bugraoz93 commented on PR #67012: URL: https://github.com/apache/airflow/pull/67012#issuecomment-4548744445
> I think that the content of this PR is not sufficient to have a nice overview of the replacement of Kerberos by Kustomize. The current implementation adds a lot of code within the overlay itself, basically just to remove the `kerberos-keytab-secret.yaml` file logic (creation of kerberos keytab as a k8s secret), which I would say is the simplest thing within the whole kerberos feature logic. It doesn't try to: > > 1. Refresh credentials in the cache file, which are refreshed with the keytab file usage > 2. Properly configure the Airflow configuration within the existing components in the cluster > 3. Share/propagate the credential cache within the components > > When I proposed moving Kerberos to Kustomize, I had in mind a full movement of it with sidecars, Airflow configuration, etc., and I think that it would be worth doing it here, as it would show how similar things will look, which are not as simple as, e.g. KEDA, in Kustomize. > > The second thing which I noticed is that the flow presented in the current version requires: > > 1. running overlay first > 2. running helm chart second > > Overlay creates a Kerberos secret, which must exist during helm command execution if Kerberos sidecars are enabled. I think the typical flow is `helm -> overlay`, not the other way around or mixed (I don't have much experience with Kustomize, so if that is not true, I think that we should make it clear within the overlays when exactly they should be executed). Many thanks for the review! Sure, if the main concern is to change how we move Keda to kustomize and the test part looks good, glad to hear :) The order is exactly like that in the test. First helm applies, then kustomize applies. Maybe we should better document how the order will be. I will check out that too while doing the proposed Keda changes. I am working on RC for airflowctl and will come back to this in a day or two :) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
