[airflow] branch main updated: Add a new Airflow conf to specify a SSL ca cert for Kubernetes client (#30048)

potiuk Wed, 15 Mar 2023 15:26:57 -0700

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git



The following commit(s) were added to refs/heads/main by this push:
     new feab463757 Add a new Airflow conf to specify a SSL ca cert for 
Kubernetes client (#30048)
feab463757 is described below

commit feab4637571e445ef3316be75963bfa5c5bc71b2
Author: Hussein Awala <[email protected]>
AuthorDate: Wed Mar 15 23:26:43 2023 +0100

    Add a new Airflow conf to specify a SSL ca cert for Kubernetes client 
(#30048)
    
    
    
    ---------
    
    Co-authored-by: Tzu-ping Chung <[email protected]>
---
 airflow/config_templates/config.yml          |  7 +++++++
 airflow/config_templates/default_airflow.cfg |  3 +++
 airflow/kubernetes/kube_client.py            | 21 +++++++++++++++------
 tests/kubernetes/test_client.py              | 17 ++++++++++-------
 4 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/airflow/config_templates/config.yml 
b/airflow/config_templates/config.yml
index 38e5600f85..d13edbb300 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -2719,6 +2719,13 @@ kubernetes_executor:
       type: integer
       example: ~
       default: "100"
+    ssl_ca_cert:
+      description: |
+        Path to a CA certificate to be used by the Kubernetes client to verify 
the server's SSL certificate.
+      version_added: 2.6.0
+      type: string
+      example: ~
+      default: ""
 sensors:
   description: ~
   options:
diff --git a/airflow/config_templates/default_airflow.cfg 
b/airflow/config_templates/default_airflow.cfg
index ee9715fd7f..5d1115793d 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -1382,6 +1382,9 @@ worker_pods_queued_check_interval = 60
 # You may want this higher if you have a very large cluster and/or use 
``multi_namespace_mode``.
 worker_pods_pending_timeout_batch_size = 100
 
+# Path to a CA certificate to be used by the Kubernetes client to verify the 
server's SSL certificate.
+ssl_ca_cert =
+
 [sensors]
 # Sensor default timeout, 7 days by default (7 * 24 * 60 * 60).
 default_timeout = 604800
diff --git a/airflow/kubernetes/kube_client.py 
b/airflow/kubernetes/kube_client.py
index 1750d93d7c..7e887ae1ac 100644
--- a/airflow/kubernetes/kube_client.py
+++ b/airflow/kubernetes/kube_client.py
@@ -30,11 +30,13 @@ try:
 
     has_kubernetes = True
 
-    def _disable_verify_ssl() -> None:
+    def _get_default_configuration() -> Configuration:
         if hasattr(Configuration, "get_default_copy"):
-            configuration = Configuration.get_default_copy()
-        else:
-            configuration = Configuration()
+            return Configuration.get_default_copy()
+        return Configuration()
+
+    def _disable_verify_ssl() -> None:
+        configuration = _get_default_configuration()
         configuration.verify_ssl = False
         Configuration.set_default(configuration)
 
@@ -114,7 +116,14 @@ def get_kube_client(
             config_file = conf.get("kubernetes_executor", "config_file", 
fallback=None)
         config.load_kube_config(config_file=config_file, 
context=cluster_context)
 
+    configuration = _get_default_configuration()
+
     if not conf.getboolean("kubernetes_executor", "verify_ssl"):
-        _disable_verify_ssl()
+        configuration.verify_ssl = False
+
+    ssl_ca_cert = conf.get("kubernetes_executor", "ssl_ca_cert")
+    if ssl_ca_cert:
+        configuration.ssl_ca_cert = ssl_ca_cert
 
-    return client.CoreV1Api()
+    api_client = client.ApiClient(configuration=configuration)
+    return client.CoreV1Api(api_client)
diff --git a/tests/kubernetes/test_client.py b/tests/kubernetes/test_client.py
index d036218e15..26eda47952 100644
--- a/tests/kubernetes/test_client.py
+++ b/tests/kubernetes/test_client.py
@@ -42,14 +42,17 @@ class TestClient:
     @mock.patch("airflow.kubernetes.kube_client.conf")
     def test_load_config_disable_ssl(self, conf, config):
         conf.getboolean.return_value = False
-        get_kube_client(in_cluster=False)
+        client = get_kube_client(in_cluster=False)
         conf.getboolean.assert_called_with("kubernetes_executor", "verify_ssl")
-        # Support wide range of kube client libraries
-        if hasattr(Configuration, "get_default_copy"):
-            configuration = Configuration.get_default_copy()
-        else:
-            configuration = Configuration()
-        assert not configuration.verify_ssl
+        assert not client.api_client.configuration.verify_ssl
+
+    @mock.patch("airflow.kubernetes.kube_client.config")
+    @mock.patch("airflow.kubernetes.kube_client.conf")
+    def test_load_config_ssl_ca_cert(self, conf, config):
+        conf.get.return_value = "/path/to/ca.crt"
+        client = get_kube_client(in_cluster=False)
+        conf.get.assert_called_with("kubernetes_executor", "ssl_ca_cert")
+        assert client.api_client.configuration.ssl_ca_cert == "/path/to/ca.crt"
 
     def test_enable_tcp_keepalive(self):
         socket_options = [

[airflow] branch main updated: Add a new Airflow conf to specify a SSL ca cert for Kubernetes client (#30048)

Reply via email to