Posted to commits@airflow.apache.org by po...@apache.org on 2021/11/05 17:05:21 UTC

[airflow] branch main updated: Allow specifying kerberos keytab in the chart (#19054)

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 4b0aeb9  Allow specifying kerberos keytab in the chart (#19054)
4b0aeb9 is described below

commit 4b0aeb926c055fc36740363d6e438ab7c2165d71
Author: Aakcht <aa...@gmail.com>
AuthorDate: Fri Nov 5 20:03:47 2021 +0300

    Allow specifying kerberos keytab in the chart (#19054)
---
 chart/templates/secrets/kerberos-keytab.yaml   | 35 ++++++++++++++++++++++++++
 chart/templates/workers/worker-deployment.yaml |  1 +
 chart/tests/test_kerberos.py                   | 35 +++++++++++++++++++++++++-
 chart/values.schema.json                       |  8 ++++++
 chart/values.yaml                              |  6 +++++
 5 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/chart/templates/secrets/kerberos-keytab.yaml b/chart/templates/secrets/kerberos-keytab.yaml
new file mode 100644
index 0000000..e41a9e2
--- /dev/null
+++ b/chart/templates/secrets/kerberos-keytab.yaml
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{ if .Values.kerberos.keytabBase64Content }}
+apiVersion: v1
+metadata:
+  name: {{ include "kerberos_keytab_secret" . | quote }}
+  labels:
+    tier: airflow
+    component: webserver
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}
+    heritage: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+  kerberos.keytab: {{ .Values.kerberos.keytabBase64Content }}
+kind: Secret
+type: Opaque
+{{ end }}
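Review bot: The Secret on lines 52–69 is rendered whenever `kerberos.keytabBase64Content` is set, without also checking `kerberos.enabled`, so a value left over in a values file still creates a Secret holding keytab material after Kerberos has been switched off; gating the template with `{{ if and .Values.kerberos.enabled .Values.kerberos.keytabBase64Content }}` keeps the two settings consistent. The `component: webserver` label on line 58 looks carried over from another secret template — the checksum annotation this commit adds lives in worker-deployment.yaml, so the consumer appears to be the worker and the label should say so or be dropped. Emitting the value unquoted on line 66 relies on the base64 text never parsing as a non-string YAML scalar (an all-digit value would become an integer); `kerberos.keytab: {{ .Values.kerberos.keytabBase64Content | quote }}` avoids that, matching the `| quote` already used for `name` on line 55.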
diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml
index de6b4c6..666ba06 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -68,6 +68,7 @@ spec:
         checksum/result-backend-secret: {{ include (print $.Template.BasePath "/secrets/result-backend-connection-secret.yaml") . | sha256sum }}
         checksum/pgbouncer-config-secret: {{ include (print $.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
         checksum/webserver-secret-key: {{ include (print $.Template.BasePath "/secrets/webserver-secret-key-secret.yaml") . | sha256sum }}
+        checksum/kerberos-keytab: {{ include (print $.Template.BasePath "/secrets/kerberos-keytab.yaml") . | sha256sum }}
         checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
         checksum/extra-configmaps: {{ include (print $.Template.BasePath "/configmaps/extra-configmaps.yaml") . | sha256sum }}
         checksum/extra-secrets: {{ include (print $.Template.BasePath "/secrets/extra-secrets.yaml") . | sha256sum }}
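Review bot: The new `checksum/kerberos-keytab` annotation hashes the rendered kerberos-keytab.yaml, which contains only the license header when the keytab Secret is created out of band (the path the values.yaml comment documents), so in that configuration the annotation is a constant and rotating the pre-created Secret will not roll the workers; the chart docs should state that automatic restart on keytab change applies only to `keytabBase64Content`. The annotation also places a SHA-256 of a rendering that includes the keytab bytes into pod metadata, which is the same pattern as the surrounding secret checksums on lines 75–77, so it is a pre-existing design choice rather than a new exposure. The enclosing pod template continues outside the hunk.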
diff --git a/chart/tests/test_kerberos.py b/chart/tests/test_kerberos.py
index fbf8e70..b3ffb7d 100644
--- a/chart/tests/test_kerberos.py
+++ b/chart/tests/test_kerberos.py
@@ -31,7 +31,7 @@ class KerberosTest(unittest.TestCase):
             obj for obj in k8s_objects if obj["metadata"]["name"] != "NO-KERBEROS-airflow-config"
         ]
         k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider)
-        assert "kerberos" not in k8s_objects_to_consider_str
+        assert k8s_objects_to_consider_str.count("kerberos") == 1
 
     def test_kerberos_envs_available_in_worker_with_persistence(self):
         docs = render_chart(
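Review bot: `k8s_objects_to_consider_str.count("kerberos") == 1` on line 91 pins an exact occurrence count without saying which occurrence is expected, so the assertion breaks on any unrelated rename and would still pass if the intended hit disappeared while another appeared; presumably the remaining hit is the new worker annotation, which this hunk does not show. Naming it makes the intent explicit: `assert "checksum/kerberos-keytab" in k8s_objects_to_consider_str` followed by `assert k8s_objects_to_consider_str.count("kerberos") == k8s_objects_to_consider_str.count("checksum/kerberos-keytab")`. The test method begins outside the hunk.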
@@ -95,3 +95,36 @@ class KerberosTest(unittest.TestCase):
             show_only=["templates/workers/worker-deployment.yaml"],
         )
         assert jmespath.search("spec.template.spec.containers[0].resources", docs[0]) == {}
+
+    def test_kerberos_keytab_secret_available(self):
+        docs = render_chart(
+            values={
+                "executor": "CeleryExecutor",
+                "kerberos": {
+                    "enabled": True,
+                    "keytabBase64Content": "dGVzdGtleXRhYg==",
+                    "configPath": "/etc/krb5.conf",
+                    "ccacheMountPath": "/var/kerberos-ccache",
+                    "ccacheFileName": "ccache",
+                },
+            },
+            show_only=["templates/secrets/kerberos-keytab.yaml"],
+        )
+
+        assert jmespath.search('data."kerberos.keytab"', docs[0]) == "dGVzdGtleXRhYg=="
+
+    def test_kerberos_keytab_secret_unavailable_when_not_specified(self):
+        docs = render_chart(
+            values={
+                "executor": "CeleryExecutor",
+                "kerberos": {
+                    "enabled": True,
+                    "configPath": "/etc/krb5.conf",
+                    "ccacheMountPath": "/var/kerberos-ccache",
+                    "ccacheFileName": "ccache",
+                },
+            },
+            show_only=["templates/secrets/kerberos-keytab.yaml"],
+        )
+
+        assert 0 == len(docs)
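Review bot: `test_kerberos_keytab_secret_available` checks only the data key, so a template regression that still emits the value but breaks the object (wrong kind or type) would pass; add `assert jmespath.search("kind", docs[0]) == "Secret"` and `assert jmespath.search("type", docs[0]) == "Opaque"` after line 115. Neither new test covers `"enabled": False` together with `keytabBase64Content` set, which is the case where the rendering behaviour is least obvious from the template; a third test in the same shape asserting an empty render would document the intended behaviour. `assert 0 == len(docs)` on line 131 reads more naturally as `assert docs == []`.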
diff --git a/chart/values.schema.json b/chart/values.schema.json
index d847a3d..3f5cdc2 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -862,6 +862,14 @@
                     "type": "string",
                     "default": "/etc/krb5.conf"
                 },
+                "keytabBase64Content": {
+                    "description": "Kerberos keytab base64 encoded content.",
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "default": null
+                },
                 "keytabPath": {
                     "description": "Path to mount the keytab for refreshing credentials in the kerberos sidecar.",
                     "type": "string",
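Review bot: The new `keytabBase64Content` property on lines 140–147 accepts any string, so a value that is not valid base64 is only rejected later when the Secret is applied or the keytab is read by the sidecar; a `"pattern"` constraint such as `"^[A-Za-z0-9+/]*={0,2}$"` (constructed, adjust to the encoder in use) would fail `helm lint`/install with a clear message instead. The description could also state that the value is stored in the release values and that a pre-created Secret is the alternative, which the values.yaml comment explains but the schema, the text that tooling surfaces, does not.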
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c5b04c..b558a93 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -327,11 +327,17 @@ webserverSecretKeySecretName: ~
 #
 #  kubectl create secret generic {{ .Release.name }}-kerberos-keytab --from-file=kerberos.keytab
 #
+#
+#  Alternatively, instead of manually creating the secret, it is possible to specify
+#  kerberos.keytabBase64Content parameter. This parameter should contain base64 encoded keytab.
+#
+
 kerberos:
   enabled: false
   ccacheMountPath: /var/kerberos-ccache
   ccacheFileName: cache
   configPath: /etc/krb5.conf
+  keytabBase64Content: ~
   keytabPath: /etc/airflow.keytab
   principal: airflow@FOO.COM
   reinitFrequency: 3600
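Review bot: The new comment on lines 160–161 says the parameter exists but not that the keytab then lives in the release values, and therefore in the Helm release Secret and in any values file that gets committed; one added line such as `#  Note that the keytab is then stored in the Helm release values; supply it from a pre-encoded file (e.g. --set-file) or a secrets manager rather than committing it to a values file.` gives the operational caveat users need. Lines 158–159 leave two consecutive bare `#` separator lines, one of which is redundant. It would also help to state which of the two mechanisms wins when both a pre-created Secret and `keytabBase64Content` are present, since the template alone does not make that obvious.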