apache · morazow · Jan 14, 2026 · Jan 14, 2026 · Jan 16, 2026 · Jan 18, 2026
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -63,4 +63,27 @@ Selector labels
 {{- define "fluss.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "fluss.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fluss.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "fluss.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate JAAS configuration for SASL
+*/}}
+{{- define "fluss.sasl.jaasConfig" -}}
+FlussServer {
+   org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+   {{- range .Values.sasl.users }}
+   user_{{ .username }}="{{ .password }}"
+   {{- end }};
+};
+{{- end }}
diff --git a/helm/templates/rbac.yaml b/helm/templates/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "fluss.fullname" . }}-metadata-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "fluss.fullname" . }}-metadata-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "fluss.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "fluss.fullname" . }}-metadata-reader
+{{- end -}}
diff --git a/helm/templates/secret-sasl.yaml b/helm/templates/secret-sasl.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.sasl.enabled -}}
+{{- if not .Values.sasl.existingSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fluss.fullname" . }}-sasl-jaas-config
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+type: Opaque
+data:
+  jaas.conf: {{ include "fluss.sasl.jaasConfig" . | b64enc | quote }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/templates/sts-coordinator.yaml b/helm/templates/sts-coordinator.yaml
@@ -35,41 +35,106 @@ spec:
         {{- include "fluss.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: coordinator
     spec:
-      {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ .Values.serviceAccount.name | default (include "fluss.fullname" .) }}
+      serviceAccountName: {{ include "fluss.serviceAccountName" . }}
+      {{- if .Values.externalAccess.enabled }}
+      initContainers:
+        - name: auto-discovery
+          image: "{{ .Values.externalAccess.initContainer.image.registry }}/{{ .Values.externalAccess.initContainer.image.repository }}:{{ .Values.externalAccess.initContainer.image.tag }}"
+          imagePullPolicy: {{ .Values.externalAccess.initContainer.image.pullPolicy }}
+          command:
+            - "/bin/bash"
+            - "-c"
+            - |
+              SVC_NAME="coordinator-server-external"
+              echo "Waiting for service $SVC_NAME external IP..."
+              EXTERNAL_HOST=""
+              while [ -z "$EXTERNAL_HOST" ]; do
+                EXTERNAL_HOST=$(kubectl get svc $SVC_NAME -n $POD_NAMESPACE -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+                if [ -z "$EXTERNAL_HOST" ]; then
+                  sleep 5
+                fi
+              done
+              echo "Found external hostname: $EXTERNAL_HOST"
+              echo "$EXTERNAL_HOST" > /shared/external.host
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: shared
+              mountPath: /shared
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-coordinator
           image: "{{.Values.image.repository}}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: POD_NAME
-              valueFrom: 
-                fieldRef: 
-                  fieldPath: metadata.name 
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
             - name: POD_IP
-              valueFrom: 
-                fieldRef: 
+              valueFrom:
+                fieldRef:
                   fieldPath: status.podIP
             - name: POD_NAMESPACE
-              valueFrom: 
-                fieldRef: 
+              valueFrom:
+                fieldRef:
                   fieldPath: metadata.namespace
             - name: NODE_IP
               valueFrom:
                 fieldRef:
                   fieldPath: status.hostIP
+          ports:
+            - name: internal
+              containerPort: {{ .Values.listeners.internal.port }}
+            - name: client
+              containerPort: {{ .Values.listeners.client.port }}
+            {{- if .Values.externalAccess.enabled }}
+            - name: external
+              containerPort: {{ .Values.listeners.external.port }}
+            {{- end }}
           command:
             - "/bin/sh"
             - "-c"
             - |
               export FLUSS_SERVER_ID=${POD_NAME##*-} && \
               cp /opt/conf/server.yaml $FLUSS_HOME/conf && \
 
+              BIND_LISTENERS="INTERNAL://${POD_IP}:{{ .Values.listeners.internal.port }}, CLIENT://${POD_IP}:{{ .Values.listeners.client.port }}" && \
