From 4b0aeb926c055fc36740363d6e438ab7c2165d71 Mon Sep 17 00:00:00 2001
From: Aakcht
Date: Fri, 5 Nov 2021 20:03:47 +0300
Subject: [PATCH] Allow specifying kerberos keytab in the chart (#19054)

---
 chart/templates/secrets/kerberos-keytab.yaml | 35 +++++++++++++++++++
 .../templates/workers/worker-deployment.yaml | 1 +
 chart/tests/test_kerberos.py | 35 ++++++++++++++++++-
 chart/values.schema.json | 8 +++++
 chart/values.yaml | 6 ++++
 5 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 chart/templates/secrets/kerberos-keytab.yaml

diff --git a/chart/templates/secrets/kerberos-keytab.yaml b/chart/templates/secrets/kerberos-keytab.yaml
new file mode 100644
index 0000000000000..e41a9e259e989
--- /dev/null
+++ b/chart/templates/secrets/kerberos-keytab.yaml
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{ if .Values.kerberos.keytabBase64Content }}
+apiVersion: v1
+metadata:
+  name: {{ include "kerberos_keytab_secret" . | quote }}
+  labels:
+    tier: airflow
+    component: webserver
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}
+    heritage: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+  kerberos.keytab: {{ .Values.kerberos.keytabBase64Content }}
+kind: Secret
+type: Opaque
+{{ end }}
diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml
index de6b4c64622a3..666ba067bdf58 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
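Review bot: The template renders the keytab Secret on `keytabBase64Content` alone, so a value left in a values file keeps a live credential in the cluster even after `kerberos.enabled` is switched off; unless that is intended, guard it with `{{ if and .Values.kerberos.enabled .Values.kerberos.keytabBase64Content }}`. The `component: webserver` label also looks copied from another secret template — the only consumer visible in this patch is the worker deployment, so a neutral label or `component: worker` would be less misleading for label selectors and audits. The value goes into `data` with no check that it is valid base64, so a raw keytab passed by mistake only fails when the API server rejects the object; the schema in values.schema.json is the cheapest place to catch that early.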
@@ -68,6 +68,7 @@ spec:
         checksum/result-backend-secret: {{ include (print $.Template.BasePath "/secrets/result-backend-connection-secret.yaml") . | sha256sum }}
         checksum/pgbouncer-config-secret: {{ include (print $.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
         checksum/webserver-secret-key: {{ include (print $.Template.BasePath "/secrets/webserver-secret-key-secret.yaml") . | sha256sum }}
+        checksum/kerberos-keytab: {{ include (print $.Template.BasePath "/secrets/kerberos-keytab.yaml") . | sha256sum }}
         checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
         checksum/extra-configmaps: {{ include (print $.Template.BasePath "/configmaps/extra-configmaps.yaml") . | sha256sum }}
         checksum/extra-secrets: {{ include (print $.Template.BasePath "/secrets/extra-secrets.yaml") . | sha256sum }}
diff --git a/chart/tests/test_kerberos.py b/chart/tests/test_kerberos.py
index fbf8e709b6a2c..b3ffb7ddd974b 100644
--- a/chart/tests/test_kerberos.py
+++ b/chart/tests/test_kerberos.py
@@ -31,7 +31,7 @@ def test_kerberos_not_mentioned_in_render_if_disabled(self):
             obj for obj in k8s_objects if obj["metadata"]["name"] != "NO-KERBEROS-airflow-config"
         ]
         k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider)
-        assert "kerberos" not in k8s_objects_to_consider_str
+        assert k8s_objects_to_consider_str.count("kerberos") == 1

     def test_kerberos_envs_available_in_worker_with_persistence(self):
         docs = render_chart(
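Review bot: Only the worker deployment gets `checksum/kerberos-keytab`, so if any other pod mounts the same keytab secret (the sidecar refresh implied by `kerberos.keytabPath` suggests the scheduler may), a rotated `keytabBase64Content` on `helm upgrade` restarts workers but leaves that pod running with the stale keytab until something else restarts it — worth confirming against the other deployment templates. Note also that the annotation is the SHA-256 of the rendered Secret manifest, keytab bytes included; it matches the neighbouring checksum lines, but it does put a credential-derived digest on an object readable by anyone with pod-list access, so a comment such as `# restart workers when the inline keytab changes (digest of the rendered Secret, no key material)` would record the trade-off.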
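Review bot: The replacement assertion `assert k8s_objects_to_consider_str.count("kerberos") == 1` turns a test named `test_kerberos_not_mentioned_in_render_if_disabled` into one that expects exactly one mention, with nothing saying where that mention comes from; the new worker annotation `checksum/kerberos-keytab` is the only candidate visible in this patch, so at minimum add `# the single expected hit is the worker's checksum/kerberos-keytab annotation, rendered even with kerberos disabled`. A sturdier form would drop that annotation key from the rendered objects and keep the original `not in` assertion, so a future template that leaks a kerberos mount or env var on a disabled render still fails. The enclosing test method starts outside the hunk.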
@@ -95,3 +95,36 @@ def test_keberos_sidecar_resources_are_not_added_by_default(self):
             show_only=["templates/workers/worker-deployment.yaml"],
         )
         assert jmespath.search("spec.template.spec.containers[0].resources", docs[0]) == {}
+
+    def test_kerberos_keytab_secret_available(self):
+        docs = render_chart(
+            values={
+                "executor": "CeleryExecutor",
+                "kerberos": {
+                    "enabled": True,
+                    "keytabBase64Content": "dGVzdGtleXRhYg==",
+                    "configPath": "/etc/krb5.conf",
+                    "ccacheMountPath": "/var/kerberos-ccache",
+                    "ccacheFileName": "ccache",
+                },
+            },
+            show_only=["templates/secrets/kerberos-keytab.yaml"],
+        )
+
+        assert jmespath.search('data."kerberos.keytab"', docs[0]) == "dGVzdGtleXRhYg=="
+
+    def test_kerberos_keytab_secret_unavailable_when_not_specified(self):
+        docs = render_chart(
+            values={
+                "executor": "CeleryExecutor",
+                "kerberos": {
+                    "enabled": True,
+                    "configPath": "/etc/krb5.conf",
+                    "ccacheMountPath": "/var/kerberos-ccache",
+                    "ccacheFileName": "ccache",
+                },
+            },
+            show_only=["templates/secrets/kerberos-keytab.yaml"],
+        )
+
+        assert 0 == len(docs)
diff --git a/chart/values.schema.json b/chart/values.schema.json
index d847a3dcee262..3f5cdc20201a2 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -862,6 +862,14 @@
                     "type": "string",
                     "default": "/etc/krb5.conf"
                 },
+                "keytabBase64Content": {
+                    "description": "Kerberos keytab base64 encoded content.",
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "default": null
+                },
                 "keytabPath": {
                     "description": "Path to mount the keytab for refreshing credentials in the kerberos sidecar.",
                     "type": "string",
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c5b04cb2c8d0..b558a936f8c97 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
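Review bot: `test_kerberos_keytab_secret_available` only checks that the base64 string is echoed back; it does not pin the rendered `kind`/`type` or `metadata.name`, so a change to the `kerberos_keytab_secret` helper that breaks the name the worker mounts would go unnoticed — add `assert jmespath.search("kind", docs[0]) == "Secret"` and an assertion on `metadata.name` against the name the worker deployment expects. There is also no case for `enabled: False` with `keytabBase64Content` set, which is exactly where the template's guard condition matters; the intended behaviour there should be decided and tested either way. Minor style: `assert 0 == len(docs)` reads better as `assert docs == []`.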
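Review bot: The schema accepts any string for `keytabBase64Content`, so a raw keytab or a value with stray newlines passes `helm lint` and only fails when the API server rejects the Secret's `data`; adding `"pattern": "^[A-Za-z0-9+/]*={0,2}$"` next to `"type"` rejects non-base64 input at template time. The description could also say how to produce the value and that it becomes part of the release history, e.g. `"description": "Base64-encoded keytab (e.g. base64 -w0 airflow.keytab). Stored in the Helm release values; prefer a pre-created secret for production."`.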
@@ -327,11 +327,17 @@ webserverSecretKeySecretName: ~
 #
 #   kubectl create secret generic {{ .Release.name }}-kerberos-keytab --from-file=kerberos.keytab
 #
+#
+# Alternatively, instead of manually creating the secret, it is possible to specify
+# kerberos.keytabBase64Content parameter. This parameter should contain base64 encoded keytab.
+#
+
 kerberos:
   enabled: false
   ccacheMountPath: /var/kerberos-ccache
   ccacheFileName: cache
   configPath: /etc/krb5.conf
+  keytabBase64Content: ~
   keytabPath: /etc/airflow.keytab
   principal: airflow@FOO.COM
   reinitFrequency: 3600
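Review bot: The new comment tells users the value must be base64 but not that it is a credential that travels with the values — into the Helm release Secret for every revision, `helm get values`, and any values file checked into source control — so the choice between this and the pre-created Secret is a security decision, not just a convenience. Suggest extending the comment with `# Note: the keytab then lives in the Helm release values (every revision, helm get values); for production the pre-created secret above is preferred. Produce the value with: base64 -w0 airflow.keytab`. The default `keytabBase64Content: ~` is fine and matches the schema's null type.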