potiuk commented on issue #16684: URL: https://github.com/apache/airflow/issues/16684#issuecomment-869686798
I think this is actually very good that we cannot use _CMD from within Helm chart. I always thought of the _CMD pattern as one giving you false sense of security through obfuscation. The _CMD is really a poor and not-really-secure solution, that was introduced because in "classic" deployments you have no other possibilities. But I think that is not that useful in K8S where you have other ways to get secret values: static Secrets, but also for example dynamically generated secretes (https://www.hashicorp.com/blog/dynamic-database-credentials-with-vault-and-kubernetes for example). And it does not stop here. There might be cases where custom non-K8S integrated command might still be needed, but IMHO this would be much better to handle it via a custom sidecar that could share folder with secrets with Airflow and use https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/secrets-backend/local-filesystem-secrets-backend.html to read those. This has one huge advantage over _CMD pattern. Unlike the _CMD pattern, it is actually secure. The sidecar could have the "long living" authentication token that would be inaccessible to the rest of the airflow, and it could only share the "short-living" tokens with Airflow. This is not really possible with _CMD pattern - this is merely an obfuscation, because no matter what the command run via _CMD must have somewhere the long-living authentication and determined user in Airflow could always find it if they really try. With the side-car pattern, it's not really possible by Airflow user to get hold of the long-living authentication credential. Very similar pattern is implemented in Kerberos support for Airlfow Charet, where only Kerberos sidecar has access to the long-living credentials (keytab) and it only shares the short-term token in shared volume that Airflow can read. See https://github.com/apache/airflow/blob/98c12d49f37f6879e3e9fd926853f57a15ab761b/chart/values.yaml#L270 I think we should encourage our users to use the other available options rather than rely on _CMD variables. If anything, I'd describe the side-car pattern in Helm documentation as "recommended" approach of dynamically retrieving credentials. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
