Add code changes to enable rack awareness features in Hdfs clusters (#429)

* crd changes

* Minor changes, mostly pushing so Sigi can try make run-dev

* Attempt to add a reflector that updates the clusterrolebinding.
Went horribly wrong :)

* WIP, should work, but patch doesn't

* Got clusterrolebinding patching to work.

* Added operator changes to roll out the topology provider.

* Got clusterrolebinding patching to work.

* wip: complete missing code

* merge conflict fixes

* clippy fix

* removed tiltfile and added hadoop path env-var

* restored tiltfile (only meant to delete stack references)

* linting

* cleaned up patching code

* clippy fix

* comment struct fields

* regenerate charts

* wip: working test, but with local image

* cleaned up test

* updated docs and added some code comments

* add listeners to role

* removed listenerclasses from role

* update roles

* class path setting not needed as jar copied to different location in product image

* changelog

* updated docs

* fixed kerberos tests on openshift

* Update rust/operator-binary/src/main.rs

Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

* Update rust/crd/src/lib.rs

Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

* clarified docs

* removed function and created dedicated test for rack-awareness

* cleanup comments and log statement

* Move the code for the hdfs_clusterrolebinding_nodes to a separate module

---------

Co-authored-by: Andrew Kenworthy <andrew.kenworthy@stackable.de>
Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>
Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

Author: 4 people

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
+- Added rack awareness support via topology provider implementation ([#429]).
 - More CRD documentation ([#433]).
 - Support for exposing HDFS clusters to clients outside of Kubernetes ([#450]).
 - Helm: support labels in values.yaml ([#460]).
@@ -30,6 +31,7 @@ All notable changes to this project will be documented in this file.
 - Include hdfs principals `dfs.journalnode.kerberos.principal`, `dfs.namenode.kerberos.principal`
   and `dfs.datanode.kerberos.principal` in the discovery ConfigMap in case Kerberos is enabled ([#451]).
 
+[#429]: https://github.com/stackabletech/hdfs-operator/pull/429
 [#450]: https://github.com/stackabletech/hdfs-operator/pull/450
 [#451]: https://github.com/stackabletech/hdfs-operator/pull/451
 [#454]: https://github.com/stackabletech/hdfs-operator/pull/454

deploy/helm/hdfs-operator/crds/crds.yaml

@@ -83,6 +83,25 @@ spec:
                       enum:
                         - cluster-internal
                       type: string
+                    rackAwareness:
+                      description: Configuration to control HDFS topology (rack) awareness feature
+                      items:
+                        properties:
+                          labelName:
+                            description: Name of the label that will be used to resolve a datanode to a topology zone.
+                            type: string
+                          labelType:
+                            description: Name of the label type that will be typically either `node` or `pod`, used to create a topology out of datanodes.
+                            enum:
+                              - node
+                              - pod
+                            type: string
+                        required:
+                          - labelName
+                          - labelType
+                        type: object
+                      nullable: true
+                      type: array
                     vectorAggregatorConfigMapName:
                       description: Name of the Vector aggregator [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery). It must contain the key `ADDRESS` with the address of the Vector aggregator. Follow the [logging tutorial](https://docs.stackable.tech/home/nightly/tutorials/logging-vector-aggregator) to learn how to configure log aggregation with Vector.
                       nullable: true

deploy/helm/hdfs-operator/templates/roles.yaml

@@ -13,6 +13,7 @@ rules:
     verbs:
       - list
       - watch
+      - get
   - apiGroups:
       - ""
     resources:
@@ -96,6 +97,14 @@ rules:
       - listeners
     verbs:
       - get
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - list
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
@@ -111,6 +120,19 @@ rules:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrolebinding-nodes
+    verbs:
+      - patch
+      - get
+      - update
+      - list
+      - watch
+      - create
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -177,8 +199,15 @@ rules:
       - configmaps
       - secrets
       - serviceaccounts
+      - pods
     verbs:
       - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list
   - apiGroups:
       - events.k8s.io
     resources:
@@ -195,3 +224,25 @@ rules:
     verbs:
       - use
 {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole-nodes
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+      - endpoints
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - listeners.stackable.tech
+    resources:
+      - listeners
+    verbs:
+      - get
+      - list

deploy/helm/hdfs-operator/templates/serviceaccount.yaml

@@ -26,4 +26,16 @@ roleRef:
   kind: ClusterRole
   name: {{ include "operator.fullname" . }}-clusterrole
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "operator.name" . }}-clusterrolebinding-nodes
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "operator.name" . }}-clusterrole-nodes
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}

docs/modules/hdfs/pages/usage-guide/operations/rack-awareness.adoc

@@ -1,80 +1,18 @@
 = HDFS Rack Awareness
 
-Apache Hadoop supports a feature called Rack Awareness, which allows defining a topology for the nodes making up a cluster.
+Apache Hadoop supports a feature called Rack Awareness, which allows users to define a topology for the nodes making up a cluster.
 Hadoop will then use that topology to spread out replicas of blocks in a fashion that maximizes fault tolerance.
 
