sidecar output you should see that the logs from both containers are being processed from the shared folder:
```
[2022/04/06 10:04:36] [ info] [input:tail:tail.0] inotify_fs_add(): inode=3812411 watch_fd=1 name=/opt/flink/log/operator.log
[2022/04/06 10:04:36] [ info] [input:tail:tail.0] inotify_fs_add(): inode=3812412 watch_fd=2 name=/opt/flink/log/webhook.log
```
Check out the kustomize repo for more advanced examples.
Please note that the post-render mechanism will always override the Helm template values.