Posted to commits@airflow.apache.org by di...@apache.org on 2020/08/07 14:36:03 UTC
[airflow] branch v1-10-test updated: Allows secrets with mounts in
init containers
This is an automated email from the ASF dual-hosted git repository.
dimberman pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v1-10-test by this push:
new 9b89f07 Allows secrets with mounts in init containers
9b89f07 is described below
commit 9b89f074f57c5cf58535ffc2341db950a48e8b6e
Author: Daniel Imberman <da...@gmail.com>
AuthorDate: Fri Aug 7 07:33:23 2020 -0700
Allows secrets with mounts in init containers
(cherry picked from commit aecb978cd89066557270b8cbc6e73e89dd96b84a)
---
airflow/contrib/kubernetes/pod.py | 5 ++++-
airflow/kubernetes/secret.py | 19 ++++++++++++-------
tests/kubernetes/models/test_pod.py | 10 ++++++++++
3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/airflow/contrib/kubernetes/pod.py b/airflow/contrib/kubernetes/pod.py
index 0ce5800..2d24876 100644
--- a/airflow/contrib/kubernetes/pod.py
+++ b/airflow/contrib/kubernetes/pod.py
@@ -306,4 +306,7 @@ def _extract_volumes_and_secrets(volumes, volume_mounts):
def _extract_volume_secret(volume, volume_mount):
if not volume.secret:
return None
- return Secret("volume", volume_mount.mount_path, volume.name, volume.secret.secret_name)
+ if volume_mount:
+ Secret("volume", volume_mount.mount_path, volume.name, volume.secret.secret_name)
+ else:
+ Secret("volume", None, volume.name, volume.secret.secret_name)
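Review bot: Both new branches in `_extract_volume_secret` build a `Secret` and discard it, so as shown the function returns `None` for every volume, including the ones that returned a `Secret` before this change. The `return` from the removed line should be kept, e.g. `return Secret("volume", volume_mount.mount_path if volume_mount else None, volume.name, volume.secret.secret_name)`. If `_extract_volumes_and_secrets` (outside this hunk) collects these results, secret volumes would presumably be dropped from the converted pod silently rather than failing loudly. A test that asserts on the returned `Secret` for both the mounted and the unmounted case would catch this.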
diff --git a/airflow/kubernetes/secret.py b/airflow/kubernetes/secret.py
index 9ff1927..eeacdad 100644
--- a/airflow/kubernetes/secret.py
+++ b/airflow/kubernetes/secret.py
@@ -84,6 +84,14 @@ class Secret(K8SModel):
def to_volume_secret(self):
import kubernetes.client.models as k8s
vol_id = 'secretvol{}'.format(uuid.uuid4())
+ if self.deploy_target:
+ volume_mount = k8s.V1VolumeMount(
+ mount_path=self.deploy_target,
+ name=vol_id,
+ read_only=True
+ )
+ else:
+ volume_mount = None
return (
k8s.V1Volume(
name=vol_id,
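Review bot: When `deploy_target` is unset the volume is still named `secretvol<uuid4>`, so no caller knows the name a container would have to mount. The test in this commit mounts `init-volume-secret` in the init container while the generated volume carries a `secretvol…` name. `to_volume_secret` should get a docstring stating that the second tuple element is `None` when `deploy_target` is falsy, and the `if volume_mount:` guard in `attach_to_pod` a comment such as `# no deploy_target: attach the volume only; the caller must mount it`. `if self.deploy_target:` also treats an empty string as "no mount", and `is not None` would be stricter if that distinction matters. The method body continues in the next hunk.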
@@ -91,11 +99,7 @@ class Secret(K8SModel):
secret_name=self.secret
)
),
- k8s.V1VolumeMount(
- mount_path=self.deploy_target,
- name=vol_id,
- read_only=True
- )
+ volume_mount
)
def attach_to_pod(self, pod):
@@ -104,8 +108,9 @@ class Secret(K8SModel):
volume, volume_mount = self.to_volume_secret()
cp_pod.spec.volumes = pod.spec.volumes or []
cp_pod.spec.volumes.append(volume)
- cp_pod.spec.containers[0].volume_mounts = pod.spec.containers[0].volume_mounts or []
- cp_pod.spec.containers[0].volume_mounts.append(volume_mount)
+ if volume_mount:
+ cp_pod.spec.containers[0].volume_mounts = pod.spec.containers[0].volume_mounts or []
+ cp_pod.spec.containers[0].volume_mounts.append(volume_mount)
if self.deploy_type == 'env' and self.key is not None:
env = self.to_env_secret()
cp_pod.spec.containers[0].env = cp_pod.spec.containers[0].env or []
diff --git a/tests/kubernetes/models/test_pod.py b/tests/kubernetes/models/test_pod.py
index 8de33bf..8a89da0 100644
--- a/tests/kubernetes/models/test_pod.py
+++ b/tests/kubernetes/models/test_pod.py
@@ -98,11 +98,16 @@ class TestPod(unittest.TestCase):
request_cpu="100Mi",
limit_gpu="100G"
),
+ init_containers=k8s.V1Container(
+ name="test-container",
+ volume_mounts=k8s.V1VolumeMount(mount_path="/foo/bar", name="init-volume-secret")
+ ),
volumes=[
Volume(name="foo", configs={}),
{"name": "bar", 'secret': {'secretName': 'volume-secret'}}
],
secrets=[
+ Secret("volume", None, "init-volume-secret"),
Secret('env', "AIRFLOW_SECRET", 'secret_name', "airflow_config"),
Secret("volume", "/opt/airflow", "volume-secret", "secret-key")
],
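Review bot: The fixture passes a single `k8s.V1Container` to `init_containers` and a single `k8s.V1VolumeMount` to `volume_mounts`, where the Kubernetes client models declare both fields as lists. The expected output in the next hunk repeats this with dict-valued `'initContainers'` and `'volumeMounts'`. Wrapping both in lists (`init_containers=[k8s.V1Container(...)]`, `volume_mounts=[k8s.V1VolumeMount(...)]`) would make the test pin a shape a cluster accepts. The init-container mount also omits `read_only=True`, which the mount built in `Secret.to_volume_secret` sets, so adding it here keeps the example consistent for secret material.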
@@ -137,11 +142,16 @@ class TestPod(unittest.TestCase):
'name': 'secretvol' + str(static_uuid),
'readOnly': True}]}],
'hostNetwork': False,
+ 'initContainers': {'name': 'test-container',
+ 'volumeMounts': {'mountPath': '/foo/bar',
+ 'name': 'init-volume-secret'}},
'securityContext': {},
'tolerations': [],
'volumes': [{'name': 'foo'},
{'name': 'bar',
'secret': {'secretName': 'volume-secret'}},
+ {'name': 'secretvolcf4a56d2-8101-4217-b027-2af6216feb48',
+ 'secret': {'secretName': 'init-volume-secret'}},
{'name': 'secretvol' + str(static_uuid),
'secret': {'secretName': 'volume-secret'}}
]}}
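Review bot: The added expected volume name hard-codes `'secretvolcf4a56d2-8101-4217-b027-2af6216feb48'` while the neighbouring entries use `'secretvol' + str(static_uuid)`. The literal is presumably the same patched UUID, so `'name': 'secretvol' + str(static_uuid),` would keep the value in one place. As written, changing `static_uuid` would break only this entry.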