sidshas03 opened a new pull request, #63276:
URL: https://github.com/apache/airflow/pull/63276

   Fixes #63253
   
   Hi team, this PR is to handle token rotation properly when `dags.gitSync.credentialsSecret` is used.
   
   ### Problem
   Right now the password/token is passed as an env var (`GIT_SYNC_PASSWORD` / `GITSYNC_PASSWORD`).
   When the secret is rotated (for example an ESO GitHub App token), the running git-sync container does not pick up the new value until restart.
   
   ### What I changed
   - Added a secret volume mount for git-sync credentials (`git-sync-credentials`) in:
     - scheduler
     - worker
     - triggerer
     - dag-processor
   - Switched password config to file-based envs:
     - `GIT_SYNC_PASSWORD_FILE=/etc/git-secret/credentials/GIT_SYNC_PASSWORD`
     - `GITSYNC_PASSWORD_FILE=/etc/git-secret/credentials/GITSYNC_PASSWORD`
   - Kept username keys from the secret as before (`GIT_SYNC_USERNAME` / `GITSYNC_USERNAME`).
   - Updated chart values comments + schema description.
   - Added/updated helm tests for scheduler/worker/triggerer/dag-processor.
   
   ### Why this fix
   git-sync can re-read the password from the file path on each sync loop, so a rotated token is picked up without forcing a pod restart.
   
   ### Testing
   Ran Helm unit tests for the updated git-sync paths and related suites (`HELM_TEST_KUBERNETES_VERSION=1.32.8`); the selected tests are passing.
   
   1. Ran focused Helm unit tests for the new credential-file behavior:
      - `test_git_sync_scheduler.py::test_should_set_username_and_password_file_env_variables`
      - `test_git_sync_worker.py::test_should_set_password_file_env_variables_when_credentials_secret_is_configured`
      - `test_git_sync_triggerer.py::test_should_set_password_file_env_variables_when_credentials_secret_is_configured`
      - `test_dag_processor.py::test_should_set_password_file_env_variables_when_credentials_secret_is_configured`
      Result: **4 passed**
   
   2. Ran broader git-sync regression subset:
      - Full files:
        - `helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py`
        - `helm-tests/tests/helm_tests/other/test_git_sync_worker.py`
        - `helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py`
      - Plus dag-processor git-sync checks:
        - `test_validate_if_ssh_params_are_added_with_git_ssh_key`
         - `test_should_set_password_file_env_variables_when_credentials_secret_is_configured`
      Result: **42 passed**
   
   3. Sanity checks:
      - `jq empty chart/values.schema.json` (schema JSON valid)
      - Python compile check for modified tests (`compileall`) passed
   
   Environment note: tests were run with `HELM_TEST_KUBERNETES_VERSION=1.32.8`.
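The difference the PR describes, shown as an added example that is not part of this PR or of the Airflow chart: a trimmed pod spec with the env-var approach (password resolved once at container start) next to the file-based approach (Secret mounted as a volume, git-sync pointed at the file). The Secret name `my-git-credentials` and the image tag are constructed placeholders; the volume name, mount path and env var names follow the PR description.

```yaml
# Added example, not the chart's own template. Secret name and image tag are
# placeholders; mount path and variable names are those the PR describes.

# BEFORE: password injected as an env var from the Secret. The kubelet resolves
# secretKeyRef once when the container starts, so a rotated Secret value is not
# visible to git-sync until the pod is restarted.
apiVersion: v1
kind: Pod
metadata:
  name: git-sync-env-example
spec:
  containers:
    - name: git-sync
      image: registry.k8s.io/git-sync/git-sync:VERSION   # placeholder tag
      env:
        - name: GITSYNC_USERNAME
          valueFrom:
            secretKeyRef:
              name: my-git-credentials            # placeholder Secret name
              key: GITSYNC_USERNAME
        - name: GITSYNC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-git-credentials
              key: GITSYNC_PASSWORD
---
# AFTER: the Secret is mounted as a volume and git-sync reads the password from
# a file. The kubelet updates Secret volume contents in place after a rotation
# (not for subPath mounts), and git-sync re-reads the file on each sync loop,
# so the new token is picked up without a restart.
apiVersion: v1
kind: Pod
metadata:
  name: git-sync-file-example
spec:
  volumes:
    - name: git-sync-credentials
      secret:
        secretName: my-git-credentials            # placeholder Secret name
  containers:
    - name: git-sync
      image: registry.k8s.io/git-sync/git-sync:VERSION   # placeholder tag
      env:
        # Username is still taken from the Secret as an env var, as in the PR.
        - name: GITSYNC_USERNAME
          valueFrom:
            secretKeyRef:
              name: my-git-credentials
              key: GITSYNC_USERNAME
        # git-sync v4 variable name ...
        - name: GITSYNC_PASSWORD_FILE
          value: /etc/git-secret/credentials/GITSYNC_PASSWORD
        # ... and the legacy v3 name; the PR sets both.
        - name: GIT_SYNC_PASSWORD_FILE
          value: /etc/git-secret/credentials/GIT_SYNC_PASSWORD
      volumeMounts:
        - name: git-sync-credentials
          mountPath: /etc/git-secret/credentials
          readOnly: true
```

Two caveats when relying on this: the kubelet propagates a changed Secret into a volume on its sync period plus cache propagation delay (typically up to a minute or two), not instantly, and a `subPath` mount of the Secret would never receive the update, so the whole directory must be mounted as above. After rotating the Secret you can confirm propagation by exec'ing into the git-sync container and checking that the file under `/etc/git-secret/credentials/` has changed.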


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
