[ https://issues.apache.org/jira/browse/AIRFLOW-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16997723#comment-16997723 ]

ASF GitHub Bot commented on AIRFLOW-4301:
-----------------------------------------

olivertso commented on pull request #5922: [AIRFLOW-4301] Fix 
KubernetesPodOperator secret volume mapping
URL: https://github.com/apache/airflow/pull/5922
 
 
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [ ] My PR addresses the following [Airflow 
Jira](https://issues.apache.org/jira/browse/AIRFLOW/) issues and references 
them in the PR title. For example, "\[AIRFLOW-XXX\] My Airflow PR"
     - https://issues.apache.org/jira/browse/AIRFLOW-XXX
     - In case you are fixing a typo in the documentation you can prepend your 
commit with \[AIRFLOW-XXX\], code changes always need a Jira issue.
     - In case you are proposing a fundamental code change, you need to create 
an Airflow Improvement Proposal 
([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvements+Proposals)).
     - In case you are adding a dependency, check if the license complies with 
the [ASF 3rd Party License 
Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Description
   
   - [ ] Here are some details about my PR, including screenshots of any UI 
changes:
   
   ### Tests
   
   - [ ] My PR adds the following unit tests __OR__ does not need testing for 
this extremely good reason:
   
   ### Commits
   
   - [ ] My commits all reference Jira issues in their subject lines, and I 
have squashed multiple commits if they address the same issue. In addition, my 
commits follow the guidelines from "[How to write a good git commit 
message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes 
how to use it.
     - All the public functions and the classes in the PR contain docstrings 
that explain what it does
     - If you implement backwards incompatible changes, please leave a note in 
the [Updating.md](https://github.com/apache/airflow/blob/master/UPDATING.md) so 
we can assign it to a appropriate release
   
   ### Code Quality
   
   - [ ] Passes `flake8`
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Secrets in KubernetesPodOperator are not mapped as expected for deploy_type 
> volume
> ----------------------------------------------------------------------------------
>
>                 Key: AIRFLOW-4301
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4301
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: operators
>    Affects Versions: 1.10.2
>            Reporter: Hüdaverdi Cakir
>            Priority: Major
>              Labels: kubernetes
>
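> Consider the following secret configuration:
> {code:python}
> # Import path as in Airflow 1.10.x
> from airflow.contrib.kubernetes.secret import Secret
>
> # Arguments: deploy_type, deploy_target, secret, key
> secret1 = Secret('volume', '/usr/src/app/config/secret1.json', 'k8s-creds', 'secret-file1')
> secret2 = Secret('volume', '/usr/src/app/config/secret2.json', 'k8s-creds', 'secret-file2')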
> {code}
> h2. observed
> When this configuration is deployed via the KubernetesPodOperator, the following 
> files are visible in the pod (container):
> {code:bash}
> # ls -l /usr/src/app/config/secret1.json
> total 0
> lrwxrwxrwx    1 root     root            10 Apr 12 18:17 secret-file1 -> ..data/secret-file1
> lrwxrwxrwx    1 root     root            15 Apr 12 18:17 secret-file2 -> ..data/secret-file2
> lrwxrwxrwx    1 root     root            11 Apr 12 18:17 secret-file3 -> ..data/secret-file3
> # ls -l /usr/src/app/config/secret2.json
> total 0
> lrwxrwxrwx    1 root     root            10 Apr 12 18:17 secret-file1 -> ..data/secret-file1
> lrwxrwxrwx    1 root     root            15 Apr 12 18:17 secret-file2 -> ..data/secret-file2
> lrwxrwxrwx    1 root     root            11 Apr 12 18:17 secret-file3 -> ..data/secret-file3
> {code}
> As you can see, all secrets were mapped per {{deploy_target}} (e.g. 
> secret1.json), regardless of what {{key}} (e.g. secret-file1) was provided. This 
> also includes a third key (secret-file3) which was never meant to be exposed.
> h2. expected
> For {{deploy_type=volume}}, when {{key}} is provided, {{deploy_target}} 
> should be considered as a single file, and not as a folder.
> Whereas, when {{key}} is not provided, {{deploy_target}} should be 
> considered as a folder and all secret keys under the given secret should be 
> mapped.
> h2. workaround
> Using {{VolumeMount}} and {{Volume}} for mapping secrets manually.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
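
The mapping the report asks for, written out as plain Kubernetes pod-spec dictionaries (an added example, not Airflow's code and not the change in PR #5922). `SecretSpec`, `build_secret_volumes`, `exposed_keys`, the `secretvol-N` volume names and the `/etc/creds` mount are assumptions made for illustration; the three-key secret content is constructed from the listing in the report.

```python
from collections import namedtuple

# Mirrors the four positional arguments of Secret(...) in the report.
SecretSpec = namedtuple("SecretSpec", "deploy_type deploy_target secret key")


def build_secret_volumes(secrets):
    """Return (volumes, volume_mounts) following the report's expected behaviour."""
    volumes, mounts = [], []
    for i, s in enumerate(secrets):
        if s.deploy_type != "volume":
            continue
        name = "secretvol-%d" % i  # hypothetical volume name
        source = {"secretName": s.secret}  # no key: whole secret as a directory
        mount = {"name": name, "mountPath": s.deploy_target, "readOnly": True}
        if s.key:
            # key given: project only that key and mount it as a single file
            source["items"] = [{"key": s.key, "path": s.key}]
            mount["subPath"] = s.key
        volumes.append({"name": name, "secret": source})
        mounts.append(mount)
    return volumes, mounts


def exposed_keys(volumes, mounts, secret_contents):
    """Map each mountPath to the secret keys a container can read through it."""
    by_name = {v["name"]: v["secret"] for v in volumes}
    result = {}
    for m in mounts:
        src = by_name[m["name"]]
        if "items" in src:
            keys = [it["key"] for it in src["items"]]
        else:
            keys = sorted(secret_contents[src["secretName"]])
        result[m["mountPath"]] = keys
    return result


# Constructed sample: the secret from the report, holding three keys.
K8S_CREDS = {"k8s-creds": ["secret-file1", "secret-file2", "secret-file3"]}
SECRETS = [
    SecretSpec("volume", "/usr/src/app/config/secret1.json", "k8s-creds", "secret-file1"),
    SecretSpec("volume", "/usr/src/app/config/secret2.json", "k8s-creds", "secret-file2"),
    SecretSpec("volume", "/etc/creds", "k8s-creds", None),  # assumed directory mount
]

if __name__ == "__main__":
    for path, keys in exposed_keys(*build_secret_volumes(SECRETS), K8S_CREDS).items():
        print(path, keys)
```

A `subPath` mount does not pick up later changes to the Secret, so rotating a key mounted this way requires recreating the pod.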
