Posted to commits@airflow.apache.org by je...@apache.org on 2022/04/08 19:38:42 UTC

[airflow] branch main updated: Add securityContext config for Redis to helm chart (#22182)

This is an automated email from the ASF dual-hosted git repository.

jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 5ec0bab053 Add securityContext config for Redis to helm chart (#22182)
5ec0bab053 is described below

commit 5ec0bab053434319f066a6da25d58bdfef67bc6c
Author: Dan Vaughan <82...@users.noreply.github.com>
AuthorDate: Fri Apr 8 20:38:32 2022 +0100

    Add securityContext config for Redis to helm chart (#22182)
    
    Co-authored-by: Jed Cunningham <je...@apache.org>
---
 chart/templates/redis/redis-statefulset.yaml |  2 ++
 chart/values.schema.json                     | 18 ++++++++++++++++++
 chart/values.yaml                            |  7 +++++++
 tests/charts/test_security_context.py        | 20 +++++++++++++++-----
 4 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/chart/templates/redis/redis-statefulset.yaml b/chart/templates/redis/redis-statefulset.yaml
index 044eedb0bf..e96fa88f5e 100644
--- a/chart/templates/redis/redis-statefulset.yaml
+++ b/chart/templates/redis/redis-statefulset.yaml
@@ -22,6 +22,7 @@
 {{- $nodeSelector := or .Values.redis.nodeSelector .Values.nodeSelector }}
 {{- $affinity := or .Values.redis.affinity .Values.affinity }}
 {{- $tolerations := or .Values.redis.tolerations .Values.tolerations }}
+{{- $securityContext := include "localSecurityContext" .Values.redis }}
 kind: StatefulSet
 apiVersion: apps/v1
 metadata:
@@ -67,6 +68,7 @@ spec:
       imagePullSecrets:
         - name: {{ template "registry_secret" . }}
       {{- end }}
+      securityContext: {{ $securityContext | nindent 8 }}
       containers:
         - name: redis
           image: {{ template "redis_image" . }}
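Review bot: The pod-level `securityContext` added before `containers:` is rendered unconditionally, and with the chart default `redis.uid: 0` introduced in this same commit the Redis pod will presumably keep running as root unless a deployer sets `redis.uid` or `redis.securityContext`; nothing in the template records that. A short template comment above the new line would make the default visible to anyone reading the rendered manifest source, e.g. `{{- /* Pod securityContext from redis.securityContext, falling back to redis.uid (chart default 0) — see values.yaml */ }}`. The exact fallback order is inferred from the values.yaml comment and tests in this commit rather than from the `localSecurityContext` helper, which is outside the diff, so confirm against the helper. The enclosing `spec` block starts and ends outside this hunk.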
diff --git a/chart/values.schema.json b/chart/values.schema.json
index dc9c978cc0..5baa5a6f2d 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -3774,6 +3774,24 @@
                             }
                         }
                     }
+                },
+                "securityContext": {
+                    "description": "Security context for the cleanup job pod. If not set, the values from `securityContext` will be used.",
+                    "type": "object",
+                    "$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+                    "default": {},
+                    "examples": [
+                        {
+                            "runAsUser": 999,
+                            "runAsGroup": 0,
+                            "fsGroup": 0
+                        }
+                    ]
+                },
+                "uid": {
+                    "description": "Redis run as user parameter.",
+                    "type": "integer",
+                    "default": 0
                 }
             }
         },
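Review bot: The new `securityContext` description reads "Security context for the cleanup job pod", which looks like a copy-paste from another component; the sibling `uid` entry and the surrounding `redis` section show this is the Redis pod. It also states the fallback is the top-level `securityContext`, while the values.yaml hunk in this commit says "If not set, `redis.uid` will be used" — the two documents disagree and only one can match the helper's behaviour. Assuming the values.yaml comment is the accurate one, the line should become `"description": "Security context for the Redis pod. If not set, `redis.uid` will be used."`; otherwise fix the values.yaml comment instead. The enclosing JSON object begins and ends outside this hunk.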
diff --git a/chart/values.yaml b/chart/values.yaml
index 10532b52c9..2f06f98f67 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1329,6 +1329,13 @@ redis:
   affinity: {}
   tolerations: []
 
+  # Set to 0 for backwards-compatiblity
+  uid: 0
+  # If not set, `redis.uid` will be used
+  securityContext: {}
+  #  runAsUser: 999
+  #  runAsGroup: 0
+
 # Auth secret for a private registry
 # This is used if pulling airflow images from a private registry
 registry:
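Review bot: The comment on the new `uid: 0` line has a typo ("backwards-compatiblity") and does not say what the value means for the running pod; since 0 is the root uid, a reader scanning values.yaml for hardening should see that the default keeps Redis as root. Suggested wording: `# Set to 0 for backwards-compatibility; this is uid 0 (root) unless overridden here or via redis.securityContext`. The relationship between `uid` and `runAsUser` is inferred from the neighbouring "If not set, `redis.uid` will be used" comment and the tests in this commit, so verify it against the `localSecurityContext` helper before committing to the wording. The enclosing `redis:` mapping starts before this hunk.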
diff --git a/tests/charts/test_security_context.py b/tests/charts/test_security_context.py
index aefccf7a50..e7ce43bd57 100644
--- a/tests/charts/test_security_context.py
+++ b/tests/charts/test_security_context.py
@@ -139,6 +139,7 @@ class TestSecurityContext:
                 "createUserJob": {**component_contexts},
                 "migrateDatabaseJob": {**component_contexts},
                 "triggerer": {**component_contexts},
+                "redis": {**component_contexts},
                 "statsd": {"enabled": True, **component_contexts},
                 "airflowVersion": "2.2.0",
                 "executor": "CeleryKubernetesExecutor",
@@ -152,6 +153,7 @@ class TestSecurityContext:
                 "templates/jobs/create-user-job.yaml",
                 "templates/jobs/migrate-database-job.yaml",
                 "templates/statsd/statsd-deployment.yaml",
+                "templates/redis/redis-statefulset.yaml",
             ],
         )
 
@@ -160,14 +162,22 @@ class TestSecurityContext:
             assert 9000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[index])
             assert 90 == jmespath.search("spec.template.spec.securityContext.fsGroup", docs[index])
 
-    # Test containerSecurity priority over uid under statsd
-    def test_check_statsd_uid(self):
+    # Test containerSecurity priority over uid under components using localSecurityContext
+    def test_check_local_uid(self):
+        component_contexts = {"uid": 3000, "securityContext": {"runAsUser": 7000}}
         docs = render_chart(
-            values={"statsd": {"enabled": True, "uid": 3000, "securityContext": {"runAsUser": 7000}}},
-            show_only=["templates/statsd/statsd-deployment.yaml"],
+            values={
+                "redis": {**component_contexts},
+                "statsd": {"enabled": True, **component_contexts},
+            },
+            show_only=[
+                "templates/statsd/statsd-deployment.yaml",
+                "templates/redis/redis-statefulset.yaml",
+            ],
         )
 
-        assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+        for doc in docs:
+            assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", doc)
 
     # Test containerSecurity priority over uid under dags.gitSync
     def test_gitsync_sidecar_and_init_container(self):
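Review bot: `test_check_local_uid` now iterates `for doc in docs:` and asserts per document, so if one of the two `show_only` templates fails to render (or a path is misspelled) the loop simply runs fewer times and the test still passes; add `assert len(docs) == 2` before the loop so a missing Redis or statsd document is caught. The same pattern applies to the loop in the earlier hunk of this file at `docs[index]`, whose start lies outside the diff. The renamed comment on the `+` line, "Test containerSecurity priority over uid", still says "containerSecurity" although the assertions read the pod-level `spec.template.spec.securityContext`; `# Test securityContext priority over uid under components using localSecurityContext` would match what is asserted. The class `TestSecurityContext` continues past this hunk.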