Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/01/06 16:50:36 UTC

[GitHub] [airflow] Junnplus opened a new pull request #13516: Add verity_ssl config for kubernetes

Junnplus opened a new pull request #13516:
URL: https://github.com/apache/airflow/pull/13516


   `certificate verify failed` is a common issue for the k8s Python client without ssl_cert. I have the same problem when deploying Airflow in k8s on alicloud.
   - using `cleanup_pods` to clean up k8s pods raises this error
   - using `KubernetesPodOperator` also raises it
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] Junnplus commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
Junnplus commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r553165330



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)
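
Review bot: The helper is defined as `_disable_verity_ssl` here, while the call added in `get_kube_client` is `_disable_verify_ssl()`, so with the option set to false the call would raise a NameError instead of changing the configuration; rename the definition to `_disable_verify_ssl`. Separately, `client.Configuration.set_default(configuration)` replaces the default for every Kubernetes client created later in the process, not only the one returned by this module, so the docstring should say the switch is process-wide and that pointing `ssl_ca_cert` at a valid CA bundle is the preferred fix when the mounted bundle is wrong.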

Review comment:
       When using `in_cluster` mode, the Python k8s client will load the in-cluster config, but the certificate bundle `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` is invalid on alicloud.
   Setting `verify_ssl` can skip verifying the SSL certificate:
   https://github.com/kubernetes-client/python/blob/master/kubernetes/client/configuration.py#L130







[GitHub] [airflow] mik-laj commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555362524



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)

Review comment:
       Is it possible to follow the error with invalid certificate on Alicloud somewhere?







[GitHub] [airflow] Junnplus commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
Junnplus commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r553167751



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)

Review comment:
       Related issue: https://github.com/kubernetes-client/python/issues/490
   and the cleanup pod error:
   ```Max retries exceeded with url: /api/v1/namespaces/airflow/pods?continue=None&limit=500 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))```







[GitHub] [airflow] mik-laj commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555356541



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -123,5 +128,8 @@ def get_kube_client(
     if conf.getboolean('kubernetes', 'enable_tcp_keepalive', fallback=False):
         _enable_tcp_keepalive()
 
+    if not conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
+        _disable_verify_ssl()
+
     client_conf = _get_kube_config(in_cluster, cluster_context, config_file)
     return _get_client_with_patched_configuration(client_conf)
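
Review bot: Nothing is logged in the `if not conf.getboolean('kubernetes', 'verify_ssl', fallback=True):` branch, so a deployment can run with API-server certificate verification switched off and leave no trace of it; emit a warning inside this branch. The `fallback=True` default keeps verification on, which is the right default, and the new `[kubernetes] verify_ssl` option needs an entry in the configuration reference. A short comment explaining why the call sits before `_get_kube_config` would also help the next reader.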

Review comment:
       ```suggestion
       client_conf = _get_kube_config(in_cluster, cluster_context, config_file)
       if conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
           configuration.verify_ssl = False
       return _get_client_with_patched_configuration(client_conf)
   ```
   It seems to me that in this way we will avoid modifying the global configuration.







[GitHub] [airflow] Junnplus commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
Junnplus commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555438133



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -123,5 +128,8 @@ def get_kube_client(
     if conf.getboolean('kubernetes', 'enable_tcp_keepalive', fallback=False):
         _enable_tcp_keepalive()
 
+    if not conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
+        _disable_verify_ssl()
+
     client_conf = _get_kube_config(in_cluster, cluster_context, config_file)
     return _get_client_with_patched_configuration(client_conf)

Review comment:
       @mik-laj this way seems to be invalid for in-cluster mode







[GitHub] [airflow] kaxil merged pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
kaxil merged pull request #13516:
URL: https://github.com/apache/airflow/pull/13516


   





[GitHub] [airflow] github-actions[bot] commented on pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#issuecomment-755879933


   [The Workflow run](https://github.com/apache/airflow/actions/runs/467869388) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.





[GitHub] [airflow] kaxil commented on pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
kaxil commented on pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#issuecomment-758020242


   cc @dimberman @mik-laj 





[GitHub] [airflow] github-actions[bot] commented on pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#issuecomment-758143198


   The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease.





[GitHub] [airflow] github-actions[bot] commented on pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#issuecomment-758296276


   [The Workflow run](https://github.com/apache/airflow/actions/runs/477780522) is cancelling this PR. Building images for the PR has failed. Follow the workflow link to check the reason.





[GitHub] [airflow] github-actions[bot] commented on pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#issuecomment-755880154


   [The Workflow run](https://github.com/apache/airflow/actions/runs/467874355) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.





[GitHub] [airflow] kaxil commented on a change in pull request #13516: Add verity_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r553045491



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:

Review comment:
       ```suggestion
       def _disable_verify_ssl() -> None:
   ```







[GitHub] [airflow] mik-laj commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555362524



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)

Review comment:
       Is it possible to trace the error with invalid certificate on Alicloud somewhere?







[GitHub] [airflow] mik-laj commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555356541



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -123,5 +128,8 @@ def get_kube_client(
     if conf.getboolean('kubernetes', 'enable_tcp_keepalive', fallback=False):
         _enable_tcp_keepalive()
 
+    if not conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
+        _disable_verify_ssl()
+
     client_conf = _get_kube_config(in_cluster, cluster_context, config_file)
     return _get_client_with_patched_configuration(client_conf)

Review comment:
       ```suggestion
       if not conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
           configuration.verify_ssl = False
   
       client_conf = _get_kube_config(in_cluster, cluster_context, config_file)
       if conf.getboolean('kubernetes', 'verify_ssl', fallback=True):
           
       return _get_client_with_patched_configuration(client_conf)
   ```
   It seems to me that in this way we will avoid modifying the global configuration.







[GitHub] [airflow] Junnplus commented on a change in pull request #13516: Add verify_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
Junnplus commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r555442189



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)

Review comment:
       @mik-laj I only found a related issue: https://github.com/getsentry/sentry-kubernetes/pull/38
   It seems to be an internal implementation for alicloud.







[GitHub] [airflow] kaxil commented on a change in pull request #13516: Add verity_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r553048763



##########
File path: tests/kubernetes/test_client.py
##########
@@ -50,3 +56,10 @@ def test_enable_tcp_keepalive(self):
 
         self.assertEqual(HTTPConnection.default_socket_options, expected_http_connection_options)
         self.assertEqual(HTTPSConnection.default_socket_options, expected_https_connection_options)
+
+    def test_disable_verity_ssl(self):
+        self.assertTrue(Configuration.verify_ssl)
+
+        _disable_verity_ssl()
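
Review bot: `test_disable_verity_ssl` calls the helper, which replaces the process-wide default `Configuration`, and the visible lines do not restore it, so tests that run later in the same process may build clients with certificate verification off; reset the default in `tearDown` or patch `Configuration.set_default` for the duration of the test. The test name and the call should also use the `_disable_verify_ssl` spelling that `get_kube_client` calls.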

Review comment:
       ```suggestion
           _disable_verify_ssl()
   ```







[GitHub] [airflow] kaxil commented on a change in pull request #13516: Add verity_ssl config for kubernetes

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #13516:
URL: https://github.com/apache/airflow/pull/13516#discussion_r553049503



##########
File path: airflow/kubernetes/kube_client.py
##########
@@ -58,6 +58,11 @@ def _get_client_with_patched_configuration(cfg: Optional[Configuration]) -> clie
         else:
             return client.CoreV1Api()
 
+    def _disable_verity_ssl() -> None:
+        configuration = client.Configuration()
+        configuration.verify_ssl = False
+        client.Configuration.set_default(configuration)

Review comment:
       I am not sure how this works -- can you explain please since we don't use the client you are using over here



