Miretpl commented on code in PR #67012:
URL: https://github.com/apache/airflow/pull/67012#discussion_r3405016832


##########
dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:
##########
@@ -714,13 +716,40 @@ def _upload_k8s_image(python: str, kubernetes_version: 
str, output: Output | Non
 # CI runs from Docker Hub anonymous-pull rate limits, which intermittently
 # turn the scheduled K8s test job red. Auto-bumped by
 # scripts/ci/prek/upgrade_important_versions.py.
+#
+# Scope: ONLY images referenced by the regular K8S system tests under
+# kubernetes-tests/tests/kubernetes_tests/ (the suite `breeze k8s tests`
+# runs against the deployed chart). Images that appear in a kustomize
+# overlay under chart/kustomize-overlays/<name>/ must NOT be added here:
+# `breeze k8s smoke-test-overlay` auto-discovers them from the rendered
+# manifest via _discover_overlay_images() and preloads them with the same
+# pull-and-kind-load pattern. If a per-overlay pytest module needs to spawn
+# an ad-hoc client pod, prefer reusing an image already declared by the
+# overlay (inherits the auto-preload by default); add to this list only
+# if the image is also useful to the non-overlay K8S tests.
 K8S_TEST_IMAGES_TO_PRELOAD: tuple[str, ...] = (
     "alpine:3.23.4",  # xcom_sidecar default in providers/cncf/kubernetes
     "bitnamilegacy/postgresql:16.1.0-debian-11-r15",  # chart/values.yaml 
postgresql subchart
     "busybox:1.38.0",  # busybox-based system tests in kubernetes-tests/
     "ubuntu:24.04",  # ubuntu-based system tests in kubernetes-tests/
 )
 
+# Allow-list of third-party container images that kustomize overlays under
+# chart/kustomize-overlays/ may declare. `breeze k8s smoke-test-overlay`
+# auto-discovers every `image:` in the rendered manifest and `docker pull`s it
+# into kind; this list bounds *what* it may pull so an overlay cannot make CI
+# pull and run an arbitrary, unreviewed image. It is a deliberately-reviewed
+# gate: introducing an overlay image means editing both the overlay manifest
+# (owned by `/chart/` in .github/CODEOWNERS) and this list (owned by `/dev/`),
+# so a maintainer must approve before CI will pull it. Keep entries pinned to
+# the exact `image:` string the overlay declares.
+ALLOWED_OVERLAY_IMAGES: frozenset[str] = frozenset(
+    {
+        "gcavalcante8808/krb5-server:latest",  # kerberos overlay KDC + client 
test pod
+        "alpine/k8s:1.31.0",  # kerberos overlay keytab-bootstrap job
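Review bot: In `ALLOWED_OVERLAY_IMAGES`, the entry `gcavalcante8808/krb5-server:latest` allow-lists a mutable tag, so the content CI pulls and runs can change without any edit to this list or to the overlay manifest, and the two-owner review gate described in the comment above never fires. Consider pinning the entries by digest (`name@sha256:<digest>`) in both the overlay and this list, or at minimum replacing `:latest` with a fixed version tag. The comment's "Keep entries pinned to the exact `image:` string" could also state that the string must be an immutable reference, since an exact string match on `:latest` does not bound what is pulled.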

Review Comment:
   Maybe we could make it dependent on `ALLOWED_KUBERNETES_VERSIONS` from 
`airflow_breeze.global_constants` to not have to manually update the k8s image 
every time (and possibly forget about it)?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.