Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/07/21 17:32:46 UTC

[GitHub] [airflow] kaxil opened a new pull request #17142: Chart: Create a random secret for Webserver's flask secret key

kaxil opened a new pull request #17142:
URL: https://github.com/apache/airflow/pull/17142


   After https://github.com/apache/airflow/pull/16754 -- it is important that both Webserver and Worker have the same config value for `[webserver] secret_key` or else you will see the following error:
   
   ```
   *** Fetching from: https://worker.worker-svc.default.svc.cluster.local:8793/log/<dag>/<task>/2021-07-15T11:51:59.190528+00:00/1.log
   *** Failed to fetch log file from worker. 403 Client Error: FORBIDDEN for url: https://worker.worker-svc.default.svc.cluster.local:8793/log/<dag>/<task>/2021-07-15T11:51:59.190528+00:00/1.log
   For more information check: https://httpstatuses.com/403
   ```
   
   This happens because Airflow generates a random value for them if a value isn't provided, which causes a random string to be generated on the webserver and the worker. Hence they don't match, resulting in the error.
   
   This PR creates a K8s Secret object, creates a key for that setting and passes it as an Env Var, similar to what we do with the Fernet Key.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
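
Added example, not part of the PR or of Airflow's code: a minimal model of the failure described in the pull request above, assuming the worker's log endpoint only serves requests that carry a token signed with `[webserver] secret_key`. The HMAC token format and the names `resolve_secret_key`, `sign_log_request`, `worker_status` and `fetch` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

def resolve_secret_key(configured=None):
    """Model the fallback from the PR text: a missing value becomes a fresh random one."""
    return configured if configured is not None else secrets.token_hex(16)

def sign_log_request(secret_key, path, now=None):
    """Webserver side: issue a timestamped HMAC-SHA256 token bound to one log path."""
    issued = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret_key.encode(), f"{issued}:{path}".encode(), hashlib.sha256)
    return f"{issued}.{mac.hexdigest()}"

def worker_status(secret_key, path, token, now=None, max_age=30):
    """Worker side: return the HTTP status the log endpoint would answer with."""
    try:
        issued, digest = token.split(".", 1)
        age = int(now if now is not None else time.time()) - int(issued)
    except ValueError:
        return 403  # malformed token
    expected = hmac.new(secret_key.encode(), f"{issued}:{path}".encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest().encode(), digest.encode()):
        return 403  # signed with a different key: the mismatch behind the 403
    return 200 if 0 <= age <= max_age else 403  # stale or future-dated tokens are refused

def fetch(webserver_key, worker_key, path="/log/dag/task/1.log"):
    """One log fetch: the webserver signs at t=1000, the worker verifies at t=1005."""
    token = sign_log_request(webserver_key, path, now=1000)
    return worker_status(worker_key, path, token, now=1005)

def demo():
    # Before: nothing configured, so each pod falls back to its own random key.
    before = fetch(resolve_secret_key(), resolve_secret_key())
    # After: one value from a shared Kubernetes Secret reaches both pods as an env var.
    shared = secrets.token_hex(16)  # constructed sample standing in for the Secret's data
    after = fetch(resolve_secret_key(shared), resolve_secret_key(shared))
    return before, after

if __name__ == "__main__":
    print(demo())
```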



[GitHub] [airflow] kaxil merged pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
kaxil merged pull request #17142:
URL: https://github.com/apache/airflow/pull/17142


   





[GitHub] [airflow] dstandish commented on pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
dstandish commented on pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#issuecomment-942889154


   i noticed some secrets are defined under `data`:
   ```yaml
   # Airflow database & redis config
   data:
     # If secret names are provided, use those secrets
     metadataSecretName: ~
     resultBackendSecretName: ~
     brokerUrlSecretName: ~
   ```
   
   but others are at top level of values:
   ```yaml
   # Fernet key settings
   # Note: fernetKey can only be set during install, not upgrade
   fernetKey: ~
   fernetKeySecretName: ~
   
   # Flask secret key for Airflow Webserver: `[webserver] secret_key` in airflow.cfg
   webserverSecretKey: ~
   webserverSecretKeySecretName: ~
   ```
   
   would it make sense to combine all of them under `data`?





[GitHub] [airflow] jedcunningham commented on a change in pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on a change in pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#discussion_r674195146



##########
File path: chart/tests/test_basic_helm_chart.py
##########
@@ -190,6 +191,7 @@ def test_labels_are_valid(self):
             (f"{release_name}-statsd", "Service", "statsd"),
             (f"{release_name}-statsd-policy", "NetworkPolicy", "statsd-policy"),
             (f"{release_name}-webserver", "Deployment", "webserver"),
+            (f"{release_name}-webserver-secret-key", "Secret", None),
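
Review bot: the added entry on the `+` line only asserts that a Secret named `{release_name}-webserver-secret-key` is rendered with valid labels; nothing visible here checks that the webserver and worker pod templates both take `[webserver] secret_key` from it. Since the description ties the 403 on log fetch to those two values differing, a companion test that renders both pod templates and asserts they reference the same Secret and key would guard the actual fix.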

Review comment:
       Should we add `component=webserver`?







[GitHub] [airflow] dstandish edited a comment on pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
dstandish edited a comment on pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#issuecomment-942889154


   i noticed some secrets are defined under `data`:
   ```yaml
   # Airflow database & redis config
   data:
     # If secret names are provided, use those secrets
     metadataSecretName: ~
     resultBackendSecretName: ~
     brokerUrlSecretName: ~
   ```
   
   but others are at top level of values:
   ```yaml
   # Fernet key settings
   # Note: fernetKey can only be set during install, not upgrade
   fernetKey: ~
   fernetKeySecretName: ~
   
   # Flask secret key for Airflow Webserver: `[webserver] secret_key` in airflow.cfg
   webserverSecretKey: ~
   webserverSecretKeySecretName: ~
   ```
   
   would it make sense to combine all of them under `data`?
   
   oh ... after reading the comment i see that `data` is intended to mean metastore-related config
   
   i was interpreting it as like ... data for the chart (i.e. which secrets to use for what)





[GitHub] [airflow] kaxil commented on a change in pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#discussion_r674198590



##########
File path: chart/tests/test_basic_helm_chart.py
##########
@@ -190,6 +191,7 @@ def test_labels_are_valid(self):
             (f"{release_name}-statsd", "Service", "statsd"),
             (f"{release_name}-statsd-policy", "NetworkPolicy", "statsd-policy"),
             (f"{release_name}-webserver", "Deployment", "webserver"),
+            (f"{release_name}-webserver-secret-key", "Secret", None),
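
Review bot: the third element of the new tuple is `None`, while every neighbouring entry names its component (`statsd`, `statsd-policy`, `webserver`), so this Secret would be the one object in the visible list without a component label. Using `"webserver"` here, with the matching label in the Secret's template, keeps it selectable alongside the Deployment above it.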

Review comment:
       Good point, updated







[GitHub] [airflow] github-actions[bot] commented on pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#issuecomment-884370899


   The PR is likely OK to be merged with just a subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.





[GitHub] [airflow] dstandish edited a comment on pull request #17142: Chart: Create a random secret for Webserver's flask secret key

Posted by GitBox <gi...@apache.org>.
dstandish edited a comment on pull request #17142:
URL: https://github.com/apache/airflow/pull/17142#issuecomment-942889154


   i noticed some secrets are defined under `data`:
   ```yaml
   # Airflow database & redis config
   data:
     # If secret names are provided, use those secrets
     metadataSecretName: ~
     resultBackendSecretName: ~
     brokerUrlSecretName: ~
   ```
   
   but others are at top level of values:
   ```yaml
   # Fernet key settings
   # Note: fernetKey can only be set during install, not upgrade
   fernetKey: ~
   fernetKeySecretName: ~
   
   # Flask secret key for Airflow Webserver: `[webserver] secret_key` in airflow.cfg
   webserverSecretKey: ~
   webserverSecretKeySecretName: ~
   ```
   
   would it make sense to combine all of them under `data`?
   
   oh ... i guess data means like metastore-related config
   
   i was interpreting it as like ... data for the chart (i.e. which secrets to use for what)

