This is an automated email from the ASF dual-hosted git repository.
eladkal pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new b14dc6bceb add kerberos sidecar to pod-template-file (#38815)
b14dc6bceb is described below
commit b14dc6bceb58c54d622e09ed2897c033e8eed4e5
Author: rom sharon <[email protected]>
AuthorDate: Tue Apr 9 09:27:29 2024 +0300
add kerberos sidecar to pod-template-file (#38815)
---
chart/files/pod-template-file.kubernetes-helm-yaml | 109 ++++++++++++++++++++-
helm_tests/airflow_aux/test_pod_template_file.py | 55 +++++++++++
2 files changed, 162 insertions(+), 2 deletions(-)
diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml
b/chart/files/pod-template-file.kubernetes-helm-yaml
index 0c35d4ae2f..52acc99a90 100644
--- a/chart/files/pod-template-file.kubernetes-helm-yaml
+++ b/chart/files/pod-template-file.kubernetes-helm-yaml
@@ -22,6 +22,8 @@
{{- $tolerations := or .Values.workers.tolerations .Values.tolerations }}
{{- $topologySpreadConstraints := or .Values.workers.topologySpreadConstraints
.Values.topologySpreadConstraints }}
{{- $securityContext := include "airflowPodSecurityContext" (list .
.Values.workers) }}
+{{- $containerSecurityContextKerberosSidecar := include
"containerSecurityContext" (list . .Values.workers.kerberosSidecar) }}
+{{- $containerLifecycleHooksKerberosSidecar := or
.Values.workers.kerberosSidecar.containerLifecycleHooks
.Values.containerLifecycleHooks }}
{{- $containerSecurityContext := include "containerSecurityContext" (list .
.Values.workers) }}
{{- $containerLifecycleHooks := or .Values.workers.containerLifecycleHooks
.Values.containerLifecycleHooks }}
apiVersion: v1
@@ -40,12 +42,14 @@ metadata:
{{- if .Values.airflowPodAnnotations }}
{{- toYaml .Values.airflowPodAnnotations | nindent 4 }}
{{- end }}
+ {{- if .Values.workers.kerberosInitContainer.enabled }}
+ checksum/kerberos-keytab: {{ include (print $.Template.BasePath
"/secrets/kerberos-keytab-secret.yaml") . | sha256sum }}
+ {{- end }}
{{- if .Values.workers.podAnnotations }}
{{- toYaml .Values.workers.podAnnotations | nindent 4 }}
{{- end }}
{{- end }}
spec:
- {{- if or (and .Values.dags.gitSync.enabled (not
.Values.dags.persistence.enabled)) .Values.workers.extraInitContainers }}
initContainers:
{{- if and .Values.dags.gitSync.enabled (not
.Values.dags.persistence.enabled) }}
{{- include "git_sync_container" (dict "Values" .Values "is_init" "true"
"Template" .Template) | nindent 4 }}
@@ -53,7 +57,45 @@ spec:
{{- if .Values.workers.extraInitContainers }}
{{- toYaml .Values.workers.extraInitContainers | nindent 4 }}
{{- end }}
- {{- end }}
+ {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion)
.Values.workers.kerberosInitContainer.enabled }}
+ - name: kerberos-init
+ image: {{ template "airflow_image" . }}
+ imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+ args: ["kerberos", "-o"]
+ resources: {{- toYaml .Values.workers.kerberosInitContainer.resources |
nindent 8 }}
+ volumeMounts:
+ - name: logs
+ mountPath: {{ template "airflow_logs" . }}
+ {{- include "airflow_config_mount" . | nindent 8 }}
+ - name: config
+ mountPath: {{ .Values.kerberos.configPath | quote }}
+ subPath: krb5.conf
+ readOnly: true
+ - name: kerberos-keytab
+ subPath: "kerberos.keytab"
+ mountPath: {{ .Values.kerberos.keytabPath | quote }}
+ readOnly: true
+ - name: kerberos-ccache
+ mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
+ readOnly: false
+ {{- if .Values.volumeMounts }}
+ {{- toYaml .Values.volumeMounts | nindent 8 }}
+ {{- end }}
+ {{- if .Values.workers.extraVolumeMounts }}
+ {{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.webserver.webserverConfig
.Values.webserver.webserverConfigConfigMapName }}
+ {{- include "airflow_webserver_config_mount" . | nindent 8 }}
+ {{- end }}
+ envFrom: {{- include "custom_airflow_environment_from" . | default "\n
[]" | indent 6 }}
+ env:
+ - name: KRB5_CONFIG
+ value: {{ .Values.kerberos.configPath | quote }}
+ - name: KRB5CCNAME
+ value: {{ include "kerberos_ccache_path" . | quote }}
+ {{- include "custom_airflow_environment" . | indent 6 }}
+ {{- include "standard_airflow_environment" . | indent 6 }}
+ {{- end }}
containers:
- envFrom: {{- include "custom_airflow_environment_from" . | default "\n
[]" | indent 6 }}
env:
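Review bot: The new `kerberos-init` container carries no `securityContext`, unlike the `worker-kerberos` sidecar later in this file, which gets `$containerSecurityContextKerberosSidecar`; this container reads the keytab and writes the ccache, so it should run under the pod's least-privilege settings rather than the cluster default. Reusing the worker variable this template already defines is a one-line addition after `imagePullPolicy`: `securityContext: {{ $containerSecurityContext | nindent 8 }}` (a dedicated `workers.kerberosInitContainer` value would mirror the sidecar, but that needs a values.yaml entry this commit does not add). The `volumeMounts` and `env` blocks here are repeated verbatim in the sidecar; a named template for the shared part would keep the two from drifting.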
@@ -83,6 +125,62 @@ spec:
{{- if .Values.workers.extraVolumeMounts }}
{{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 8 }}
{{- end }}
+ {{- if .Values.kerberos.enabled }}
+ - name: kerberos-keytab
+ subPath: "kerberos.keytab"
+ mountPath: {{ .Values.kerberos.keytabPath | quote }}
+ readOnly: true
+ - name: config
+ mountPath: {{ .Values.kerberos.configPath | quote }}
+ subPath: krb5.conf
+ readOnly: true
+ - name: kerberos-ccache
+ mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.workers.kerberosSidecar.enabled }}
+ - name: worker-kerberos
+ image: {{ template "airflow_image" . }}
+ imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+ securityContext: {{ $containerSecurityContextKerberosSidecar | nindent 8
}}
+ {{- if $containerLifecycleHooksKerberosSidecar }}
+ lifecycle: {{- tpl (toYaml $containerLifecycleHooksKerberosSidecar) . |
nindent 8 }}
+ {{- end }}
+ args: ["kerberos"]
+ resources: {{- toYaml .Values.workers.kerberosSidecar.resources |
nindent 8 }}
+ volumeMounts:
+ - name: logs
+ mountPath: {{ template "airflow_logs" . }}
+ {{- include "airflow_config_mount" . | nindent 8 }}
+ - name: config
+ mountPath: {{ .Values.kerberos.configPath | quote }}
+ subPath: krb5.conf
+ readOnly: true
+ - name: kerberos-keytab
+ subPath: "kerberos.keytab"
+ mountPath: {{ .Values.kerberos.keytabPath | quote }}
+ readOnly: true
+ - name: kerberos-ccache
+ mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
+ readOnly: false
+ {{- if .Values.volumeMounts }}
+ {{- toYaml .Values.volumeMounts | nindent 8 }}
+ {{- end }}
+ {{- if .Values.workers.extraVolumeMounts }}
+ {{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.webserver.webserverConfig
.Values.webserver.webserverConfigConfigMapName }}
+ {{- include "airflow_webserver_config_mount" . | nindent 8 }}
+ {{- end }}
+ envFrom: {{- include "custom_airflow_environment_from" . | default "\n
[]" | indent 6 }}
+ env:
+ - name: KRB5_CONFIG
+ value: {{ .Values.kerberos.configPath | quote }}
+ - name: KRB5CCNAME
+ value: {{ include "kerberos_ccache_path" . | quote }}
+ {{- include "custom_airflow_environment" . | indent 6 }}
+ {{- include "standard_airflow_environment" . | indent 6 }}
+ {{- end }}
{{- if .Values.workers.extraContainers }}
{{- toYaml .Values.workers.extraContainers | nindent 4 }}
{{- end }}
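Review bot: The sidecar is emitted under `.Values.workers.kerberosSidecar.enabled` but mounts `kerberos-keytab` and `kerberos-ccache`, which the volumes hunk at the end of this file declares only under `.Values.kerberos.enabled`; the same applies to the `kerberos-init` container in the previous hunk. With `kerberosSidecar.enabled: true` and `kerberos.enabled: false` — exactly the combination the new `test_airflow_local_settings_kerberos_sidecar` renders — the pod references volumes that were never declared and is rejected by pod validation, and the test does not notice because it only inspects container fields. Either gate the container on `{{- if and .Values.kerberos.enabled .Values.workers.kerberosSidecar.enabled }}` (likewise for the init container), or declare the volumes under the `or` of the three flags; a `fail` for the inconsistent combination would surface it at render time. The split of the ccache mount — `readOnly: true` in the worker container, `readOnly: false` only in the sidecar that refreshes it — is the right one and deserves a template comment so it is not "fixed" later.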
@@ -136,6 +234,13 @@ spec:
{{- if .Values.volumes }}
{{- toYaml .Values.volumes | nindent 2 }}
{{- end }}
+ {{- if .Values.kerberos.enabled }}
+ - name: kerberos-keytab
+ secret:
+ secretName: {{ include "kerberos_keytab_secret" . | quote }}
+ - name: kerberos-ccache
+ emptyDir: {}
+ {{- end }}
{{- if .Values.workers.extraVolumes }}
{{- tpl (toYaml .Values.workers.extraVolumes) . | nindent 2 }}
{{- end }}
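Review bot: The `kerberos-ccache` volume is a plain `emptyDir: {}`, so the ticket cache the sidecar writes sits on the node's disk for the pod's lifetime; for a credential cache `emptyDir: {medium: Memory}` keeps it in tmpfs at the cost of counting against the container memory limit. Whether to change it here should follow how the worker Deployment template declares the same volume — consistency between the two matters more than either choice — so at minimum a comment recording the decision, e.g. `# ccache is written by the kerberos sidecar/init container; worker mounts it read-only`, would help the next reader.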
diff --git a/helm_tests/airflow_aux/test_pod_template_file.py
b/helm_tests/airflow_aux/test_pod_template_file.py
index 4002dfa3a8..ee70b6f21d 100644
--- a/helm_tests/airflow_aux/test_pod_template_file.py
+++ b/helm_tests/airflow_aux/test_pod_template_file.py
@@ -845,3 +845,58 @@ class TestPodTemplateFile:
)
assert jmespath.search("spec.runtimeClassName", docs[0]) == "nvidia"
+
+ def test_airflow_local_settings_kerberos_sidecar(self):
+ docs = render_chart(
+ values={
+ "airflowLocalSettings": "# Well hello!",
+ "workers": {"kerberosSidecar": {"enabled": True}},
+ },
+ show_only=["templates/pod-template-file.yaml"],
+ chart_dir=self.temp_chart_dir,
+ )
+ jmespath.search("spec.containers[1].name", docs[0]) ==
"worker-kerberos"
+
+ assert {
+ "name": "config",
+ "mountPath": "/opt/airflow/config/airflow_local_settings.py",
+ "subPath": "airflow_local_settings.py",
+ "readOnly": True,
+ } in jmespath.search("spec.containers[1].volumeMounts", docs[0])
+
+ @pytest.mark.parametrize(
+ "airflow_version, init_container_enabled, expected_init_containers",
+ [
+ ("1.9.0", True, 0),
+ ("1.9.0", False, 0),
+ ("1.10.14", True, 0),
+ ("1.10.14", False, 0),
+ ("2.0.2", True, 0),
+ ("2.0.2", False, 0),
+ ("2.1.0", True, 0),
+ ("2.1.0", False, 0),
+ ("2.8.0", True, 1),
+ ("2.8.0", False, 0),
+ ],
+ )
+ def test_airflow_kerberos_init_container(
+ self, airflow_version, init_container_enabled, expected_init_containers
+ ):
+ docs = render_chart(
+ values={
+ "airflowVersion": airflow_version,
+ "workers": {
+ "kerberosInitContainer": {"enabled":
init_container_enabled},
+ },
+ },
+ show_only=["templates/pod-template-file.yaml"],
+ chart_dir=self.temp_chart_dir,
+ )
+
+ initContainers = jmespath.search("spec.initContainers", docs[0])
+ if expected_init_containers == 0:
+ assert initContainers is None
+
+ if expected_init_containers == 1:
+ assert initContainers[0]["name"] == "kerberos-init"
+ assert initContainers[0]["args"] == ["kerberos", "-o"]
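Review bot: The comparison right after `render_chart(...)` in `test_airflow_local_settings_kerberos_sidecar` is missing `assert`, so `jmespath.search("spec.containers[1].name", docs[0]) == "worker-kerberos"` is evaluated and discarded and the container name is never checked; it should read `assert jmespath.search("spec.containers[1].name", docs[0]) == "worker-kerberos"`. In `test_airflow_kerberos_init_container` the two independent `if` branches mean any `expected_init_containers` other than 0 or 1 asserts nothing; an `else: assert len(initContainers) == expected_init_containers` (or folding the 1-case into it) makes the parametrization self-checking. The local `initContainers` is camelCase; `init_containers` matches the surrounding test style.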