This is an automated email from the ASF dual-hosted git repository. zykkk pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push: new 04f2e3311e5 [feature](k8s) add kerberos support for doris-operator (#48183) 04f2e3311e5 is described below commit 04f2e3311e5aed3b098145eb8f9db24e3606a0a4 Author: catpineapple <1391869...@qq.com> AuthorDate: Fri Feb 28 10:27:38 2025 +0800 [feature](k8s) add kerberos support for doris-operator (#48183) add kerberos support for doris-operator: Parse the ENV passed into the pod to verify key mounting and environment analysis
---
 docker/runtime/be/resource/be_entrypoint.sh | 46 +++++++++++++++++++++++++++++
 docker/runtime/fe/resource/fe_entrypoint.sh | 46 +++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)
diff --git a/docker/runtime/be/resource/be_entrypoint.sh b/docker/runtime/be/resource/be_entrypoint.sh
index 124f6e2d26e..41f77a936c7 100755
--- a/docker/runtime/be/resource/be_entrypoint.sh
+++ b/docker/runtime/be/resource/be_entrypoint.sh
@@ -83,6 +83,51 @@ update_conf_from_configmap()
 done
 }
+mount_kerberos_config()
+{
+ if [[ ! -n "$KRB5_MOUNT_PATH" ]]; then
+ return
+ fi
+
+ KRB5_CONFIG_DIR=$(dirname "$KRB5_CONFIG")
+ # If the krb5 directory does not exist, need to create it.
+ if [[ ! -d "$KRB5_CONFIG_DIR" ]]; then
+ log_stderr "[info] Creating krb5 directory: $KRB5_CONFIG_DIR"
+ mkdir -p "$KRB5_CONFIG_DIR"
+ fi
+
+ log_stderr "[info] Creating krb5 symlinks for each file from $KRB5_MOUNT_PATH to $KRB5_CONFIG_DIR"
+ # The files under KRB5_MONT_PATH are soft links from other directories. Therefore, a for loop is needed to directly soft link the files.
+ for file in "$KRB5_MOUNT_PATH"/*; do
+ if [ -e "$file" ]; then
+ filename=$(basename "$file")
+ log_stderr "[info] Creating krb5 symlink for $filename"
+ ln -sf "$file" "$KRB5_CONFIG_DIR/$filename"
+ fi
+ done
+
+ if [[ "$KEYTAB_MOUNT_PATH" == "$KEYTAB_FINAL_USED_PATH" ]]; then
+ log_stderr "[info] KEYTAB_MOUNT_PATH is same as KEYTAB_FINAL_USED_PATH, skip creating symlinks"
+ return
+ fi
+
+ # If the keytab directory does not exist, need to create it.
+ if [[ ! -d "$KEYTAB_FINAL_USED_PATH" ]]; then
+ log_stderr "[info] Creating keytab directory: $KEYTAB_FINAL_USED_PATH"
+ mkdir -p "$KEYTAB_FINAL_USED_PATH"
+ fi
+
+ log_stderr "[info] Creating keytab symlinks for each file from $KEYTAB_MOUNT_PATH to $KEYTAB_FINAL_USED_PATH"
+ # The files under KEYTAB_MOUNT_PATH are soft links from other directories. Therefore, a for loop is needed to directly soft link the files.
+ for file in "$KEYTAB_MOUNT_PATH"/*; do
+ if [ -e "$file" ]; then
+ filename=$(basename "$file")
+ log_stderr "[info] Creating keytab symlink for $filename"
+ ln -sf "$file" "$KEYTAB_FINAL_USED_PATH/$filename"
+ fi
+ done
+}
+
 # resolve password for root
 resolve_password_from_secret()
 {
@@ -278,6 +323,7 @@ fi
 update_conf_from_configmap
 add_default_conf
+mount_kerberos_config
 # resolve password for root to manage nodes in doris.
 resolve_password_from_secret
 collect_env_info
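Review bot: Only `KRB5_MOUNT_PATH` is checked before `mount_kerberos_config` starts creating links; `KRB5_CONFIG`, `KEYTAB_MOUNT_PATH` and `KEYTAB_FINAL_USED_PATH` are used without validation. With `KRB5_CONFIG` empty, `dirname ""` yields `.` and the krb5 links land in the current working directory; with `KEYTAB_FINAL_USED_PATH` empty the keytab links are written to `/`, and with `KEYTAB_MOUNT_PATH` empty the glob becomes `/*`, so every top-level entry of the root filesystem is linked into the keytab directory. I would fail early on the krb5 part with `[[ -n "$KRB5_CONFIG" ]] || { log_stderr "[error] KRB5_CONFIG is not set"; exit 1; }` (or whatever failure convention the entrypoint already uses) and skip the keytab part unless both paths are set: `[[ -n "$KEYTAB_MOUNT_PATH" && -n "$KEYTAB_FINAL_USED_PATH" ]] || return`. The same function is added verbatim to fe_entrypoint.sh and needs the same guards.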
diff --git a/docker/runtime/fe/resource/fe_entrypoint.sh b/docker/runtime/fe/resource/fe_entrypoint.sh
index f992e6b9bff..6076ef55b1a 100755
--- a/docker/runtime/fe/resource/fe_entrypoint.sh
+++ b/docker/runtime/fe/resource/fe_entrypoint.sh
@@ -320,6 +320,51 @@ update_conf_from_configmap()
 add_fqdn_config
 }
+mount_kerberos_config()
+{
+ if [[ ! -n "$KRB5_MOUNT_PATH" ]]; then
+ return
+ fi
+
+ KRB5_CONFIG_DIR=$(dirname "$KRB5_CONFIG")
+ # If the krb5 directory does not exist, need to create it.
+ if [[ ! -d "$KRB5_CONFIG_DIR" ]]; then
+ log_stderr "[info] Creating krb5 directory: $KRB5_CONFIG_DIR"
+ mkdir -p "$KRB5_CONFIG_DIR"
+ fi
+
+ log_stderr "[info] Creating krb5 symlinks for each file from $KRB5_MOUNT_PATH to $KRB5_CONFIG_DIR"
+ # The files under KRB5_MONT_PATH are soft links from other directories. Therefore, a for loop is needed to directly soft link the files.
+ for file in "$KRB5_MOUNT_PATH"/*; do
+ if [ -e "$file" ]; then
+ filename=$(basename "$file")
+ log_stderr "[info] Creating krb5 symlink for $filename"
+ ln -sf "$file" "$KRB5_CONFIG_DIR/$filename"
+ fi
+ done
+
+ if [[ "$KEYTAB_MOUNT_PATH" == "$KEYTAB_FINAL_USED_PATH" ]]; then
+ log_stderr "[info] KEYTAB_MOUNT_PATH is same as KEYTAB_FINAL_USED_PATH, skip creating symlinks"
+ return
+ fi
+
+ # If the keytab directory does not exist, need to create it.
+ if [[ ! -d "$KEYTAB_FINAL_USED_PATH" ]]; then
+ log_stderr "[info] Creating keytab directory: $KEYTAB_FINAL_USED_PATH"
+ mkdir -p "$KEYTAB_FINAL_USED_PATH"
+ fi
+
+ log_stderr "[info] Creating keytab symlinks for each file from $KEYTAB_MOUNT_PATH to $KEYTAB_FINAL_USED_PATH"
+ # The files under KEYTAB_MOUNT_PATH are soft links from other directories. Therefore, a for loop is needed to directly soft link the files.
+ for file in "$KEYTAB_MOUNT_PATH"/*; do
+ if [ -e "$file" ]; then
+ filename=$(basename "$file")
+ log_stderr "[info] Creating keytab symlink for $filename"
+ ln -sf "$file" "$KEYTAB_FINAL_USED_PATH/$filename"
+ fi
+ done
+}
+
 # resolve password for root
 resolve_password_from_secret()
 {
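Review bot: `KRB5_CONFIG_DIR`, `file` and `filename` are assigned in `mount_kerberos_config` without `local`, so they become globals of the entrypoint and stay set after the function returns; the rest of the script is not visible here, but names as generic as `file` are easy to collide with. Add `local KRB5_CONFIG_DIR file filename` as the first line of the body. The comment above the first loop also misspells the variable as `KRB5_MONT_PATH`; it should read `KRB5_MOUNT_PATH`. Both remarks apply equally to the copy in be_entrypoint.sh.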
@@ -393,6 +438,7 @@ if [[ "x$fe_addrs" == "x" ]]; then
 fi
 update_conf_from_configmap
+mount_kerberos_config
 # resolve password for root to manage nodes in doris.
 resolve_password_from_secret
 if [[ -f "/opt/apache-doris/fe/doris-meta/image/ROLE" ]]; then
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org