Establishing init container + sidecar model for airflow kerberos (apa…
amoghrajesh authored Nov 9, 2023
1 parent addbd58 commit f791900
Showing 4 changed files with 163 additions and 0 deletions.
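--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -150,6 +150,45 @@ spec:
 - name: logs
 mountPath: {{ template "airflow_logs" . }}
 {{- end }}
+{{- if and (semverCompare ">=2.8.0" .Values.airflowVersion) .Values.workers.kerberosInitContainer.enabled }}
+- name: kerberos-init
+image: {{ template "airflow_image" . }}
+imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+args: ["kerberos", "-o"]
+resources: {{- toYaml .Values.workers.kerberosInitContainer.resources | nindent 12 }}
+volumeMounts:
+- name: logs
+mountPath: {{ template "airflow_logs" . }}
+{{- include "airflow_config_mount" . | nindent 12 }}
+- name: config
+mountPath: {{ .Values.kerberos.configPath | quote }}
+subPath: krb5.conf
+readOnly: true
+- name: kerberos-keytab
+subPath: "kerberos.keytab"
+mountPath: {{ .Values.kerberos.keytabPath | quote }}
+readOnly: true
+- name: kerberos-ccache
+mountPath: {{ .Values.kerberos.ccacheMountPath | quote }}
+readOnly: false
+{{- if .Values.volumeMounts }}
+{{- toYaml .Values.volumeMounts | nindent 12 }}
+{{- end }}
+{{- if .Values.workers.extraVolumeMounts }}
+{{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 12 }}
+{{- end }}
+{{- if or .Values.webserver.webserverConfig .Values.webserver.webserverConfigConfigMapName }}
+{{- include "airflow_webserver_config_mount" . | nindent 12 }}
+{{- end }}
+envFrom: {{- include "custom_airflow_environment_from" . | default "\n []" | indent 10 }}
+env:
+- name: KRB5_CONFIG
+value: {{ .Values.kerberos.configPath | quote }}
+- name: KRB5CCNAME
+value: {{ include "kerberos_ccache_path" . | quote }}
+{{- include "custom_airflow_environment" . | indent 10 }}
+{{- include "standard_airflow_environment" . | indent 10 }}
+{{- end }}
 {{- if .Values.workers.waitForMigrations.enabled }}
 - name: wait-for-airflow-migrations
 resources: {{- toYaml .Values.workers.resources | nindent 12 }}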
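Review bot: The new `kerberos-init` container mounts `kerberos-keytab` but sets no `securityContext`, so the `workers.kerberosInitContainer.securityContexts.container` value this commit adds to values.schema.json is accepted and then ignored. I would render a `securityContext:` key on the container from that value, in the same way `resources:` is filled with `toYaml ... | nindent 12`, with the fallback to the global `securityContexts` that the schema description promises. The `kerberos-keytab` and `kerberos-ccache` volumes are declared outside this hunk. If they are gated on a different flag than `workers.kerberosInitContainer.enabled`, enabling only this flag would reference volumes that do not exist, so the condition on the `{{- if and ... }}` line should probably match theirs.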
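--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1705,6 +1705,89 @@
 }
 }
 },
+"kerberosInitContainer": {
+"description": "Kerberos init container for Airflow workers.",
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"enabled": {
+"description": "Enable Kerberos init container for the worker.",
+"type": "boolean",
+"default": false
+},
+"resources": {
+"description": "Resources on workers kerberos init container",
+"type": "object",
+"default": {},
+"examples": [
+{
+"limits": {
+"cpu": "100m",
+"memory": "128Mi"
+},
+"requests": {
+"cpu": "100m",
+"memory": "128Mi"
+}
+}
+],
+"$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+},
+"containerLifecycleHooks": {
+"description": "Container Lifecycle Hooks definition for the kerberos init container. If not set, the values from global `containerLifecycleHooks` will be used.",
+"type": "object",
+"$ref": "#/definitions/io.k8s.api.core.v1.Lifecycle",
+"default": {},
+"x-docsSection": "Kubernetes",
+"examples": [
+{
+"postStart": {
+"exec": {
+"command": [
+"/bin/sh",
+"-c",
+"echo postStart handler > /usr/share/message"
+]
+}
+},
+"preStop": {
+"exec": {
+"command": [
+"/bin/sh",
+"-c",
+"echo preStop handler > /usr/share/message"
+]
+}
+}
+}
+]
+},
+"securityContexts": {
+"description": "Security context definition for the kerberos init container. If not set, the values from global `securityContexts` will be used.",
+"type": "object",
+"x-docsSection": "Kubernetes",
+"properties": {
+"container": {
+"description": "Container security context definition for the kerberos init container.",
+"type": "object",
+"$ref": "#/definitions/io.k8s.api.core.v1.SecurityContext",
+"default": {},
+"x-docsSection": "Kubernetes",
+"examples": [
+{
+"allowPrivilegeEscalation": false,
+"capabilities": {
+"drop": [
+"ALL"
+]
+}
+}
+]
+}
+}
+}
+}
+},
 "resources": {
 "description": "Resources on workers",
 "type": "object",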
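Review bot: `containerLifecycleHooks` is offered for the kerberos init container, but Kubernetes does not honour `lifecycle` on regular init containers and the worker template in this commit never reads the value, so the property describes a setting that cannot take effect. I would drop it from `kerberosInitContainer`. The nested `securityContexts` object also omits `"additionalProperties": false`, unlike its parent `kerberosInitContainer`, so a misspelt key such as `containers` would validate and leave the keytab-mounting container on defaults with no warning. Adding `"additionalProperties": false` next to its `"type": "object"` closes that gap.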
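--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -627,6 +627,18 @@ workers:
 # container level lifecycle hooks
 containerLifecycleHooks: {}
 
+kerberosInitContainer:
+# Enable kerberos init container
+enabled: false
+resources: {}
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
+
+
 resources: {}
 # limits:
 # cpu: 100m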
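Review bot: The comment on `enabled` does not say that the worker template renders this container only when `airflowVersion` is 2.8.0 or newer, so on an older version `enabled: true` silently produces no init container. I would document the gate where operators set the flag, for example `# Enable kerberos init container (rendered only when airflowVersion >= 2.8.0)`. It would also help to add a short comment that the container runs `airflow kerberos -o` once and relies on the `kerberos.*` path settings and the keytab being configured.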
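--- a/helm_tests/airflow_core/test_worker.py
+++ b/helm_tests/airflow_core/test_worker.py
@@ -563,6 +563,35 @@ def test_airflow_local_settings_kerberos_sidecar(self):
 "readOnly": True,
 } in jmespath.search("spec.template.spec.containers[2].volumeMounts", docs[0])
 
+@pytest.mark.parametrize(
+"airflow_version, expected_init_containers",
+[
+("1.9.0", 2),
+("1.10.14", 2),
+("2.0.2", 2),
+("2.1.0", 2),
+("2.8.0", 3),
+],
+)
+def test_airflow_kerberos_init_container(self, airflow_version, expected_init_containers):
+docs = render_chart(
+values={
+"airflowVersion": airflow_version,
+"workers": {
+"kerberosInitContainer": {"enabled": True},
+"persistence": {"fixPermissions": True},
+},
+},
+show_only=["templates/workers/worker-deployment.yaml"],
+)
+
+initContainers = jmespath.search("spec.template.spec.initContainers", docs[0])
+assert len(initContainers) == expected_init_containers
+
+if expected_init_containers == 3:
+assert initContainers[1]["name"] == "kerberos-init"
+assert initContainers[1]["args"] == ["kerberos", "-o"]
+
 @pytest.mark.parametrize(
 "airflow_version, expected_arg",
 [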
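Review bot: `test_airflow_kerberos_init_container` checks only the container count, name and args, so it would still pass if the keytab mount lost `readOnly` or if the pod referenced volumes that are never declared. I would add an assertion on the mounts, for example `assert any(m["name"] == "kerberos-keytab" and m["readOnly"] for m in initContainers[1]["volumeMounts"])`, and check that `spec.template.spec.volumes` contains `kerberos-keytab` and `kerberos-ccache`. There is also no case with `enabled: False` on 2.8.0, which is the only way to show the flag itself gates the container rather than the version. As a style point, `initContainers` would read better as `init_containers` to match the snake_case parameters around it.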
