Posted to commits@airflow.apache.org by je...@apache.org on 2022/04/08 19:38:42 UTC
[airflow] branch main updated: Add securityContext config for Redis to helm chart (#22182)
This is an automated email from the ASF dual-hosted git repository.
jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 5ec0bab053 Add securityContext config for Redis to helm chart (#22182)
5ec0bab053 is described below
commit 5ec0bab053434319f066a6da25d58bdfef67bc6c
Author: Dan Vaughan <82...@users.noreply.github.com>
AuthorDate: Fri Apr 8 20:38:32 2022 +0100
Add securityContext config for Redis to helm chart (#22182)
Co-authored-by: Jed Cunningham <je...@apache.org>
---
chart/templates/redis/redis-statefulset.yaml | 2 ++
chart/values.schema.json | 18 ++++++++++++++++++
chart/values.yaml | 7 +++++++
tests/charts/test_security_context.py | 20 +++++++++++++++-----
4 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/chart/templates/redis/redis-statefulset.yaml b/chart/templates/redis/redis-statefulset.yaml
index 044eedb0bf..e96fa88f5e 100644
--- a/chart/templates/redis/redis-statefulset.yaml
+++ b/chart/templates/redis/redis-statefulset.yaml
@@ -22,6 +22,7 @@
{{- $nodeSelector := or .Values.redis.nodeSelector .Values.nodeSelector }}
{{- $affinity := or .Values.redis.affinity .Values.affinity }}
{{- $tolerations := or .Values.redis.tolerations .Values.tolerations }}
+{{- $securityContext := include "localSecurityContext" .Values.redis }}
kind: StatefulSet
apiVersion: apps/v1
metadata:
@@ -67,6 +68,7 @@ spec:
imagePullSecrets:
- name: {{ template "registry_secret" . }}
{{- end }}
+ securityContext: {{ $securityContext | nindent 8 }}
containers:
- name: redis
image: {{ template "redis_image" . }}
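Review bot: The added `securityContext:` line sits at pod level (`spec.template.spec`), and the schema in this commit types the value as `PodSecurityContext`. Container-level hardening such as `allowPrivilegeEscalation: false`, dropped `capabilities` or `readOnlyRootFilesystem` therefore still cannot be set for the `redis` container through chart values. If that scope is intended, a short template comment next to the line would make it explicit, e.g. `{{/* pod-level only; the redis container securityContext is not configurable */}}`. The `localSecurityContext` helper is defined outside this hunk, so what it renders when only `uid` is set should be confirmed there.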
diff --git a/chart/values.schema.json b/chart/values.schema.json
index dc9c978cc0..5baa5a6f2d 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -3774,6 +3774,24 @@
}
}
}
+ },
+ "securityContext": {
+ "description": "Security context for the cleanup job pod. If not set, the values from `securityContext` will be used.",
+ "type": "object",
+ "$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+ "default": {},
+ "examples": [
+ {
+ "runAsUser": 999,
+ "runAsGroup": 0,
+ "fsGroup": 0
+ }
+ ]
+ },
+ "uid": {
+ "description": "Redis run as user parameter.",
+ "type": "integer",
+ "default": 0
}
}
},
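Review bot: The `description` of the new redis `securityContext` property says "Security context for the cleanup job pod" and names `securityContext` as the fallback, which looks copied from another component. The values.yaml hunk of this same commit states that the fallback is `redis.uid`. Suggested wording: "Security context for the redis pod. If not set, the value from redis.uid will be used." The `uid` description could also state that the default `0` is root, for example "Redis run as user parameter (0 = root).", since operators read this schema text when validating their values.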
diff --git a/chart/values.yaml b/chart/values.yaml
index 10532b52c9..2f06f98f67 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1329,6 +1329,13 @@ redis:
affinity: {}
tolerations: []
+ # Set to 0 for backwards-compatiblity
+ uid: 0
+ # If not set, `redis.uid` will be used
+ securityContext: {}
+ # runAsUser: 999
+ # runAsGroup: 0
+
# Auth secret for a private registry
# This is used if pulling airflow images from a private registry
registry:
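Review bot: The default `uid: 0` means the Redis pod runs as root unless the operator overrides it, and the comment above it does not say so. This assumes `localSecurityContext`, which is not visible here, maps `uid` to `runAsUser`. I would spell out the trade-off: `# Defaults to 0 (root) for backwards-compatibility; set a non-root UID (e.g. 999) or redis.securityContext.runAsUser to harden`, which also fixes the "compatiblity" typo. The commented example keeps `runAsGroup: 0`; it is worth confirming whether the root group is actually required, and saying why in the comment if it is.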
diff --git a/tests/charts/test_security_context.py b/tests/charts/test_security_context.py
index aefccf7a50..e7ce43bd57 100644
--- a/tests/charts/test_security_context.py
+++ b/tests/charts/test_security_context.py
@@ -139,6 +139,7 @@ class TestSecurityContext:
"createUserJob": {**component_contexts},
"migrateDatabaseJob": {**component_contexts},
"triggerer": {**component_contexts},
+ "redis": {**component_contexts},
"statsd": {"enabled": True, **component_contexts},
"airflowVersion": "2.2.0",
"executor": "CeleryKubernetesExecutor",
@@ -152,6 +153,7 @@ class TestSecurityContext:
"templates/jobs/create-user-job.yaml",
"templates/jobs/migrate-database-job.yaml",
"templates/statsd/statsd-deployment.yaml",
+ "templates/redis/redis-statefulset.yaml",
],
)
@@ -160,14 +162,22 @@ class TestSecurityContext:
assert 9000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[index])
assert 90 == jmespath.search("spec.template.spec.securityContext.fsGroup", docs[index])
- # Test containerSecurity priority over uid under statsd
- def test_check_statsd_uid(self):
+ # Test containerSecurity priority over uid under components using localSecurityContext
+ def test_check_local_uid(self):
+ component_contexts = {"uid": 3000, "securityContext": {"runAsUser": 7000}}
docs = render_chart(
- values={"statsd": {"enabled": True, "uid": 3000, "securityContext": {"runAsUser": 7000}}},
- show_only=["templates/statsd/statsd-deployment.yaml"],
+ values={
+ "redis": {**component_contexts},
+ "statsd": {"enabled": True, **component_contexts},
+ },
+ show_only=[
+ "templates/statsd/statsd-deployment.yaml",
+ "templates/redis/redis-statefulset.yaml",
+ ],
)
- assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+ for doc in docs:
+ assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", doc)
# Test containerSecurity priority over uid under dags.gitSync
def test_gitsync_sidecar_and_init_container(self):
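Review bot: The `for doc in docs:` loop in `test_check_local_uid` still passes when `render_chart` returns fewer documents than the two templates listed in `show_only`. If the Redis StatefulSet were not rendered, for instance because it depends on the executor, which this test does not set, nobody would notice. Add `assert len(docs) == 2` before the loop. The comment above the test says "containerSecurity" although the assertion checks the pod-level `securityContext.runAsUser`; `# Test securityContext.runAsUser takes priority over uid for components using localSecurityContext` is more accurate. A companion case with only `uid` set for redis would cover the fallback path, unless one already exists outside this hunk.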