Posted to commits@airflow.apache.org by po...@apache.org on 2021/11/05 17:05:21 UTC
[airflow] branch main updated: Allow specifying kerberos keytab in
the chart (#19054)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4b0aeb9 Allow specifying kerberos keytab in the chart (#19054)
4b0aeb9 is described below
commit 4b0aeb926c055fc36740363d6e438ab7c2165d71
Author: Aakcht <aa...@gmail.com>
AuthorDate: Fri Nov 5 20:03:47 2021 +0300
Allow specifying kerberos keytab in the chart (#19054)
---
chart/templates/secrets/kerberos-keytab.yaml | 35 ++++++++++++++++++++++++++
chart/templates/workers/worker-deployment.yaml | 1 +
chart/tests/test_kerberos.py | 35 +++++++++++++++++++++++++-
chart/values.schema.json | 8 ++++++
chart/values.yaml | 6 +++++
5 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/chart/templates/secrets/kerberos-keytab.yaml b/chart/templates/secrets/kerberos-keytab.yaml
new file mode 100644
index 0000000..e41a9e2
--- /dev/null
+++ b/chart/templates/secrets/kerberos-keytab.yaml
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{ if .Values.kerberos.keytabBase64Content }}
+apiVersion: v1
+metadata:
+ name: {{ include "kerberos_keytab_secret" . | quote }}
+ labels:
+ tier: airflow
+ component: webserver
+ release: {{ .Release.Name }}
+ chart: {{ .Chart.Name }}
+ heritage: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+ kerberos.keytab: {{ .Values.kerberos.keytabBase64Content }}
+kind: Secret
+type: Opaque
+{{ end }}
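Review bot: The opening guard `{{ if .Values.kerberos.keytabBase64Content }}` creates the Secret whenever the value is set, regardless of `kerberos.enabled`, so a keytab left in a values file keeps being materialized in the namespace after Kerberos is switched off; gating on both, `{{ if and .Values.kerberos.enabled .Values.kerberos.keytabBase64Content }}`, keeps the key material out of the cluster when nothing consumes it. The `component: webserver` label looks inconsistent with this commit wiring the checksum annotation only into the worker deployment — presumably the workers' kerberos sidecar is the consumer, so a component such as `worker` or `kerberos` would describe the Secret more honestly; confirm against the existing volume definitions. The `kerberos.keytab:` value is emitted unquoted; `{{ .Values.kerberos.keytabBase64Content | quote }}` keeps YAML from reinterpreting a user-supplied scalar (one that happens to look numeric, for instance) before it reaches the API server.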
diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml
index de6b4c6..666ba06 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -68,6 +68,7 @@ spec:
checksum/result-backend-secret: {{ include (print $.Template.BasePath "/secrets/result-backend-connection-secret.yaml") . | sha256sum }}
checksum/pgbouncer-config-secret: {{ include (print $.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
checksum/webserver-secret-key: {{ include (print $.Template.BasePath "/secrets/webserver-secret-key-secret.yaml") . | sha256sum }}
+ checksum/kerberos-keytab: {{ include (print $.Template.BasePath "/secrets/kerberos-keytab.yaml") . | sha256sum }}
checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
checksum/extra-configmaps: {{ include (print $.Template.BasePath "/configmaps/extra-configmaps.yaml") . | sha256sum }}
checksum/extra-secrets: {{ include (print $.Template.BasePath "/secrets/extra-secrets.yaml") . | sha256sum }}
diff --git a/chart/tests/test_kerberos.py b/chart/tests/test_kerberos.py
index fbf8e70..b3ffb7d 100644
--- a/chart/tests/test_kerberos.py
+++ b/chart/tests/test_kerberos.py
@@ -31,7 +31,7 @@ class KerberosTest(unittest.TestCase):
obj for obj in k8s_objects if obj["metadata"]["name"] != "NO-KERBEROS-airflow-config"
]
k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider)
- assert "kerberos" not in k8s_objects_to_consider_str
+ assert k8s_objects_to_consider_str.count("kerberos") == 1
def test_kerberos_envs_available_in_worker_with_persistence(self):
docs = render_chart(
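Review bot: Replacing the `not in` assertion with `.count("kerberos") == 1` weakens the test: it tolerates exactly one occurrence without saying which one, so it would still pass if the expected occurrence vanished and an unrelated kerberos reference leaked into a non-kerberos object. Name the tolerated occurrence explicitly instead, e.g. `assert "checksum/kerberos-keytab" in k8s_objects_to_consider_str` followed by `assert "kerberos" not in k8s_objects_to_consider_str.replace("checksum/kerberos-keytab", "")` — presumably the worker-deployment annotation added in this commit is the single hit, but that is not visible from the hunk. The test method begins before this hunk.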
@@ -95,3 +95,36 @@ class KerberosTest(unittest.TestCase):
show_only=["templates/workers/worker-deployment.yaml"],
)
assert jmespath.search("spec.template.spec.containers[0].resources", docs[0]) == {}
+
+ def test_kerberos_keytab_secret_available(self):
+ docs = render_chart(
+ values={
+ "executor": "CeleryExecutor",
+ "kerberos": {
+ "enabled": True,
+ "keytabBase64Content": "dGVzdGtleXRhYg==",
+ "configPath": "/etc/krb5.conf",
+ "ccacheMountPath": "/var/kerberos-ccache",
+ "ccacheFileName": "ccache",
+ },
+ },
+ show_only=["templates/secrets/kerberos-keytab.yaml"],
+ )
+
+ assert jmespath.search('data."kerberos.keytab"', docs[0]) == "dGVzdGtleXRhYg=="
+
+ def test_kerberos_keytab_secret_unavailable_when_not_specified(self):
+ docs = render_chart(
+ values={
+ "executor": "CeleryExecutor",
+ "kerberos": {
+ "enabled": True,
+ "configPath": "/etc/krb5.conf",
+ "ccacheMountPath": "/var/kerberos-ccache",
+ "ccacheFileName": "ccache",
+ },
+ },
+ show_only=["templates/secrets/kerberos-keytab.yaml"],
+ )
+
+ assert 0 == len(docs)
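Review bot: `test_kerberos_keytab_secret_available` only inspects `data`, but the property the chart depends on is that the rendered Secret carries the name the worker volume references, so it should also assert `metadata.name` (and `kind`/`type`), e.g. `assert jmespath.search("metadata.name", docs[0]) == "RELEASE-NAME-kerberos-keytab"` — the exact prefix depends on `render_chart`'s default release name, which is not visible here. There is also no case for `kerberos.enabled: False` with `keytabBase64Content` set; whichever behaviour is intended (render or skip the Secret) deserves a pinning test, since the template's guard decides whether key material is created for a disabled feature. Finally, the Yoda-style `assert 0 == len(docs)` reads more naturally as `assert docs == []`.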
diff --git a/chart/values.schema.json b/chart/values.schema.json
index d847a3d..3f5cdc2 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -862,6 +862,14 @@
"type": "string",
"default": "/etc/krb5.conf"
},
+ "keytabBase64Content": {
+ "description": "Kerberos keytab base64 encoded content.",
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": null
+ },
"keytabPath": {
"description": "Path to mount the keytab for refreshing credentials in the kerberos sidecar.",
"type": "string",
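Review bot: The new property accepts any string, so a keytab pasted raw, or a file path given by mistake, passes schema validation and only fails later when the API server rejects the non-base64 `data` value; adding `"pattern": "^[A-Za-z0-9+/]*={0,2}$"` makes `helm install` fail early with a clear schema error (relax it to allow whitespace if wrapped `base64` output is meant to be accepted). The description could also state where the value ends up, e.g. `"Base64-encoded Kerberos keytab. Rendered into the kerberos-keytab Secret; the value is also retained in the Helm release values."`, so users understand it is not a one-way drop.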
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c5b04c..b558a93 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -327,11 +327,17 @@ webserverSecretKeySecretName: ~
#
# kubectl create secret generic {{ .Release.name }}-kerberos-keytab --from-file=kerberos.keytab
#
+#
+# Alternatively, instead of manually creating the secret, it is possible to specify
+# kerberos.keytabBase64Content parameter. This parameter should contain base64 encoded keytab.
+#
+
kerberos:
enabled: false
ccacheMountPath: /var/kerberos-ccache
ccacheFileName: cache
configPath: /etc/krb5.conf
+ keytabBase64Content: ~
keytabPath: /etc/airflow.keytab
principal: airflow@FOO.COM
reinitFrequency: 3600
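Review bot: The new comment should spell out the trade-off of passing the keytab through values: it then sits in clear in every values file that carries it (including anything committed or handed to CI) and is retrievable from the cluster with `helm get values`, so the pre-created Secret described just above remains the safer option where that exposure matters. Suggested wording after the existing sentence: `# Note: the keytab is then kept in your values file and in the Helm release (visible via 'helm get values'); prefer the pre-created Secret where that is a concern, or pass the value with --set-file from a base64-encoded file rather than inlining it.` The bare `#` lines before and after the new paragraph look like leftovers and can be dropped.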