This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new f7919002cc Establishing init container + sidecar model for airflow 
kerberos (#35548)
f7919002cc is described below

commit f7919002cc3e552ab1bf106c28333f60e5706115
Author: Amogh Desai <amoghrajesh1...@gmail.com>
AuthorDate: Fri Nov 10 00:03:37 2023 +0530

    Establishing init container + sidecar model for airflow kerberos (#35548)
---
 chart/templates/workers/worker-deployment.yaml | 39 ++++++++++++
 chart/values.schema.json                       | 83 ++++++++++++++++++++++++++
 chart/values.yaml                              | 12 ++++
 helm_tests/airflow_core/test_worker.py         | 29 +++++++++
 4 files changed, 163 insertions(+)

diff --git a/chart/templates/workers/worker-deployment.yaml 
b/chart/templates/workers/worker-deployment.yaml
index 6074302195..b4dcb4cb96 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -150,6 +150,45 @@ spec:
             - name: logs
               mountPath: {{ template "airflow_logs" . }}
         {{- end }}
+        {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion) 
.Values.workers.kerberosInitContainer.enabled }}
+        - name: kerberos-init
+          image: {{ template "airflow_image" . }}
+          imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          args: ["kerberos", "-o"]
+          resources: {{- toYaml 
.Values.workers.kerberosInitContainer.resources | nindent 12 }}
+          volumeMounts:
+            - name: logs
+              mountPath: {{ template "airflow_logs" . }}
+            {{- include "airflow_config_mount" . | nindent 12 }}
+            - name: config
+              mountPath: {{ .Values.kerberos.configPath | quote }}
+              subPath: krb5.conf
+              readOnly: true
+            - name: kerberos-keytab
+              subPath: "kerberos.keytab"
+              mountPath: {{ .Values.kerberos.keytabPath | quote }}
+              readOnly: true
+            - name: kerberos-ccache
+              mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
+              readOnly: false
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.workers.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 
12 }}
+            {{- end }}
+            {{- if or .Values.webserver.webserverConfig 
.Values.webserver.webserverConfigConfigMapName }}
+              {{- include "airflow_webserver_config_mount" . | nindent 12 }}
+            {{- end }}
+          envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
+          env:
+            - name: KRB5_CONFIG
+              value:  {{ .Values.kerberos.configPath | quote }}
+            - name: KRB5CCNAME
+              value:  {{ include "kerberos_ccache_path" . | quote }}
+            {{- include "custom_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" . | indent 10 }}
+        {{- end }}
         {{- if .Values.workers.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
           resources: {{- toYaml .Values.workers.resources | nindent 12 }}
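Review bot: The new `kerberos-init` container is rendered without a `securityContext:` key, although it mounts the keytab and writes the credential cache, and although the `values.schema.json` hunk in this commit documents `workers.kerberosInitContainer.securityContexts.container` as falling back to the global `securityContexts`. As written, a value set there passes schema validation and is silently ignored, so the container presumably runs with only the pod-level settings. I would either render `securityContext:` from that value here, or drop `securityContexts` and `containerLifecycleHooks` from the schema until they are wired up; Kubernetes generally rejects lifecycle hooks on ordinary init containers. The condition also checks only `workers.kerberosInitContainer.enabled`, so it is worth confirming that the `kerberos-keytab` and `kerberos-ccache` volumes, which are defined outside this hunk, exist when `kerberos.enabled` is false.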
diff --git a/chart/values.schema.json b/chart/values.schema.json
index b111bbdc15..e031376b81 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1705,6 +1705,89 @@
                         }
                     }
                 },
+                "kerberosInitContainer": {
+                    "description": "Kerberos init container for Airflow 
workers.",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "enabled": {
+                            "description": "Enable Kerberos init container for 
the worker.",
+                            "type": "boolean",
+                            "default": false
+                        },
+                        "resources": {
+                            "description": "Resources on workers kerberos init 
container",
+                            "type": "object",
+                            "default": {},
+                            "examples": [
+                                {
+                                    "limits": {
+                                        "cpu": "100m",
+                                        "memory": "128Mi"
+                                    },
+                                    "requests": {
+                                        "cpu": "100m",
+                                        "memory": "128Mi"
+                                    }
+                                }
+                            ],
+                            "$ref": 
"#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+                        },
+                        "containerLifecycleHooks": {
+                            "description": "Container Lifecycle Hooks 
definition for the kerberos init container. If not set, the values from global 
`containerLifecycleHooks` will be used.",
+                            "type": "object",
+                            "$ref": 
"#/definitions/io.k8s.api.core.v1.Lifecycle",
+                            "default": {},
+                            "x-docsSection": "Kubernetes",
+                            "examples": [
+                                {
+                                    "postStart": {
+                                        "exec": {
+                                            "command": [
+                                                "/bin/sh",
+                                                "-c",
+                                                "echo postStart handler > 
/usr/share/message"
+                                            ]
+                                        }
+                                    },
+                                    "preStop": {
+                                        "exec": {
+                                            "command": [
+                                                "/bin/sh",
+                                                "-c",
+                                                "echo preStop handler > 
/usr/share/message"
+                                            ]
+                                        }
+                                    }
+                                }
+                            ]
+                        },
+                        "securityContexts": {
+                            "description": "Security context definition for 
the kerberos init container. If not set, the values from global 
`securityContexts` will be used.",
+                            "type": "object",
+                            "x-docsSection": "Kubernetes",
+                            "properties": {
+                                "container": {
+                                    "description": "Container security context 
definition for the kerberos init container.",
+                                    "type": "object",
+                                    "$ref": 
"#/definitions/io.k8s.api.core.v1.SecurityContext",
+                                    "default": {},
+                                    "x-docsSection": "Kubernetes",
+                                    "examples": [
+                                        {
+                                            "allowPrivilegeEscalation": false,
+                                            "capabilities": {
+                                                "drop": [
+                                                    "ALL"
+                                                ]
+                                            }
+                                        }
+                                    ]
+                                }
+                            }
+                        }
+                    }
+                },
                 "resources": {
                     "description": "Resources on workers",
                     "type": "object",
diff --git a/chart/values.yaml b/chart/values.yaml
index 6b78296aff..07bdb54757 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -627,6 +627,18 @@ workers:
     # container level lifecycle hooks
     containerLifecycleHooks: {}
 
+  kerberosInitContainer:
+    # Enable kerberos init container
+    enabled: false
+    resources: {}
+    #  limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    #  requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+
   resources: {}
   #  limits:
   #   cpu: 100m
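Review bot: The comment on `enabled` does not say that the flag only takes effect when `airflowVersion` is 2.8.0 or later, which is what the `semverCompare` guard in the worker-deployment hunk enforces. A user on an older version who sets it gets no init container and no error. I would change the comment to `# Enable kerberos init container (requires Airflow >= 2.8.0; ignored on older versions)`. The block also ends with two blank lines where the neighbouring entries are separated by one.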
diff --git a/helm_tests/airflow_core/test_worker.py 
b/helm_tests/airflow_core/test_worker.py
index 87ba0e30e8..c9dfdb0f53 100644
--- a/helm_tests/airflow_core/test_worker.py
+++ b/helm_tests/airflow_core/test_worker.py
@@ -563,6 +563,35 @@ class TestWorker:
             "readOnly": True,
         } in jmespath.search("spec.template.spec.containers[2].volumeMounts", 
docs[0])
 
+    @pytest.mark.parametrize(
+        "airflow_version, expected_init_containers",
+        [
+            ("1.9.0", 2),
+            ("1.10.14", 2),
+            ("2.0.2", 2),
+            ("2.1.0", 2),
+            ("2.8.0", 3),
+        ],
+    )
+    def test_airflow_kerberos_init_container(self, airflow_version, 
expected_init_containers):
+        docs = render_chart(
+            values={
+                "airflowVersion": airflow_version,
+                "workers": {
+                    "kerberosInitContainer": {"enabled": True},
+                    "persistence": {"fixPermissions": True},
+                },
+            },
+            show_only=["templates/workers/worker-deployment.yaml"],
+        )
+
+        initContainers = jmespath.search("spec.template.spec.initContainers", 
docs[0])
+        assert len(initContainers) == expected_init_containers
+
+        if expected_init_containers == 3:
+            assert initContainers[1]["name"] == "kerberos-init"
+            assert initContainers[1]["args"] == ["kerberos", "-o"]
+
     @pytest.mark.parametrize(
         "airflow_version, expected_arg",
         [
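Review bot: The new test asserts only the init-container count, name and args, so a regression that dropped `readOnly: True` from the `kerberos-keytab` mount or removed the `kerberos-ccache` mount would still pass. I would add an assertion on `initContainers[1]["volumeMounts"]` for the keytab entry, and a case with `"kerberosInitContainer": {"enabled": False}` on 2.8.0 to pin that the container is absent by default. The local `initContainers` would read better as `init_containers`, matching the snake_case of the test's parameters. `TestWorker` and the parametrized test that follows continue outside this hunk.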
