Allow specifying kerberos keytab in the chart (#19054)
Aakcht authored Nov 5, 2021
1 parent c96789b commit 4b0aeb9
Showing 5 changed files with 84 additions and 1 deletion.
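--- a/chart/templates/secrets/kerberos-keytab.yaml
+++ b/chart/templates/secrets/kerberos-keytab.yaml
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{ if .Values.kerberos.keytabBase64Content }}
+apiVersion: v1
+metadata:
+name: {{ include "kerberos_keytab_secret" . | quote }}
+labels:
+tier: airflow
+component: webserver
+release: {{ .Release.Name }}
+chart: {{ .Chart.Name }}
+heritage: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+kerberos.keytab: {{ .Values.kerberos.keytabBase64Content }}
+kind: Secret
+type: Opaque
+{{ end }}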
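Review bot: The keytab value on the `kerberos.keytab:` line is interpolated unquoted, so anything other than a single clean base64 token (line-wrapped encoder output, a pasted value containing `#` or `: `) breaks or alters the rendered Secret YAML instead of being carried as one string. The `name:` line in the same template already pipes through `quote`; doing the same here, `kerberos.keytab: {{ .Values.kerberos.keytabBase64Content | quote }}`, keeps the value a single scalar and leaves base64 validation to the API server. The `component: webserver` label also looks copied from another secret template, since the only consumer touched in this commit is the worker deployment; worth confirming it is intended.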
1 change: 1 addition & 0 deletions chart/templates/workers/worker-deployment.yaml
@@ -68,6 +68,7 @@ spec:
checksum/result-backend-secret: {{ include (print $.Template.BasePath "/secrets/result-backend-connection-secret.yaml") . | sha256sum }}
checksum/pgbouncer-config-secret: {{ include (print $.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
checksum/webserver-secret-key: {{ include (print $.Template.BasePath "/secrets/webserver-secret-key-secret.yaml") . | sha256sum }}
checksum/kerberos-keytab: {{ include (print $.Template.BasePath "/secrets/kerberos-keytab.yaml") . | sha256sum }}
checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
checksum/extra-configmaps: {{ include (print $.Template.BasePath "/configmaps/extra-configmaps.yaml") . | sha256sum }}
checksum/extra-secrets: {{ include (print $.Template.BasePath "/secrets/extra-secrets.yaml") . | sha256sum }}
35 changes: 34 additions & 1 deletion chart/tests/test_kerberos.py
@@ -31,7 +31,7 @@ def test_kerberos_not_mentioned_in_render_if_disabled(self):
obj for obj in k8s_objects if obj["metadata"]["name"] != "NO-KERBEROS-airflow-config"
]
k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider)
assert "kerberos" not in k8s_objects_to_consider_str
assert k8s_objects_to_consider_str.count("kerberos") == 1

def test_kerberos_envs_available_in_worker_with_persistence(self):
docs = render_chart(
@@ -95,3 +95,36 @@ def test_keberos_sidecar_resources_are_not_added_by_default(self):
show_only=["templates/workers/worker-deployment.yaml"],
)
assert jmespath.search("spec.template.spec.containers[0].resources", docs[0]) == {}

def test_kerberos_keytab_secret_available(self):
docs = render_chart(
values={
"executor": "CeleryExecutor",
"kerberos": {
"enabled": True,
"keytabBase64Content": "dGVzdGtleXRhYg==",
"configPath": "/etc/krb5.conf",
"ccacheMountPath": "/var/kerberos-ccache",
"ccacheFileName": "ccache",
},
},
show_only=["templates/secrets/kerberos-keytab.yaml"],
)

assert jmespath.search('data."kerberos.keytab"', docs[0]) == "dGVzdGtleXRhYg=="

def test_kerberos_keytab_secret_unavailable_when_not_specified(self):
docs = render_chart(
values={
"executor": "CeleryExecutor",
"kerberos": {
"enabled": True,
"configPath": "/etc/krb5.conf",
"ccacheMountPath": "/var/kerberos-ccache",
"ccacheFileName": "ccache",
},
},
show_only=["templates/secrets/kerberos-keytab.yaml"],
)

assert 0 == len(docs)
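Review bot: In test_kerberos_not_mentioned_in_render_if_disabled (whose body starts above the hunk), `assert k8s_objects_to_consider_str.count("kerberos") == 1` accepts any single occurrence of the word, so it no longer pins what may appear in a render with Kerberos disabled. Presumably the one hit is the new `checksum/kerberos-keytab` annotation on the worker pod template; if so, the test would still pass when that annotation is dropped and a different Kerberos setting leaks into the output. Naming the exception keeps the negative check strict: `assert "kerberos" not in k8s_objects_to_consider_str.replace("checksum/kerberos-keytab", "")`. test_kerberos_keytab_secret_available could additionally assert `kind` and `metadata.name`, since only the `data` key is checked.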
8 changes: 8 additions & 0 deletions chart/values.schema.json
@@ -862,6 +862,14 @@
"type": "string",
"default": "/etc/krb5.conf"
},
"keytabBase64Content": {
"description": "Kerberos keytab base64 encoded content.",
"type": [
"string",
"null"
],
"default": null
},
"keytabPath": {
"description": "Path to mount the keytab for refreshing credentials in the kerberos sidecar.",
"type": "string",
6 changes: 6 additions & 0 deletions chart/values.yaml
@@ -327,11 +327,17 @@ webserverSecretKeySecretName: ~
#
# kubectl create secret generic {{ .Release.name }}-kerberos-keytab --from-file=kerberos.keytab
#
#
# Alternatively, instead of manually creating the secret, it is possible to specify
# kerberos.keytabBase64Content parameter. This parameter should contain base64 encoded keytab.
#

kerberos:
enabled: false
ccacheMountPath: /var/kerberos-ccache
ccacheFileName: cache
configPath: /etc/krb5.conf
keytabBase64Content: ~
keytabPath: /etc/airflow.keytab
principal: [email protected]
reinitFrequency: 3600
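Review bot: The comment added above `kerberos:` presents `keytabBase64Content` as a drop-in alternative to the manual `kubectl create secret` step without saying that the keytab then travels as a chart value. Helm stores user-supplied values with the release record, and values files are often kept in version control, so the credential ends up in more places than the one Secret the chart renders. I would extend the comment with a line such as `# Note: the keytab then becomes part of the release values; keep it out of version-controlled values files and restrict who can read release data in this namespace.`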
