This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit a01bd324b11382f87f61c3ae1b96bdcc700c7f89 Author: Songkran Nethan <[email protected]> AuthorDate: Sun Nov 1 00:37:45 2020 +0700 Add Flower Authentication to Helm Chart (#11836) (cherry picked from commit 644ac1b06019bcd1c1c540373051c31b766efccf) --- chart/templates/_helpers.yaml | 4 ++ chart/templates/flower/flower-deployment.yaml | 29 +++++++++--- chart/templates/secrets/flower-secret.yaml | 36 ++++++++++++++ chart/tests/test_flower_authorization.py | 68 +++++++++++++++++++++++++++ chart/values.schema.json | 21 +++++++++ chart/values.yaml | 7 +++ 6 files changed, 159 insertions(+), 6 deletions(-) diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml index beb26a7..9914127 100644 --- a/chart/templates/_helpers.yaml +++ b/chart/templates/_helpers.yaml @@ -252,6 +252,10 @@ {{ default (printf "%s-elasticsearch" .Release.Name) .Values.elasticsearch.secretName }} {{- end }} +{{ define "flower_secret" -}} +{{ default (printf "%s-flower" .Release.Name) .Values.flower.secretName }} +{{- end }} + {{ define "kerberos_keytab_secret" -}} {{ .Release.Name }}-kerberos-keytab {{- end }} diff --git a/chart/templates/flower/flower-deployment.yaml b/chart/templates/flower/flower-deployment.yaml index 887b70d..c5d1f91 100644 --- a/chart/templates/flower/flower-deployment.yaml +++ b/chart/templates/flower/flower-deployment.yaml @@ -81,19 +81,36 @@ spec: containerPort: {{ .Values.ports.flowerUI }} livenessProbe: failureThreshold: 10 - httpGet: - path: / - port: {{ .Values.ports.flowerUI }} + exec: + command: + - curl + {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}} + - "--user" + - $AIRFLOW__CELERY__FLOWER_BASIC_AUTH + {{- end }} + - {{ printf "localhost:%s" (.Values.ports.flowerUI | toString) }} initialDelaySeconds: 10 periodSeconds: 5 readinessProbe: failureThreshold: 10 - httpGet: - path: / - port: {{ .Values.ports.flowerUI }} + exec: + command: + - curl + {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}} + - "--user" + - $AIRFLOW__CELERY__FLOWER_BASIC_AUTH + {{- end }} + - {{ printf "localhost:%s" (.Values.ports.flowerUI | toString) }} initialDelaySeconds: 10 periodSeconds: 5 env: + {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}} + - name: AIRFLOW__CELERY__FLOWER_BASIC_AUTH + valueFrom: + secretKeyRef: + name: {{ template "flower_secret" . }} + key: basicAuth + {{- end }} {{- include "standard_airflow_environment" . | indent 10 }} volumes: - name: config diff --git a/chart/templates/secrets/flower-secret.yaml b/chart/templates/secrets/flower-secret.yaml new file mode 100644 index 0000000..c88734d --- /dev/null +++ b/chart/templates/secrets/flower-secret.yaml @@ -0,0 +1,36 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +################################ +## Flower Secret +################################# +{{- if (and (not .Values.flower.secretName) .Values.flower.username .Values.flower.password) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ .Release.Name }}-flower + labels: + release: {{ .Release.Name }} + chart: {{ .Chart.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +type: Opaque +data: + basicAuth: {{ (printf "%s:%s" .Values.flower.username .Values.flower.password) | b64enc | quote }} +{{- end }} diff --git a/chart/tests/test_flower_authorization.py b/chart/tests/test_flower_authorization.py new file mode 100644 index 0000000..f0cc5b0 --- /dev/null +++ b/chart/tests/test_flower_authorization.py @@ -0,0 +1,68 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import unittest + +import jmespath +from tests.helm_template_generator import render_chart + + +class FlowerAuthorizationTest(unittest.TestCase): + def test_should_create_flower_deployment_with_authorization(self): + docs = render_chart( + values={ + "executor": "CeleryExecutor", + "flower": {"username": "flower", "password": "fl0w3r"}, + "ports": {"flowerUI": 7777}, + }, + show_only=["templates/flower/flower-deployment.yaml"], + ) + + self.assertEqual( + "AIRFLOW__CELERY__FLOWER_BASIC_AUTH", + jmespath.search("spec.template.spec.containers[0].env[0].name", docs[0]), + ) + self.assertEqual( + ['curl', '--user', '$AIRFLOW__CELERY__FLOWER_BASIC_AUTH', 'localhost:7777'], + jmespath.search("spec.template.spec.containers[0].livenessProbe.exec.command", docs[0]), + ) + self.assertEqual( + ['curl', '--user', '$AIRFLOW__CELERY__FLOWER_BASIC_AUTH', 'localhost:7777'], + jmespath.search("spec.template.spec.containers[0].readinessProbe.exec.command", docs[0]), + ) + + def test_should_create_flower_deployment_without_authorization(self): + docs = render_chart( + values={ + "executor": "CeleryExecutor", + "ports": {"flowerUI": 7777}, + }, + show_only=["templates/flower/flower-deployment.yaml"], + ) + + self.assertEqual( + "AIRFLOW__CORE__FERNET_KEY", + jmespath.search("spec.template.spec.containers[0].env[0].name", docs[0]), + ) + self.assertEqual( + ['curl', 'localhost:7777'], + jmespath.search("spec.template.spec.containers[0].livenessProbe.exec.command", docs[0]), + ) + self.assertEqual( + ['curl', 'localhost:7777'], + jmespath.search("spec.template.spec.containers[0].readinessProbe.exec.command", docs[0]), + ) diff --git a/chart/values.schema.json b/chart/values.schema.json index 2f25892..7881c82 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -784,6 +784,27 @@ "resources": { "type": "object" }, + "secretName": { + "description": "A secret containing the user and password pair.", + "type": [ + "string", + "null" + ] + }, + "username": { + "description": "Username use to access flower.", + "type": [ + "string", + "null" + ] + }, + "password": { + "description": "Password use to access flower.", + "type": [ + "string", + "null" + ] + }, "service": { "description": "Flower service configuration.", "type": "object", diff --git a/chart/values.yaml b/chart/values.yaml index 4855214..1e3b81f 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -409,6 +409,13 @@ flower: # cpu: 100m # memory: 128Mi + # A secret containing the connection + secretName: ~ + + # Else, if username and password are set, create secret from username and password + username: ~ + password: ~ + service: type: ClusterIP