+              ADVERTISED_LISTENERS="CLIENT://${POD_NAME}.coordinator-server-hs.${POD_NAMESPACE}.svc.cluster.local:{{ .Values.listeners.client.port }}" && \
+
+              {{- if .Values.externalAccess.enabled }}
+              if [ -f /shared/external.host ]; then
+                EXTERNAL_HOST=$(cat /shared/external.host) && \
+                ADVERTISED_LISTENERS="${ADVERTISED_LISTENERS}, EXTERNAL://${EXTERNAL_HOST}:{{ .Values.listeners.external.port }}" && \
+                BIND_LISTENERS="${BIND_LISTENERS}, EXTERNAL://${POD_IP}:{{ .Values.listeners.external.port }}"
+              fi && \
+              {{- end }}
+
               echo "" >> $FLUSS_HOME/conf/server.yaml && \
-              echo "tablet-server.id: ${FLUSS_SERVER_ID}" >> $FLUSS_HOME/conf/server.yaml && \
-              echo "bind.listeners: INTERNAL://0.0.0.0:{{ .Values.appConfig.internalPort }}, CLIENT://0.0.0.0:{{ .Values.appConfig.externalPort }}" >> $FLUSS_HOME/conf/server.yaml && \
-              echo "advertised.listeners: CLIENT://${POD_NAME}.coordinator-server-hs.${POD_NAMESPACE}.svc.cluster.local:{{ .Values.appConfig.externalPort }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "bind.listeners: ${BIND_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "advertised.listeners: ${ADVERTISED_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
+
+              {{- if .Values.sasl.enabled }}
+              {{- $jaasUsers := list -}}
+              {{- range .Values.sasl.users }}
+              {{- $jaasUsers = append $jaasUsers (printf "user_%s=\\\"%s\\\"" .username .password) -}}
+              {{- end }}
+              echo "security.sasl.enabled.mechanisms: {{ .Values.sasl.mechanism }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.sasl.plain.jaas.config: org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required {{ join " " $jaasUsers }};" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.protocol.map: INTERNAL:sasl,CLIENT:sasl{{ if .Values.externalAccess.enabled }},EXTERNAL:sasl{{ end }}" >> $FLUSS_HOME/conf/server.yaml && \
+
+              echo "client.security.protocol: SASL" >> conf/server.yaml && \
+              echo "client.security.sasl.mechanism: {{ .Values.sasl.mechanism }}" >> conf/server.yaml && \
+              echo "client.security.sasl.username: {{ (first .Values.sasl.users).username }}" >> conf/server.yaml && \
+              echo "client.security.sasl.password: {{ (first .Values.sasl.users).password }}" >> conf/server.yaml && \
+              {{- end }}
 
               bin/coordinator-server.sh start-foreground
           livenessProbe:
@@ -78,21 +143,30 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 3
             tcpSocket:
-              port: {{.Values.appConfig.externalPort}}
+              port: {{ .Values.listeners.client.port }}
           readinessProbe:
             failureThreshold: 100
             timeoutSeconds: 1
             initialDelaySeconds: 10
             periodSeconds: 3
             tcpSocket:
-              port: {{.Values.appConfig.externalPort}}
+              port: {{ .Values.listeners.client.port }}
           resources:
             {{- toYaml .Values.resources.tabletServer | nindent 12 }}
           volumeMounts:
             - name: fluss-conf
               mountPath: /opt/conf
             - name: data
               mountPath: /tmp/fluss/data
+            {{- if .Values.sasl.enabled }}
+            - name: sasl-config
+              mountPath: /etc/fluss/conf
+              readOnly: true
+            {{- end }}
+            {{- if .Values.externalAccess.enabled }}
+            - name: shared
+              mountPath: /shared
+            {{- end }}
       volumes:
         - name: fluss-conf
           configMap:
@@ -101,6 +175,15 @@ spec:
         - name: data
           emptyDir: {}
         {{- end }}
+        {{- if .Values.sasl.enabled }}
+        - name: sasl-config
+          secret:
+            secretName: {{ if .Values.sasl.existingSecret }}{{ .Values.sasl.existingSecret }}{{ else }}{{ include "fluss.fullname" . }}-sasl-jaas-config{{ end }}
+        {{- end }}
+        {{- if .Values.externalAccess.enabled }}
+        - name: shared
+          emptyDir: {}
+        {{- end }}
   {{- if .Values.persistence.enabled }}
   volumeClaimTemplates:
     - metadata:
@@ -111,4 +194,4 @@ spec:
           requests:
             storage: {{ .Values.persistence.size }}
         storageClassName: {{ .Values.persistence.storageClass }}
-  {{- end}}
+  {{- end}}