Posted to commits@airflow.apache.org by di...@apache.org on 2020/08/07 14:36:03 UTC

[airflow] branch v1-10-test updated: Allows secrets with mounts in init containers

This is an automated email from the ASF dual-hosted git repository.

dimberman pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v1-10-test by this push:
     new 9b89f07  Allows secrets with mounts in init containers
9b89f07 is described below

commit 9b89f074f57c5cf58535ffc2341db950a48e8b6e
Author: Daniel Imberman <da...@gmail.com>
AuthorDate: Fri Aug 7 07:33:23 2020 -0700

    Allows secrets with mounts in init containers
    
    (cherry picked from commit aecb978cd89066557270b8cbc6e73e89dd96b84a)
---
 airflow/contrib/kubernetes/pod.py   |  5 ++++-
 airflow/kubernetes/secret.py        | 19 ++++++++++++-------
 tests/kubernetes/models/test_pod.py | 10 ++++++++++
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/airflow/contrib/kubernetes/pod.py b/airflow/contrib/kubernetes/pod.py
index 0ce5800..2d24876 100644
--- a/airflow/contrib/kubernetes/pod.py
+++ b/airflow/contrib/kubernetes/pod.py
@@ -306,4 +306,7 @@ def _extract_volumes_and_secrets(volumes, volume_mounts):
 def _extract_volume_secret(volume, volume_mount):
     if not volume.secret:
         return None
-    return Secret("volume", volume_mount.mount_path, volume.name, volume.secret.secret_name)
+    if volume_mount:
+        Secret("volume", volume_mount.mount_path, volume.name, volume.secret.secret_name)
+    else:
+        Secret("volume", None, volume.name, volume.secret.secret_name)
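Review bot: Both new branches of `_extract_volume_secret` build a `Secret` and discard it, so the function now returns `None` for every secret-backed volume, where the removed line returned the object. Restore the return in one expression: `return Secret("volume", volume_mount.mount_path if volume_mount else None, volume.name, volume.secret.secret_name)`. The caller `_extract_volumes_and_secrets` is outside the hunk, but it presumably collects these results, in which case secret volumes would be dropped during conversion without any error. The test changes shown in this commit do not exercise this function, so a regression test for both the mounted and the mount-less case would be worth adding.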
diff --git a/airflow/kubernetes/secret.py b/airflow/kubernetes/secret.py
index 9ff1927..eeacdad 100644
--- a/airflow/kubernetes/secret.py
+++ b/airflow/kubernetes/secret.py
@@ -84,6 +84,14 @@ class Secret(K8SModel):
     def to_volume_secret(self):
         import kubernetes.client.models as k8s
         vol_id = 'secretvol{}'.format(uuid.uuid4())
+        if self.deploy_target:
+            volume_mount = k8s.V1VolumeMount(
+                mount_path=self.deploy_target,
+                name=vol_id,
+                read_only=True
+            )
+        else:
+            volume_mount = None
         return (
             k8s.V1Volume(
                 name=vol_id,
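Review bot: When `deploy_target` is falsy the volume is still named from `uuid.uuid4()` (`vol_id`), so a caller has no stable name to use in an init container's own `volume_mounts`. The test added in this commit mounts `init-volume-secret`, which is the secret name, while the expected volume is named `secretvol<uuid>`. Kubernetes matches a mount to a volume by volume name, so that pod would likely be rejected or leave the secret unmounted. At minimum, document the contract on `to_volume_secret`, e.g. `# No deploy_target: only the volume is attached; the caller mounts it and must know its name`, and consider a predictable volume name for this case. The `read_only=True` setting applies only to the mount built here, not to mounts a caller writes for an init container; the method body continues in the next hunk.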
@@ -91,11 +99,7 @@ class Secret(K8SModel):
                     secret_name=self.secret
                 )
             ),
-            k8s.V1VolumeMount(
-                mount_path=self.deploy_target,
-                name=vol_id,
-                read_only=True
-            )
+            volume_mount
         )
 
     def attach_to_pod(self, pod):
@@ -104,8 +108,9 @@ class Secret(K8SModel):
             volume, volume_mount = self.to_volume_secret()
             cp_pod.spec.volumes = pod.spec.volumes or []
             cp_pod.spec.volumes.append(volume)
-            cp_pod.spec.containers[0].volume_mounts = pod.spec.containers[0].volume_mounts or []
-            cp_pod.spec.containers[0].volume_mounts.append(volume_mount)
+            if volume_mount:
+                cp_pod.spec.containers[0].volume_mounts = pod.spec.containers[0].volume_mounts or []
+                cp_pod.spec.containers[0].volume_mounts.append(volume_mount)
         if self.deploy_type == 'env' and self.key is not None:
             env = self.to_env_secret()
             cp_pod.spec.containers[0].env = cp_pod.spec.containers[0].env or []
diff --git a/tests/kubernetes/models/test_pod.py b/tests/kubernetes/models/test_pod.py
index 8de33bf..8a89da0 100644
--- a/tests/kubernetes/models/test_pod.py
+++ b/tests/kubernetes/models/test_pod.py
@@ -98,11 +98,16 @@ class TestPod(unittest.TestCase):
                 request_cpu="100Mi",
                 limit_gpu="100G"
             ),
+            init_containers=k8s.V1Container(
+                name="test-container",
+                volume_mounts=k8s.V1VolumeMount(mount_path="/foo/bar", name="init-volume-secret")
+            ),
             volumes=[
                 Volume(name="foo", configs={}),
                 {"name": "bar", 'secret': {'secretName': 'volume-secret'}}
             ],
             secrets=[
+                Secret("volume", None, "init-volume-secret"),
                 Secret('env', "AIRFLOW_SECRET", 'secret_name', "airflow_config"),
                 Secret("volume", "/opt/airflow", "volume-secret", "secret-key")
             ],
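Review bot: `init_containers` is given a single `k8s.V1Container` and its `volume_mounts` a single `k8s.V1VolumeMount`, but both fields are lists in the Kubernetes pod spec. The expected output later in this file (`'initContainers': {...}`) pins the same non-list shape. Wrapping both values, `init_containers=[k8s.V1Container(name="test-container", volume_mounts=[...])]`, and updating the expected dict to match would make the test describe a pod the API server could accept. The enclosing test method starts and ends outside the hunk.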
@@ -137,11 +142,16 @@ class TestPod(unittest.TestCase):
                                                        'name': 'secretvol' + str(static_uuid),
                                                         'readOnly': True}]}],
                       'hostNetwork': False,
+                      'initContainers': {'name': 'test-container',
+                                         'volumeMounts': {'mountPath': '/foo/bar',
+                                                          'name': 'init-volume-secret'}},
                       'securityContext': {},
                       'tolerations': [],
                       'volumes': [{'name': 'foo'},
                                   {'name': 'bar',
                                    'secret': {'secretName': 'volume-secret'}},
+                                  {'name': 'secretvolcf4a56d2-8101-4217-b027-2af6216feb48',
+                                   'secret': {'secretName': 'init-volume-secret'}},
                                   {'name': 'secretvol' + str(static_uuid),
                                    'secret': {'secretName': 'volume-secret'}}
                                   ]}}
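Review bot: The new expected volume name is the literal `'secretvolcf4a56d2-8101-4217-b027-2af6216feb48'`, while the neighbouring entries use `'secretvol' + str(static_uuid)`. If the literal is the same patched UUID, write it as `{'name': 'secretvol' + str(static_uuid), ...}` so the assertion does not silently drift from the fixture. `static_uuid` is defined outside the hunk, so confirm the two values match.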