 The default write path, for example, is to put replicas of a newly created block first on a different node, but within the same rack, and the second copy on a node in a remote rack.
-In order for this to work properly, Hadoop needs to have information about the underlying infrastructure it runs on available - in a Kubernetes environment, this means obtaining information from the pods or nodes of the cluster.
+In order for this to work properly, Hadoop needs to have access to the information about the underlying infrastructure it runs on. In a Kubernetes environment, this means obtaining information from the pods or nodes of the cluster.
 
 In order to enable gathering this information the Hadoop images contain https://github.com/stackabletech/hdfs-topology-provider on the classpath, which can be configured to read labels from Kubernetes objects.
 
-In the current version of the SDP this is not exposed as fully integrated functionality in the operator, but rather needs to be configured via config overrides.
+In the current version of the SDP this is now exposed as fully integrated functionality in the operator, and no longer needs to be configured via config overrides.
 
+NOTE: Prior to SDP release 24.3, it was necessary to manually deploy RBAC objects to allow the Hadoop pods access to the necessary Kubernetes objects. This ClusterRole allows the reading of pods and nodes and needs to be bound to the individual ServiceAccounts that are deployed per Hadoop cluster: this is now performed by the operator itself.
 
-NOTE: Until the operator code has been merged, users will need to manually deploy RBAC objects to allow the Hadoop pods access to the necessary Kubernetes objects.
-
-Specifically this is a ClusterRole that allows reading pods and nodes, which needs to be bound to the individual ServiceAccounts that are deployed per Hadoop cluster.
-
-The following listing shows the generic objects that need to be deployed:
-
-[source,yaml]
-----
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: hdfs-clusterrole-nodes
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-      - pods
-    verbs:
-      - get
-      - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
-kind: ClusterRoleBinding
-metadata:
-  name: hdfs-clusterrolebinding-nodes
-roleRef:
-  kind: ClusterRole
-  name: hdfs-clusterrole-nodes
-  apiGroup: rbac.authorization.k8s.io
-----
-
-In addition to this, the ClusterRoleBinding object needs to be patched with an entry for every Hadoop cluster in the `subjects` field:
-
-[source,yaml]
-----
-subjects:
-  - kind: ServiceAccount
-    name: hdfs-<clustername>-serviceaccount
-    namespace: <cluster-namespace>
-----
-
-So for an HDFS cluster using the ServiceAccount `hdfs-serviceaccount` in the `stackable` namespace, the full ClusterRoleBinding would look like this:
-[source,yaml]
-----
----
-apiVersion: rbac.authorization.k8s.io/v1
-# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
-kind: ClusterRoleBinding
-metadata:
-  name: hdfs-clusterrolebinding-nodes
-subjects:
-  - kind: ServiceAccount
-    name: hdfs-serviceaccount
-    namespace: stackable
-roleRef:
-  kind: ClusterRole
-  name: hdfs-clusterrole-nodes
-  apiGroup: rbac.authorization.k8s.io
-----
-
-To then configure the cluster for rack awareness, the following setting needs to be set via config override:
+Configuration of the tool is done by using the field `rackAwareness` under the cluster configuration:
 
 [source,yaml]
 ----
@@ -83,35 +21,14 @@ kind: HdfsCluster
 metadata:
   name: simple-hdfs
 spec:
+  clusterConfig:
+    rackAwareness:
+      - labelType: node
+        labelName: topology.kubernetes.io/zone
+      - labelType: pod
+        labelName: app.kubernetes.io/role-group
   nameNodes:
-    configOverrides:
-      core-site.xml:
-        net.topology.node.switch.mapping.impl: tech.stackable.hadoop.StackableTopologyProvider
+    ...
 ----
 
-This instructs the namenode to use the topology tool for looking up information from Kubernetes.
-
-Configuration of the tool is then done via the environment variable `TOPOLOGY_LABELS`.
-
-This variable can be set to a semicolon separated list (maximum of two levels are allowed by default) of the following format: [node|pod]:<labelname>
-
-
-So for example `node:topology.kubernetes.io/zone;pod:app.kubernetes.io/role-group` would resolve to /<value of label topology.kubernetes.io/zone on the node>/<value of label app.kubernetes.io/role-group on the pod>.
-
-
-A full example of configuring this would look like this:
-
-[source,yaml]
-----
-apiVersion: hdfs.stackable.tech/v1alpha1
-kind: HdfsCluster
-metadata:
-  name: simple-hdfs
-spec:
-  nameNodes:
-    configOverrides:
-      core-site.xml:
-        net.topology.node.switch.mapping.impl: tech.stackable.hadoop.StackableTopologyProvider
-    envOverrides:
-      TOPOLOGY_LABELS: "node:topology.kubernetes.io/zone;pod:app.kubernetes.io/role-group"
-----
+Internally this will be used to create a topology label consisting of the value of the node label `topology.kubernetes.io/zone` and the pod label `app.kubernetes.io/role-group`, e.g. `/eu-central-1/rg1`.