jscheffl commented on code in PR #64767:
URL: https://github.com/apache/airflow/pull/64767#discussion_r3067828414
##########
providers/celery/src/airflow/providers/celery/executors/default_celery.py:
##########
@@ -141,31 +141,50 @@ def get_default_celery_config(team_conf) -> dict[str,
Any]:
try:
if celery_ssl_active:
+ ssl_mutual_tls = team_conf.getboolean("celery", "SSL_MUTUAL_TLS",
fallback=True)
+ ssl_key = team_conf.get("celery", "SSL_KEY")
+ ssl_cert = team_conf.get("celery", "SSL_CERT")
+ ssl_cacert = team_conf.get("celery", "SSL_CACERT")
+
+ if ssl_mutual_tls and (not ssl_key or not ssl_cert):
+ raise ValueError(
+ "SSL_MUTUAL_TLS is True (default) but SSL_KEY and/or
SSL_CERT are not set. "
+ "Set both for mutual TLS, or set SSL_MUTUAL_TLS=False for
one-way TLS."
+ )
+
+ if not ssl_cacert:
+ log.info("SSL_CACERT is not set. Using system CA certificates
for server verification.")
+
+ if not ssl_mutual_tls and (ssl_key or ssl_cert):
+ log.warning(
+ "SSL_MUTUAL_TLS is False but SSL_KEY/SSL_CERT are
configured. "
+ "Client certificates will not be used. "
+ "Set SSL_MUTUAL_TLS=True if you intend to use mutual TLS."
+ )
+
if broker_url and re.search(r"amqps?://", broker_url):
- broker_use_ssl = {
- "keyfile": team_conf.get("celery", "SSL_KEY"),
- "certfile": team_conf.get("celery", "SSL_CERT"),
- "ca_certs": team_conf.get("celery", "SSL_CACERT"),
- "cert_reqs": ssl.CERT_REQUIRED,
- }
+ broker_use_ssl = {"cert_reqs": ssl.CERT_REQUIRED}
+ if ssl_cacert:
+ broker_use_ssl["ca_certs"] = ssl_cacert
+ if ssl_mutual_tls:
+ broker_use_ssl["keyfile"] = ssl_key
+ broker_use_ssl["certfile"] = ssl_cert
elif broker_url and re.search("rediss?://|sentinel://",
broker_url):
- broker_use_ssl = {
- "ssl_keyfile": team_conf.get("celery", "SSL_KEY"),
- "ssl_certfile": team_conf.get("celery", "SSL_CERT"),
- "ssl_ca_certs": team_conf.get("celery", "SSL_CACERT"),
- "ssl_cert_reqs": ssl.CERT_REQUIRED,
- }
+ broker_use_ssl = {"ssl_cert_reqs": ssl.CERT_REQUIRED}
+ if ssl_cacert:
+ broker_use_ssl["ssl_ca_certs"] = ssl_cacert
+ if ssl_mutual_tls:
+ broker_use_ssl["ssl_keyfile"] = ssl_key
+ broker_use_ssl["ssl_certfile"] = ssl_cert
else:
- raise AirflowException(
+ raise ValueError(
"The broker you configured does not support SSL_ACTIVE to
be True. "
"Please use RabbitMQ or Redis if you would like to use SSL
for broker."
)
config["broker_use_ssl"] = broker_use_ssl
- except AirflowConfigException:
- raise AirflowException(
- "AirflowConfigException: SSL_ACTIVE is True, please ensure
SSL_KEY, SSL_CERT and SSL_CACERT are set"
- )
+ except ValueError:
+ raise
except Exception as e:
raise AirflowException(
Review Comment:
Nit for a follow-up PR: AirflowException is to be replaced with a dedicated
exception. But this PR is okay also w/o adjusting this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
