This is an automated email from the ASF dual-hosted git repository.
jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 0a93e2e28b Add support for securityContext in dag-processors
wait-for-migrations (#35593)
0a93e2e28b is described below
commit 0a93e2e28baa282e20e2a68dcb718e3708048a47
Author: shohamy7 <[email protected]>
AuthorDate: Tue Nov 14 02:21:36 2023 +0200
Add support for securityContext in dag-processors wait-for-migrations
(#35593)
---
.../dag-processor/dag-processor-deployment.yaml | 2 ++
chart/values.yaml | 3 +++
helm_tests/airflow_core/test_dag_processor.py | 23 ++++++++++++++++++++++
3 files changed, 28 insertions(+)
diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml
b/chart/templates/dag-processor/dag-processor-deployment.yaml
index 61cd3f56bc..24da3fca8e 100644
--- a/chart/templates/dag-processor/dag-processor-deployment.yaml
+++ b/chart/templates/dag-processor/dag-processor-deployment.yaml
@@ -29,6 +29,7 @@
{{- $revisionHistoryLimit := or .Values.dagProcessor.revisionHistoryLimit
.Values.revisionHistoryLimit }}
{{- $securityContext := include "airflowPodSecurityContext" (list .
.Values.dagProcessor) }}
{{- $containerSecurityContext := include "containerSecurityContext" (list .
.Values.dagProcessor) }}
+{{- $containerSecurityContextWaitForMigrations := include
"containerSecurityContext" (list . .Values.dagProcessor.waitForMigrations) }}
{{- $containerLifecycleHooks := or
.Values.dagProcessor.containerLifecycleHooks .Values.containerLifecycleHooks }}
apiVersion: apps/v1
kind: Deployment
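Review bot: The new `$containerSecurityContextWaitForMigrations` is resolved from `.Values.dagProcessor.waitForMigrations` alone, so a hardened `dagProcessor.securityContexts.container` set for the main container does not appear to carry over to the init container. The second hunk applies it with `securityContext: {{ $containerSecurityContextWaitForMigrations | nindent 12 }}`. What an unset value falls back to is decided inside the `containerSecurityContext` helper, which is not part of this diff, so the fallback should be confirmed and stated next to the new variable. A template comment above the added line would do, for example `{{- /* init container context is configured separately from dagProcessor.securityContexts.container; fallback comes from containerSecurityContext */ -}}`. The template continues outside both hunks.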
@@ -120,6 +121,7 @@ spec:
resources: {{- toYaml .Values.dagProcessor.resources | nindent 12 }}
image: {{ template "airflow_image_for_migrations" . }}
imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+ securityContext: {{ $containerSecurityContextWaitForMigrations |
nindent 12 }}
volumeMounts:
{{- if .Values.volumeMounts }}
{{- toYaml .Values.volumeMounts | nindent 12 }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 82a641480d..5e14e4029c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1671,6 +1671,9 @@ dagProcessor:
# Whether to create init container to wait for db migrations
enabled: true
env: []
+ # Detailed default security context for waitForMigrations for container
level
+ securityContexts:
+ container: {}
env: []
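Review bot: The added comment does not say what the `container: {}` default resolves to, which an operator hardening the chart needs to know before relying on it. With `{}`, the init container's securityContext comes entirely from the fallback in the `containerSecurityContext` helper, which this diff does not show. Once that fallback is confirmed, I would reword the comment along the lines of `# Container-level securityContext for the wait-for-migrations init container; {} defers to the chart-wide fallback, set it explicitly to harden this container`. The diffstat lists no schema file, so if the chart validates values against a schema, confirm the new key is declared there.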
diff --git a/helm_tests/airflow_core/test_dag_processor.py
b/helm_tests/airflow_core/test_dag_processor.py
index f77c646f55..7371469ca8 100644
--- a/helm_tests/airflow_core/test_dag_processor.py
+++ b/helm_tests/airflow_core/test_dag_processor.py
@@ -69,6 +69,29 @@ class TestDagProcessor:
)
assert actual is None
+ def test_wait_for_migration_security_contexts_are_configurable(self):
+ docs = render_chart(
+ values={
+ "dagProcessor": {
+ "enabled": True,
+ "waitForMigrations": {
+ "enabled": True,
+ "securityContexts": {
+ "container": {
+ "allowPrivilegeEscalation": False,
+ "readOnlyRootFilesystem": True,
+ },
+ },
+ },
+ },
+ },
+
show_only=["templates/dag-processor/dag-processor-deployment.yaml"],
+ )
+
+ assert {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem":
True} == jmespath.search(
+ "spec.template.spec.initContainers[0].securityContext", docs[0]
+ )
+
def test_should_add_extra_containers(self):
docs = render_chart(
values={
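Review bot: The new test reads `initContainers[0]`, so it silently checks a different container if another init container is ever rendered ahead of wait-for-migrations. Selecting by name is sturdier, e.g. `"spec.template.spec.initContainers[?name=='<init-container-name>'] | [0].securityContext"`, with the placeholder replaced by the name the template gives that container. The test also covers only the explicitly configured case. A second test that renders with `securityContexts` unset and asserts the resulting context would pin the default, which is the security-relevant behaviour for most installs. The trailing context lines belong to `test_should_add_extra_containers`, whose body continues outside the hunk.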