Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm RBAC Best Practices #14152

Merged
merged 25 commits into from
Apr 30, 2021
Merged

Helm RBAC Best Practices #14152

merged 25 commits into from
Apr 30, 2021

Conversation

DerekHeldtWerle
Copy link
Contributor

This PR builds off of and supersedes @jaydesl's work on his PR to move forward with properly following helm's rbac best practices. This PR updates every potential pod that can be deployed to include the option to either create or use an existing service account. This is the first step towards supporting environments where users have the PodSecurityPolicy admission controller enabled without forcing such users to provide any additional permissions to the default service account in the namespace this is deployed to.

closes: #11755
related: #13643

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.

@boring-cyborg boring-cyborg bot added the area:helm-chart Airflow Helm Chart label Feb 9, 2021
@boring-cyborg
Copy link

boring-cyborg bot commented Feb 9, 2021

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst)
Here are some useful points:

  • Pay attention to the quality of your code (flake8, pylint and type annotations). Our pre-commits will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it’s a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: [email protected]
    Slack: https://s.apache.org/airflow-slack

@DerekHeldtWerle DerekHeldtWerle changed the title Fix/rbac Helm RBAC Best Practices Feb 9, 2021
@DerekHeldtWerle DerekHeldtWerle mentioned this pull request Feb 9, 2021
Closed
@DerekHeldtWerle DerekHeldtWerle marked this pull request as draft February 9, 2021 20:40
ashb
ashb previously requested changes Feb 10, 2021
View reviewed changes
chart/templates/_helpers.yaml Show resolved Hide resolved
chart/templates/_helpers.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/pod-cleanup-role.yaml Show resolved Hide resolved
@github-actions
Copy link

The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.

@DerekHeldtWerle DerekHeldtWerle marked this pull request as ready for review February 10, 2021 19:57
@jaydesl
Copy link
Contributor

jaydesl commented Feb 11, 2021

Thanks for carrying this @DerekHeldtWerle !

@DerekHeldtWerle DerekHeldtWerle requested a review from ashb March 1, 2021 18:35
@github-actions
Copy link

The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.

@DerekHeldtWerle
Copy link
Contributor Author

@ashb, did you have anything else that needs to be addressed for this PR?

@mik-laj mik-laj requested a review from XD-DENG March 31, 2021 00:23
@mik-laj
Copy link
Member

mik-laj commented Apr 3, 2021

@kaxil @ashb Can I ask for a second look?

@DerekHeldtWerle
Copy link
Contributor Author

@ashb, @mik-laj, @kaxil This has been rebased with master again. Let me know if there's anything that needs to be addressed.

@kaxil
Copy link
Member

kaxil commented Apr 12, 2021
edited
Loading

@ashb, @mik-laj, @kaxil This has been rebased with master again. Let me know if there's anything that needs to be addressed.

I will take a look in coming days, thanks

@github-actions
Copy link

The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.

DerekHeldtWerle and others added 11 commits April 30, 2021 15:20
@DerekHeldtWerle
remove serviceAccountAnnotations in favor of <service>.serviceaccount…
8006251 
….annotations, add items to new docs location
@DerekHeldtWerle
adds cleanup sa annotations, missing job annotations from values.yaml…
52a3769 
…, update docs with redis, jobs, and cleanup options
@DerekHeldtWerle @ianstanton
Update chart/values.schema.json
6a4d59e 
Co-authored-by: Ian Stanton <[email protected]>
@DerekHeldtWerle @ianstanton
Update chart/values.yaml
7e8d02d 
Co-authored-by: Ian Stanton <[email protected]>
@DerekHeldtWerle
Adds test for service account annotations
c1f1ad1
@DerekHeldtWerle
split jobs into createUserJob and migrateDatabaseJob, address other P…
627aee1 
…R comments
@DerekHeldtWerle
update docs to include createUserJob and migrateDatabaseJob
d717574
@DerekHeldtWerle
rebase with master and fix tests
521c93c
@DerekHeldtWerle
remove unused jobs.serviceAccountName from helpers.yaml
9460b8b
@DerekHeldtWerle
change name of CLEANUP_DEPLOYMENT_KIND_NAME_TUPLES to DEPLOYMENT_NO_R…
3a9a580 
…BAC_NO_SA_KIND_NAME_TUPLES
@DerekHeldtWerle
fix static checks
659be35
@kaxil
Copy link
Member

kaxil commented Apr 30, 2021

Unit test is failing: https://github.com/apache/airflow/pull/14152/checks?check_run_id=2479497469#step:6:3089

could not find template templates/create-user-job.yaml in chart\n'

Pushed a fix: 9ca3d21

@DerekHeldtWerle
Copy link
Contributor Author

@kaxil beat me to it before I had seen you had pushed up your fix 😆

@github-actions
Copy link

The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.

kaxil
kaxil reviewed Apr 30, 2021
View reviewed changes
docs/helm-chart/parameters-ref.rst Outdated Show resolved Hide resolved
docs/helm-chart/parameters-ref.rst Outdated Show resolved Hide resolved
docs/helm-chart/parameters-ref.rst Outdated Show resolved Hide resolved
docs/helm-chart/parameters-ref.rst Outdated Show resolved Hide resolved
@kaxil kaxil dismissed ashb’s stale review April 30, 2021 23:05

Stale Review

@github-actions
Copy link

The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest master or amend the last commit of the PR, and push it with --force-with-lease.

@github-actions github-actions bot added the okay to merge It's ok to merge this PR as it does not require more tests label Apr 30, 2021
@kaxil kaxil merged commit 8655d66 into apache:master Apr 30, 2021
@kaxil
Copy link
Member

kaxil commented Apr 30, 2021

Thanks @DerekHeldtWerle 🎉

@DerekHeldtWerle DerekHeldtWerle deleted the fix/rbac branch April 30, 2021 23:40
ianstanton
ianstanton reviewed May 3, 2021
View reviewed changes
Copy link
Contributor

@ianstanton ianstanton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

This was referenced May 3, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstandish dstandish dstandish left review comments

@mik-laj mik-laj mik-laj approved these changes

@ianstanton ianstanton ianstanton left review comments

@kaxil kaxil kaxil approved these changes

@dimberman dimberman Awaiting requested review from dimberman

@ashb ashb Awaiting requested review from ashb

@vikramkoka vikramkoka Awaiting requested review from vikramkoka

@XD-DENG XD-DENG Awaiting requested review from XD-DENG

Assignees
No one assigned
Labels
area:helm-chart Airflow Helm Chart okay to merge It's ok to merge this PR as it does not require more tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RBAC and more customization in Helm Chart
8 participants
@DerekHeldtWerle @jaydesl @mik-laj @kaxil @ianstanton @ashb @dimberman @dstandish