This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new efef218967e Add workers.celery.kerberosSidecar &
workers.kubernetes.kerberosSidecar sections (#61881)
efef218967e is described below
commit efef218967e2b6dbbed027c3dee0f368d48da067
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Fri Mar 6 16:39:12 2026 +0100
Add workers.celery.kerberosSidecar & workers.kubernetes.kerberosSidecar
sections (#61881)
* Add workers.celery.kerberosSidecar & workers.kubernetes.kerberosSidecar
* Misc
---
chart/files/pod-template-file.kubernetes-helm-yaml | 14 +-
chart/templates/_helpers.yaml | 13 +-
chart/templates/workers/worker-deployment.yaml | 2 +-
chart/templates/workers/worker-hpa.yaml | 2 +-
chart/templates/workers/worker-kedaautoscaler.yaml | 2 +-
chart/templates/workers/worker-networkpolicy.yaml | 2 +-
.../workers/worker-poddisruptionbudget.yaml | 2 +-
chart/templates/workers/worker-service.yaml | 2 +-
chart/templates/workers/worker-serviceaccount.yaml | 2 +-
chart/values.schema.json | 174 ++++++++++++++++++-
chart/values.yaml | 42 +++++
.../helm_tests/airflow_aux/test_airflow_common.py | 12 +-
.../airflow_aux/test_container_lifecycle.py | 74 ++++++--
.../airflow_aux/test_pod_template_file.py | 186 ++++++++++++++++++++-
.../tests/helm_tests/airflow_core/test_worker.py | 12 +-
.../helm_tests/airflow_core/test_worker_sets.py | 83 ++++++++-
.../tests/helm_tests/security/test_kerberos.py | 74 +++++---
.../helm_tests/security/test_security_context.py | 39 ++++-
18 files changed, 654 insertions(+), 83 deletions(-)
diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml
b/chart/files/pod-template-file.kubernetes-helm-yaml
index 088cf55ec6a..4fa1413037e 100644
--- a/chart/files/pod-template-file.kubernetes-helm-yaml
+++ b/chart/files/pod-template-file.kubernetes-helm-yaml
@@ -22,8 +22,8 @@
{{- $tolerations := or .Values.workers.tolerations .Values.tolerations }}
{{- $topologySpreadConstraints := or .Values.workers.topologySpreadConstraints
.Values.topologySpreadConstraints }}
{{- $securityContext := include "airflowPodSecurityContext" (list
.Values.workers.kubernetes .Values.workers .Values) }}
-{{- $containerSecurityContextKerberosSidecar := include
"containerSecurityContext" (list .Values.workers.kerberosSidecar .Values) }}
-{{- $containerLifecycleHooksKerberosSidecar := or
.Values.workers.kerberosSidecar.containerLifecycleHooks
.Values.containerLifecycleHooks }}
+{{- $containerSecurityContextKerberosSidecar := include
"containerSecurityContext" (list .Values.workers.kubernetes.kerberosSidecar
.Values.workers.kerberosSidecar .Values) }}
+{{- $containerLifecycleHooksKerberosSidecar := or
.Values.workers.kubernetes.kerberosSidecar.containerLifecycleHooks
.Values.workers.kerberosSidecar.containerLifecycleHooks
.Values.containerLifecycleHooks }}
{{- $containerSecurityContextKerberosInitContainer := include
"containerSecurityContext" (list
.Values.workers.kubernetes.kerberosInitContainer
.Values.workers.kerberosInitContainer .Values) }}
{{- $containerLifecycleHooksKerberosInitContainer := or
.Values.workers.kubernetes.kerberosInitContainer.containerLifecycleHooks
.Values.workers.kerberosInitContainer.containerLifecycleHooks
.Values.containerLifecycleHooks }}
{{- $containerSecurityContext := include "containerSecurityContext" (list
.Values.workers.kubernetes .Values.workers .Values) }}
@@ -112,7 +112,7 @@ spec:
env:
- name: AIRFLOW__CORE__EXECUTOR
value: {{ .Values.executor | quote }}
- {{- if or .Values.workers.kerberosSidecar.enabled
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled }}
+ {{- if or .Values.workers.kubernetes.kerberosSidecar.enabled
.Values.workers.kerberosSidecar.enabled
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled }}
- name: KRB5_CONFIG
value: {{ .Values.kerberos.configPath | quote }}
- name: KRB5CCNAME
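Review bot: An explicit `workers.kubernetes.kerberosSidecar.enabled: false` cannot turn the sidecar off for task pods, because the new condition is a plain `or` with `.Values.workers.kerberosSidecar.enabled` and the legacy flag still wins. The same `or` gates the `worker-kerberos` container in the `@@ -161,7` hunk and both config volumes in the `@@ -261,13` hunk, and the parent `True` / kubernetes `False` case added to test_airflow_local_settings_kerberos_sidecar in test_pod_template_file.py still expects a mount on `spec.containers[1]`. The schema gives the new flag `boolean | null` with default null, which reads as "null inherits, false disables"; that difference matters to an operator who wants the Kerberos sidecar kept out of pod-template-file pods. If that reading is intended, resolve the flag once with `{{- $kerberosSidecarEnabled := ternary .Values.workers.kerberosSidecar.enabled .Values.workers.kubernetes.kerberosSidecar.enabled (kindIs "invalid" .Values.workers.kubernetes.kerberosSidecar.enabled) }}` and use it in all four conditions. Otherwise state in values.yaml that the two flags are OR-ed.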
@@ -161,7 +161,7 @@ spec:
mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
readOnly: true
{{- end }}
- {{- if .Values.workers.kerberosSidecar.enabled }}
+ {{- if or .Values.workers.kubernetes.kerberosSidecar.enabled
.Values.workers.kerberosSidecar.enabled }}
- name: worker-kerberos
image: {{ template "airflow_image" . }}
imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
@@ -170,7 +170,7 @@ spec:
lifecycle: {{- tpl (toYaml $containerLifecycleHooksKerberosSidecar) . |
nindent 8 }}
{{- end }}
args: ["kerberos"]
- resources: {{- toYaml .Values.workers.kerberosSidecar.resources |
nindent 8 }}
+ resources: {{- toYaml
(.Values.workers.kubernetes.kerberosSidecar.resources | default
.Values.workers.kerberosSidecar.resources) | nindent 8 }}
volumeMounts:
- name: logs
mountPath: {{ template "airflow_logs" . }}
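Review bot: The `resources:` line picks one level with `default` and does not merge, so once `workers.kubernetes.kerberosSidecar.resources` is non-empty nothing from `workers.kerberosSidecar.resources` survives. An empty `{}` at the kubernetes level also cannot clear resources set on the parent, because `default` treats it as unset. test_kerberos_sidecar_resources pins the first half: the parent `limits` disappear when the kubernetes level sets only `requests`. A template comment above the line would keep readers from assuming limits are inherited, e.g. `{{- /* kubernetes-level resources replace workers.kerberosSidecar.resources as a whole */}}`. The container spec this line belongs to starts and ends outside the hunk.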
@@ -261,13 +261,13 @@ spec:
name: {{ include "airflow_config" . }}
name: config
{{- if semverCompare ">=3.0.0" .Values.airflowVersion }}
- {{- if and (or .Values.apiServer.apiServerConfig
.Values.apiServer.apiServerConfigConfigMapName) (or
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled
.Values.workers.kerberosSidecar.enabled) }}
+ {{- if and (or .Values.apiServer.apiServerConfig
.Values.apiServer.apiServerConfigConfigMapName) (or
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled
.Values.workers.kubernetes.kerberosSidecar.enabled
.Values.workers.kerberosSidecar.enabled) }}
- name: api-server-config
configMap:
name: {{ template "airflow_api_server_config_configmap_name" . }}
{{- end }}
{{- else }}
- {{- if and (or .Values.webserver.webserverConfig
.Values.webserver.webserverConfigConfigMapName) (or
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled
.Values.workers.kerberosSidecar.enabled) }}
+ {{- if and (or .Values.webserver.webserverConfig
.Values.webserver.webserverConfigConfigMapName) (or
.Values.workers.kubernetes.kerberosInitContainer.enabled
.Values.workers.kerberosInitContainer.enabled
.Values.workers.kubernetes.kerberosSidecar.enabled
.Values.workers.kerberosSidecar.enabled) }}
- name: webserver-config
configMap:
name: {{ template "airflow_webserver_config_configmap_name" . }}
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index ceb0041a7b7..f3f92a87c42 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -646,7 +646,6 @@ server_tls_key_file = /etc/pgbouncer/server.key
{{- include "_serviceAccountName" (merge (dict "key" "webserver") .) -}}
{{- end }}
-
{{/* Create the name of the API server service account to use */}}
{{- define "apiServer.serviceAccountName" -}}
{{- include "_serviceAccountName" (merge (dict "key" "apiServer"
"nameSuffix" "api-server" ) .) -}}
@@ -902,9 +901,9 @@ Where `.` is the global variables scope and
`.Values.workers` the local variable
Set the default value for container securityContext
If no value is passed for securityContexts.container or
<node>.securityContexts.container, defaults to deny privileges escallation and
dropping all POSIX capabilities.
- +-----------------------------------+ +----------------------------+
+-----------------------------------------------------------+
- | <node>.securityContexts.container | -> | securityContexts.containers |
-> | allowPrivilegesEscalation: false, capabilities.drop: [ALL]|
- +-----------------------------------+ +----------------------------+
+-----------------------------------------------------------+
+ +-----------------------------------+ +-----------------------------+
+------------------------------------------------------------+
+ | <node>.securityContexts.container | -> | securityContexts.containers |
-> | allowPrivilegesEscalation: false, capabilities.drop: [ALL] |
+ +-----------------------------------+ +-----------------------------+
+------------------------------------------------------------+
The template can be called like so:
include "containerSecurityContext" (list .Values.webserver .Values)
@@ -937,9 +936,9 @@ capabilities:
Set the default value for external container securityContext(redis and statsd).
If no value is passed for <node>.securityContexts.container, defaults to deny
privileges escallation and dropping all POSIX capabilities.
- +-----------------------------------+
+-----------------------------------------------------------+
- | <node>.securityContexts.container | -> | allowPrivilegesEscalation:
false, capabilities.drop: [ALL]|
- +-----------------------------------+
+-----------------------------------------------------------+
+ +-----------------------------------+
+------------------------------------------------------------+
+ | <node>.securityContexts.container | -> | allowPrivilegesEscalation:
false, capabilities.drop: [ALL] |
+ +-----------------------------------+
+------------------------------------------------------------+
The template can be called like so:
include "externalContainerSecurityContext" .Values.statsd
diff --git a/chart/templates/workers/worker-deployment.yaml
b/chart/templates/workers/worker-deployment.yaml
index 920e01895c1..4d44c4fa824 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
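Review bot: The `$mergedWorkers` line, including its fourth argument `(list "kerberosInitContainer" "kerberosSidecar")`, is now repeated verbatim here and in worker-hpa, worker-kedaautoscaler, worker-networkpolicy, worker-poddisruptionbudget, worker-service and worker-serviceaccount. `workersMergeValues` is defined outside this diff, so what the list does is not visible from these hunks. If one of the seven copies drifts, that template would compute its worker sets from differently merged values than the deployment. Consider a small named template in _helpers.yaml that returns the merged workers, or at least a comment on the line such as `{{/* keep this key list identical in every templates/workers/*.yaml */}}`.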
diff --git a/chart/templates/workers/worker-hpa.yaml
b/chart/templates/workers/worker-hpa.yaml
index 6fe4fd3cb4e..99dd5a29468 100644
--- a/chart/templates/workers/worker-hpa.yaml
+++ b/chart/templates/workers/worker-hpa.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/templates/workers/worker-kedaautoscaler.yaml
b/chart/templates/workers/worker-kedaautoscaler.yaml
index 32b2ea87d3d..dac8991c4d7 100644
--- a/chart/templates/workers/worker-kedaautoscaler.yaml
+++ b/chart/templates/workers/worker-kedaautoscaler.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/templates/workers/worker-networkpolicy.yaml
b/chart/templates/workers/worker-networkpolicy.yaml
index 09fb4c0484d..814a183d524 100644
--- a/chart/templates/workers/worker-networkpolicy.yaml
+++ b/chart/templates/workers/worker-networkpolicy.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/templates/workers/worker-poddisruptionbudget.yaml
b/chart/templates/workers/worker-poddisruptionbudget.yaml
index a56eaa1f04a..8aed138c3be 100644
--- a/chart/templates/workers/worker-poddisruptionbudget.yaml
+++ b/chart/templates/workers/worker-poddisruptionbudget.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/templates/workers/worker-service.yaml
b/chart/templates/workers/worker-service.yaml
index ed77ea0a2f0..367ebcb496f 100644
--- a/chart/templates/workers/worker-service.yaml
+++ b/chart/templates/workers/worker-service.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/templates/workers/worker-serviceaccount.yaml
b/chart/templates/workers/worker-serviceaccount.yaml
index f1a9a27eac7..c1f4d6f816f 100644
--- a/chart/templates/workers/worker-serviceaccount.yaml
+++ b/chart/templates/workers/worker-serviceaccount.yaml
@@ -22,7 +22,7 @@
#################################
{{- $globals := deepCopy . -}}
{{- $filteredCelery := include "removeNilFields" .Values.workers.celery |
fromYaml -}}
-{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer")) | fromYaml) -}}
+{{- $mergedWorkers := (include "workersMergeValues" (list .Values.workers
$filteredCelery "" (list "kerberosInitContainer" "kerberosSidecar")) |
fromYaml) -}}
{{- $_ := unset $mergedWorkers "celery" -}}
{{- $workerSets := .Values.workers.celery.sets | default list -}}
{{- if .Values.workers.celery.enableDefault -}}
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 8b494c285d2..74d931666da 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -2063,7 +2063,7 @@
}
},
"kerberosSidecar": {
- "description": "Kerberos sidecar for Airflow Celery
workers and pods created with pod-template-file.",
+ "description": "Kerberos sidecar for Airflow Celery
workers and pods created with pod-template-file. Use
`workers.celery.kerberosSidecar` and/or `workers.kubernetes.kerberosSidecar` to
separate value between Celery workers and pod-template-file",
"type": "object",
"additionalProperties": false,
"properties": {
@@ -3086,6 +3086,92 @@
}
}
},
+ "kerberosSidecar": {
+ "description": "Kerberos sidecar for Airflow
Celery workers.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable Kerberos sidecar.",
+ "type": [
+ "boolean",
+ "null"
+ ],
+ "default": null
+ },
+ "resources": {
+ "description": "Resources on kerberos
sidecar.",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "limits": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ }
+ ],
+ "$ref":
"#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+ },
+ "containerLifecycleHooks": {
+ "description": "Container Lifecycle Hooks
definition for the kerberos sidecar. If not set, the values from
`workers.containerLifecycleHooks` will be used.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.Lifecycle",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+ "postStart": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo postStart
handler > /usr/share/message"
+ ]
+ }
+ },
+ "preStop": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo preStop handler
> /usr/share/message"
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "securityContexts": {
+ "description": "Security context
definition for the kerberos sidecar. If not set, the values from
`workers.securityContexts` will be used.",
+ "type": "object",
+ "x-docsSection": "Kubernetes",
+ "properties": {
+ "container": {
+ "description": "Container security
context definition for the kerberos sidecar.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.SecurityContext",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+
"allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
"kerberosInitContainer": {
"description": "Kerberos init container for
Airflow Celery workers.",
"type": "object",
@@ -3255,6 +3341,92 @@
}
]
},
+ "kerberosSidecar": {
+ "description": "Kerberos sidecar for pods created
with pod-template-file.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable Kerberos sidecar.",
+ "type": [
+ "boolean",
+ "null"
+ ],
+ "default": null
+ },
+ "resources": {
+ "description": "Resources on kerberos
sidecar.",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "limits": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ }
+ ],
+ "$ref":
"#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+ },
+ "containerLifecycleHooks": {
+ "description": "Container Lifecycle Hooks
definition for the kerberos sidecar. If not set, the values from
`workers.containerLifecycleHooks` will be used.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.Lifecycle",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+ "postStart": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo postStart
handler > /usr/share/message"
+ ]
+ }
+ },
+ "preStop": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo preStop handler
> /usr/share/message"
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "securityContexts": {
+ "description": "Security context
definition for the kerberos sidecar. If not set, the values from
`workers.securityContexts` will be used.",
+ "type": "object",
+ "x-docsSection": "Kubernetes",
+ "properties": {
+ "container": {
+ "description": "Container security
context definition for the kerberos sidecar.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.SecurityContext",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+
"allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
"kerberosInitContainer": {
"description": "Kerberos init container for pods
created with pod-template-file.",
"type": "object",
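Review bot: The `containerLifecycleHooks` and `securityContexts` descriptions in this `workers.kubernetes.kerberosSidecar` block name a fallback that pod-template-file does not implement. There the hooks come from `or .Values.workers.kubernetes.kerberosSidecar.containerLifecycleHooks .Values.workers.kerberosSidecar.containerLifecycleHooks .Values.containerLifecycleHooks` and the security context from `(list .Values.workers.kubernetes.kerberosSidecar .Values.workers.kerberosSidecar .Values)`, so `workers.containerLifecycleHooks` and `workers.securityContexts` are never consulted. Suggested wording for both: "If not set, the values from `workers.kerberosSidecar` and then the chart-level setting will be used." The `workers.celery.kerberosSidecar` block in the previous hunk carries the same two sentences. Its fallback runs through `workersMergeValues`, which this diff does not show, so it should be checked as well.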
diff --git a/chart/values.yaml b/chart/values.yaml
index 4f85bd83fb8..255db1700bc 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -854,6 +854,8 @@ workers:
container: {}
# Kerberos sidecar configuration for Airflow Celery workers and pods created
with pod-template-file
+ # Use workers.celery.kerberosSidecar and/or
workers.kubernetes.kerberosSidecar to separate
+ # value between Celery workers and pod-template-file
kerberosSidecar:
# Enable kerberos sidecar
enabled: false
@@ -1202,6 +1204,26 @@ workers:
securityContexts:
container: {}
+ # Kerberos sidecar configuration for Airflow Celery workers
+ kerberosSidecar:
+ # Enable kerberos sidecar
+ enabled: ~
+
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Detailed default security context for kerberos sidecar on container
level
+ securityContexts:
+ container: {}
+
+ # Container level lifecycle hooks
+ containerLifecycleHooks: {}
+
# Kerberos init container configuration for Airflow Celery workers
# If not set, the values from `workers.kubernetesInitContainer` section
will be used.
kerberosInitContainer:
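Review bot: The new `kerberosSidecar` block does not say what an unset key inherits, unlike the `kerberosInitContainer` block directly below it, which has an "If not set, the values from ..." comment. Add `# If not set, the values from `workers.kerberosSidecar` section will be used.` under the heading, both here and in the `workers.kubernetes.kerberosSidecar` hunk that follows. Next to `enabled: ~`, a short `# ~ (null) means: use workers.kerberosSidecar.enabled` would explain why the default is null rather than `false`.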
@@ -1237,6 +1259,26 @@ workers:
# Container level Lifecycle Hooks definition for pods created with
pod-template-file
containerLifecycleHooks: {}
+ # Kerberos sidecar configuration for pods created with pod-template-file
+ kerberosSidecar:
+ # Enable kerberos sidecar
+ enabled: ~
+
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Detailed default security context for kerberos sidecar on container
level
+ securityContexts:
+ container: {}
+
+ # Container level lifecycle hooks
+ containerLifecycleHooks: {}
+
# Kerberos init container configuration for pods created with
pod-template-file
# If not set, the values from `workers.kubernetesInitContainer` section
will be used.
kerberosInitContainer:
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
b/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
index 455c59456a7..c5eac7ce2c7 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
@@ -146,7 +146,15 @@ class TestAirflowCommon:
for doc in docs:
assert expected_mount in
jmespath.search("spec.template.spec.containers[0].volumeMounts", doc)
- def test_webserver_config_configmap_name_volume_mounts(self):
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {"kerberosSidecar": {"enabled": True}},
+ {"celery": {"kerberosSidecar": {"enabled": True}}},
+ {"kerberosSidecar": {"enabled": True}, "celery":
{"kerberosSidecar": {"enabled": False}}},
+ ],
+ )
+ def test_webserver_config_configmap_name_volume_mounts(self,
workers_values):
configmap_name = "my-configmap"
docs = render_chart(
values={
@@ -154,7 +162,7 @@ class TestAirflowCommon:
"webserverConfig": "CSRF_ENABLED = True # {{
.Release.Name }}",
"webserverConfigConfigMapName": configmap_name,
},
- "workers": {"kerberosSidecar": {"enabled": True}},
+ "workers": workers_values,
},
show_only=[
"templates/scheduler/scheduler-deployment.yaml",
diff --git
a/helm-tests/tests/helm_tests/airflow_aux/test_container_lifecycle.py
b/helm-tests/tests/helm_tests/airflow_aux/test_container_lifecycle.py
index 6ed68d6abe1..04bef2de7df 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_container_lifecycle.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_container_lifecycle.py
@@ -193,25 +193,75 @@ class TestContainerLifecycleHooks:
)
# Test container lifecycle hooks for worker-kerberos main container
- @pytest.mark.parametrize("hook_type", ["preStop", "postStart"])
- def test_worker_kerberos_container_setting(self, hook_type):
- docs = render_chart(
- name=RELEASE_NAME,
- values={
- "workers": {
+ @pytest.mark.parametrize(
+ ("workers_values", "expected_hook_type"),
+ [
+ (
+ {
"kerberosSidecar": {
"enabled": True,
- "containerLifecycleHooks": {hook_type:
LIFECYCLE_TEMPLATE},
+ "containerLifecycleHooks": {"preStop":
LIFECYCLE_TEMPLATE},
}
},
- },
+ "preStop",
+ ),
+ (
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {"postStart":
LIFECYCLE_TEMPLATE},
+ }
+ },
+ "postStart",
+ ),
+ (
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {"preStop":
LIFECYCLE_TEMPLATE},
+ }
+ }
+ },
+ "preStop",
+ ),
+ (
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {"postStart":
LIFECYCLE_TEMPLATE},
+ }
+ }
+ },
+ "postStart",
+ ),
+ (
+ {
+ "kerberosSidecar": {
+ "containerLifecycleHooks": {"postStart": {"exec":
{"command": ["test"]}}}
+ },
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {"preStop":
LIFECYCLE_TEMPLATE},
+ }
+ },
+ },
+ "preStop",
+ ),
+ ],
+ )
+ def test_worker_kerberos_container_setting(self, workers_values,
expected_hook_type):
+ docs = render_chart(
+ name=RELEASE_NAME,
+ values={"workers": workers_values},
show_only=["templates/workers/worker-deployment.yaml"],
)
- assert (
-
jmespath.search(f"spec.template.spec.containers[2].lifecycle.{hook_type}",
docs[0])
- == LIFECYCLE_PARSED
- )
+ assert jmespath.search("spec.template.spec.containers[2].lifecycle",
docs[0]) == {
+ expected_hook_type: LIFECYCLE_PARSED
+ }
# Test container lifecycle hooks for log-groomer-sidecar main container
@pytest.mark.parametrize("hook_type", ["preStop", "postStart"])
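Review bot: The rewritten assertion still picks the sidecar by position, `spec.template.spec.containers[2].lifecycle`, so an added or reordered container would compare the wrong container's hooks, or `None`. test_kerberos_sidecar_resources in test_pod_template_file.py already selects by name. Assuming the Celery sidecar is also named `worker-kerberos`, the equivalent here is `jmespath.search("spec.template.spec.containers[?name=='worker-kerberos'] | [0].lifecycle", docs[0])`. test_kerberos_sidecar_lifecycle and test_kerberos_sidecar_security_context in that file use `spec.containers[1]` and would benefit from the same change. The five parameter tuples would also be easier to read in a failure report with `ids=[...]`, for example `"celery-overrides-workers-level"` for the last one.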
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py
b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py
index 70e1aac251c..a1f0f03aa1d 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py
@@ -1138,11 +1138,19 @@ class TestPodTemplateFile:
assert jmespath.search("spec.runtimeClassName", docs[0]) == "nvidia"
- def test_airflow_local_settings_kerberos_sidecar(self):
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {"kerberosSidecar": {"enabled": True}},
+ {"kubernetes": {"kerberosSidecar": {"enabled": True}}},
+ {"kerberosSidecar": {"enabled": True}, "kubernetes":
{"kerberosSidecar": {"enabled": False}}},
+ ],
+ )
+ def test_airflow_local_settings_kerberos_sidecar(self, workers_values):
docs = render_chart(
values={
"airflowLocalSettings": "# Well hello!",
- "workers": {"kerberosSidecar": {"enabled": True}},
+ "workers": workers_values,
},
show_only=["templates/pod-template-file.yaml"],
chart_dir=self.temp_chart_dir,
@@ -1156,6 +1164,178 @@ class TestPodTemplateFile:
"readOnly": True,
} in jmespath.search("spec.containers[1].volumeMounts", docs[0])
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {
+ "kerberosSidecar": {
+ "resources": {
+ "requests": {"cpu": "1m", "memory": "2Mi"},
+ }
+ },
+ "kubernetes": {"kerberosSidecar": {"enabled": True}},
+ },
+ {
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "resources": {
+ "requests": {"cpu": "1m", "memory": "2Mi"},
+ },
+ }
+ }
+ },
+ {
+ "kerberosSidecar": {
+ "resources": {
+ "limits": {"cpu": "30m", "memory": "40Mi"},
+ }
+ },
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "resources": {
+ "requests": {"cpu": "1m", "memory": "2Mi"},
+ },
+ }
+ },
+ },
+ ],
+ )
+ def test_kerberos_sidecar_resources(self, workers_values):
+ docs = render_chart(
+ values={"workers": workers_values},
+ show_only=["templates/pod-template-file.yaml"],
+ chart_dir=self.temp_chart_dir,
+ )
+
+ assert jmespath.search("spec.containers[?name=='worker-kerberos'] |
[0].resources", docs[0]) == {
+ "requests": {
+ "cpu": "1m",
+ "memory": "2Mi",
+ },
+ }
+
+ @pytest.mark.parametrize(
+ ("workers_values", "expected_hook_type"),
+ [
+ (
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "preStop": {"exec": {"command": ["echo", "{{
.Release.Name }}"]}}
+ },
+ }
+ },
+ "preStop",
+ ),
+ (
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "postStart": {"exec": {"command": ["echo", "{{
.Release.Name }}"]}}
+ },
+ }
+ },
+ "postStart",
+ ),
+ (
+ {
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "preStop": {"exec": {"command": ["echo", "{{
.Release.Name }}"]}}
+ },
+ }
+ }
+ },
+ "preStop",
+ ),
+ (
+ {
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "postStart": {"exec": {"command": ["echo", "{{
.Release.Name }}"]}}
+ },
+ }
+ }
+ },
+ "postStart",
+ ),
+ (
+ {
+ "kerberosSidecar": {
+ "containerLifecycleHooks": {"postStart": {"exec":
{"command": ["test"]}}}
+ },
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "preStop": {"exec": {"command": ["echo", "{{
.Release.Name }}"]}}
+ },
+ }
+ },
+ },
+ "preStop",
+ ),
+ ],
+ )
+ def test_kerberos_sidecar_lifecycle(self, workers_values,
expected_hook_type):
+ docs = render_chart(
+ name="test-release",
+ values={"workers": workers_values},
+ show_only=["templates/pod-template-file.yaml"],
+ chart_dir=self.temp_chart_dir,
+ )
+
+ assert jmespath.search("spec.containers[1].lifecycle", docs[0]) == {
+ expected_hook_type: {"exec": {"command": ["echo", "test-release"]}}
+ }
+
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
+ },
+ {
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
+ }
+ },
+ {
+ "kerberosSidecar": {"securityContexts": {"container":
{"runAsUser": 10}}},
+ "kubernetes": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
+ },
+ },
+ ],
+ )
+ def test_kerberos_sidecar_security_context(self, workers_values):
+ docs = render_chart(
+ values={"workers": workers_values},
+ show_only=["templates/pod-template-file.yaml"],
+ chart_dir=self.temp_chart_dir,
+ )
+
+ assert jmespath.search("spec.containers[1].securityContext", docs[0])
== {
+ "allowPrivilegeEscalation": False
+ }
+
def test_kerberos_init_container_default(self):
docs = render_chart(
show_only=["templates/pod-template-file.yaml"],
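Review bot: test_kerberos_sidecar_security_context only covers inputs where some level sets `securityContexts.container`; no case in this hunk asserts what the sidecar gets when `workers.kubernetes.kerberosSidecar` is enabled with no security context at all. Per the `containerSecurityContext` helper comment, that default should deny privilege escalation and drop all capabilities. A separate case with `{"kubernetes": {"kerberosSidecar": {"enabled": True}}}` expecting `{"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}` would pin it, unless test_security_context.py (not visible in this excerpt) already does. The third case also shows that a kubernetes-level value replaces the parent context outright, since `runAsUser: 10` is absent from the expected result. A comment on that case, `# kubernetes-level securityContexts replace, not merge with, workers.kerberosSidecar`, would make the intent explicit.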
@@ -1266,8 +1446,10 @@ class TestPodTemplateFile:
("airflow_version", "workers_values", "kerberos_init_container",
"expected_config_name"),
[
(None, {"kerberosSidecar": {"enabled": True}}, False,
"api-server-config"),
+ (None, {"kubernetes": {"kerberosSidecar": {"enabled": True}}},
False, "api-server-config"),
(None, {"kubernetes": {"kerberosInitContainer": {"enabled":
True}}}, True, "api-server-config"),
(None, {"kerberosInitContainer": {"enabled": True}}, True,
"api-server-config"),
+ ("2.11.0", {"kubernetes": {"kerberosSidecar": {"enabled": True}}},
False, "webserver-config"),
("2.11.0", {"kerberosSidecar": {"enabled": True}}, False,
"webserver-config"),
(
"2.11.0",
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
index 0d29a8429ab..beb0cdf4435 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
@@ -886,11 +886,19 @@ class TestWorker:
assert volume_mount in
jmespath.search("spec.template.spec.containers[0].volumeMounts", docs[0])
assert volume_mount in
jmespath.search("spec.template.spec.initContainers[0].volumeMounts", docs[0])
- def test_airflow_local_settings_kerberos_sidecar(self):
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {"kerberosSidecar": {"enabled": True}},
+ {"celery": {"kerberosSidecar": {"enabled": True}}},
+ {"kerberosSidecar": {"enabled": True}, "celery":
{"kerberosSidecar": {"enabled": False}}},
+ ],
+ )
+ def test_airflow_local_settings_kerberos_sidecar(self, workers_values):
docs = render_chart(
values={
"airflowLocalSettings": "# Well hello!",
- "workers": {"kerberosSidecar": {"enabled": True}},
+ "workers": workers_values,
},
show_only=["templates/workers/worker-deployment.yaml"],
)
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker_sets.py
b/helm-tests/tests/helm_tests/airflow_core/test_worker_sets.py
index b91abf3c1bb..530a9bd01ce 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_worker_sets.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_worker_sets.py
@@ -1852,16 +1852,20 @@ class TestWorkerSets:
assert jmespath.search("spec.behavior", docs[0]) == {"scaleDown":
{"selectPolicy": "Max"}}
- def test_overwrite_kerberos_sidecar_enabled(self):
- docs = render_chart(
- values={
- "workers": {
- "celery": {
- "enableDefault": False,
- "sets": [{"name": "test", "kerberosSidecar":
{"enabled": True}}],
- },
- }
+ @pytest.mark.parametrize(
+ "workers_celery_values",
+ [
+ {"enableDefault": False, "sets": [{"name": "test",
"kerberosSidecar": {"enabled": True}}]},
+ {
+ "kerberosSidecar": {"enabled": False},
+ "enableDefault": False,
+ "sets": [{"name": "test", "kerberosSidecar": {"enabled":
True}}],
},
+ ],
+ )
+ def test_overwrite_kerberos_sidecar_enabled(self, workers_celery_values):
+ docs = render_chart(
+ values={"workers": {"celery": workers_celery_values}},
show_only=["templates/workers/worker-deployment.yaml"],
)
@@ -1936,6 +1940,27 @@ class TestWorkerSets:
],
},
},
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "resources": {
+ "requests": {"cpu": "10m", "memory": "20Mi"},
+ }
+ },
+ "enableDefault": False,
+ "sets": [
+ {
+ "name": "test",
+ "kerberosSidecar": {
+ "enabled": True,
+ "resources": {
+ "limits": {"cpu": "3m", "memory": "4Mi"},
+ },
+ },
+ }
+ ],
+ },
+ },
],
)
def test_overwrite_kerberos_sidecar_resources(self, values):
@@ -1990,6 +2015,27 @@ class TestWorkerSets:
],
},
},
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "securityContexts": {
+ "container": {"allowPrivilegeEscalation": False},
+ }
+ },
+ "enableDefault": False,
+ "sets": [
+ {
+ "name": "test",
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {
+ "container": {"runAsUser": 10},
+ },
+ },
+ }
+ ],
+ },
+ },
],
)
def test_overwrite_kerberos_sidecar_security_context_container(self,
values):
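Review bot: In the added case the celery-level `securityContexts.container` carries `allowPrivilegeEscalation: False` while the set overrides it with only `runAsUser: 10`, and the case does not say whether the two are merged or the set value replaces the celery one. The expected value is asserted below the hunk, so it cannot be checked here. The new third case in test_security_context.py asserts exactly `{"allowPrivilegeEscalation": False}` when the broader level sets `runAsUser`, which suggests the narrower level replaces the broader one wholesale. If that holds for sets too, a set that overrides a single field silently loses the hardening configured at the celery level. A comment on the case such as `# set-level securityContexts replaces the celery-level value; allowPrivilegeEscalation is not inherited` would make that contract visible to whoever edits these values next.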
@@ -2040,6 +2086,25 @@ class TestWorkerSets:
],
},
},
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "containerLifecycleHooks": {"preStop": {"exec":
{"command": ["echo", "test"]}}}
+ },
+ "enableDefault": False,
+ "sets": [
+ {
+ "name": "test",
+ "kerberosSidecar": {
+ "enabled": True,
+ "containerLifecycleHooks": {
+ "postStart": {"exec": {"command": ["echo",
"{{ .Release.Name }}"]}},
+ },
+ },
+ }
+ ],
+ },
+ },
],
)
def test_overwrite_kerberos_sidecar_container_lifecycle_hooks(self,
values):
diff --git a/helm-tests/tests/helm_tests/security/test_kerberos.py
b/helm-tests/tests/helm_tests/security/test_kerberos.py
index 73e172bb8bd..bb23ae67ac1 100644
--- a/helm-tests/tests/helm_tests/security/test_kerberos.py
+++ b/helm-tests/tests/helm_tests/security/test_kerberos.py
@@ -19,6 +19,7 @@ from __future__ import annotations
import json
import jmespath
+import pytest
from chart_utils.helm_template_generator import render_chart
@@ -35,14 +36,22 @@ class TestKerberos:
k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider)
assert k8s_objects_to_consider_str.count("kerberos") == 1
- def test_kerberos_envs_available_in_worker_with_persistence(self):
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {"kerberosSidecar": {"enabled": True}, "celery": {"persistence":
{"enabled": True}}},
+ {"celery": {"kerberosSidecar": {"enabled": True}, "persistence":
{"enabled": True}}},
+ {
+ "kerberosSidecar": {"enabled": True},
+ "celery": {"kerberosSidecar": {"enabled": False},
"persistence": {"enabled": True}},
+ },
+ ],
+ )
+ def test_kerberos_envs_available_in_worker_with_persistence(self,
workers_values):
docs = render_chart(
values={
"executor": "CeleryExecutor",
- "workers": {
- "kerberosSidecar": {"enabled": True},
- "celery": {"persistence": {"enabled": True}},
- },
+ "workers": workers_values,
"kerberos": {
"enabled": True,
"configPath": "/etc/krb5.conf",
@@ -60,35 +69,46 @@ class TestKerberos:
"spec.template.spec.containers[0].env", docs[0]
)
- def test_kerberos_sidecar_resources(self):
- docs = render_chart(
- values={
- "executor": "CeleryExecutor",
- "workers": {
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "resources": {"requests": {"cpu": "200m", "memory":
"200Mi"}},
+ }
+ },
+ {
+ "celery": {
"kerberosSidecar": {
"enabled": True,
- "resources": {
- "requests": {
- "cpu": "200m",
- "memory": "200Mi",
- },
- "limits": {
- "cpu": "201m",
- "memory": "201Mi",
- },
- },
- },
+ "resources": {"requests": {"cpu": "200m", "memory":
"200Mi"}},
+ }
+ }
+ },
+ {
+ "kerberosSidecar": {"resources": {"limits": {"cpu": "20m",
"memory": "20Mi"}}},
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "resources": {"requests": {"cpu": "200m", "memory":
"200Mi"}},
+ }
},
},
+ ],
+ )
+ def test_kerberos_sidecar_resources(self, workers_values):
+ docs = render_chart(
+ values={
+ "executor": "CeleryExecutor",
+ "workers": workers_values,
+ },
show_only=["templates/workers/worker-deployment.yaml"],
)
- assert
jmespath.search("spec.template.spec.containers[2].resources.requests.cpu",
docs[0]) == "200m"
- assert (
-
jmespath.search("spec.template.spec.containers[2].resources.requests.memory",
docs[0]) == "200Mi"
- )
- assert
jmespath.search("spec.template.spec.containers[2].resources.limits.cpu",
docs[0]) == "201m"
- assert
jmespath.search("spec.template.spec.containers[2].resources.limits.memory",
docs[0]) == "201Mi"
+ assert jmespath.search("spec.template.spec.containers[2].resources",
docs[0]) == {
+ "requests": {"cpu": "200m", "memory": "200Mi"}
+ }
def test_keberos_sidecar_resources_are_not_added_by_default(self):
docs = render_chart(
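Review bot: After this change no case in `test_kerberos_sidecar_resources` renders `limits` into the sidecar. The four per-field assertions, including `limits.cpu == "201m"`, are replaced by one comparison against `{"requests": {"cpu": "200m", "memory": "200Mi"}}`, and the only `limits` left in the parameters is the `workers`-level value in the third case, which is expected to be discarded. Limits are what bound the sidecar's CPU and memory, so I would keep them covered by adding `"limits": {"cpu": "201m", "memory": "201Mi"}` to the effective `resources` of each case and to the expected dict. The third case would then still show that the `workers`-level `limits` of `20m`/`20Mi` is not the one rendered.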
diff --git a/helm-tests/tests/helm_tests/security/test_security_context.py
b/helm-tests/tests/helm_tests/security/test_security_context.py
index fd769e0faac..dd9da798f56 100644
--- a/helm-tests/tests/helm_tests/security/test_security_context.py
+++ b/helm-tests/tests/helm_tests/security/test_security_context.py
@@ -591,18 +591,43 @@ class TestSecurityContext:
assert ctx_value ==
jmespath.search("spec.template.spec.containers[1].securityContext", docs[0])
# Test securityContexts for worker-kerberos main container
- def test_worker_kerberos_container_setting(self):
- ctx_value = {"allowPrivilegeEscalation": False}
- docs = render_chart(
- values={
- "workers": {
- "kerberosSidecar": {"enabled": True, "securityContexts":
{"container": ctx_value}}
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
+ },
+ {
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
+ }
+ },
+ {
+ "kerberosSidecar": {"securityContexts": {"container":
{"runAsUser": 10}}},
+ "celery": {
+ "kerberosSidecar": {
+ "enabled": True,
+ "securityContexts": {"container":
{"allowPrivilegeEscalation": False}},
+ }
},
},
+ ],
+ )
+ def test_worker_kerberos_container_security_context(self, workers_values):
+ docs = render_chart(
+ values={"workers": workers_values},
show_only=["templates/workers/worker-deployment.yaml"],
)
- assert ctx_value ==
jmespath.search("spec.template.spec.containers[2].securityContext", docs[0])
+ assert
jmespath.search("spec.template.spec.containers[2].securityContext", docs[0]) ==
{
+ "allowPrivilegeEscalation": False
+ }
@pytest.mark.parametrize(
"workers_values",