Fix: Configurable Docker image of xcom_sidecar

[pegasas]

Description
The iamge of xcom_sidecar is not cunfigurable (code: xcom_sidecar.py#36). In our situation we can not access the "alpine" image from the docker image registry. Then the pod will not be started because the pulling of image failed.

Therefore it would be very nice that the image of xcom_sidecar is configurable so that we can pass an image hosted by our registry.

I see there was a merged PR about this feature #26766. But the changes was deleted in the commit a1f5a54.

Could you please review it and add this feature again? Thanks!

Use case/motivation
Usecase:

Use KubernetesPodOperator with do_xcom_push=True in an environment which can not access docker image registry.

Related issues
PR #26766 deleted in a1f5a54

---

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our pre-commits will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: [email protected]
  Slack: https://s.apache.org/airflow-slack

[pegasas]

related to issue: #32805

[jscheffl]

I just made a dry run code-reading (yet) would take 1-2 days until I'd be able to do a full test.

Besides one comment where I expect that a default matching to todays hard coded values is expected, I miss any kind of documentation. We don't want the users having to read the code to discover all secret options. Can you add some?

[pegasas]

I just made a dry run code-reading (yet) would take 1-2 days until I'd be able to do a full test.

Besides one comment where I expect that a default matching to todays hard coded values is expected, I miss any kind of documentation. We don't want the users having to read the code to discover all secret options. Can you add some?

Hi, @jens-scheffler-bosch ,

the document has been added in previous pull request https://github.com/apache/airflow/pull/26766/files
at

airflow/docs/apache-airflow-providers-cncf-kubernetes/connections/kubernetes.rst

Line 70 in 8940453

Xcom sidecar image

[jscheffl]

I just made a dry run code-reading (yet) would take 1-2 days until I'd be able to do a full test.
Besides one comment where I expect that a default matching to todays hard coded values is expected, I miss any kind of documentation. We don't want the users having to read the code to discover all secret options. Can you add some?

Hi, @jens-scheffler-bosch ,

the document has been added in previous pull request https://github.com/apache/airflow/pull/26766/files at

airflow/docs/apache-airflow-providers-cncf-kubernetes/connections/kubernetes.rst

Line 70 in 8940453

Xcom sidecar image

Ah, I see. Was not aware of this "legacy". Still for a user hard to find so not knowing about this feature maybe you rather stumble over it by crawling the source.
Nevertheless adding the resource documentation and an example (JSON might not be obvious for all) would still be good.

[jscheffl]

Tested and the exposure of the image and resource spec works.
I'd wish for a bit better documentation but other than this (has not been better in the past) I would vote for getting it merged.

Note: I'm not a committer so my approval is just a emotional support, has no value :-D

[potiuk]

Note: I'm not a committer so my approval is just a emotional support, has no value :-D

Quite the opposite. It does have a value as committer see it and read the comments and reviews/approval :)

The change looks good. But I have one comment here.

It would be a bit of a problem IF we would not have clarified our security model recently - see https://airflow.apache.org/docs/apache-airflow/stable/security/index.html and "Capabilities of authenticated UI users".

Without this clarification added - this change could be seen as security issue, because the user who could configure the connection, could also configure a completely different image and perform Remote Code Execution (which is quite surprising for the user who - from the first glance - can just configure connections).

But in our Security model we have it clear that this is expected:

Connection configuration users: They configure connections and potentially execute code on workers during DAG execution. Trust is required to prevent misuse of these privileges. They have full access to sensitive credentials stored in connections and can modify them. Access to sensitive information through connection configuration should be trusted not to be abused. They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability.

So yeah. It looks good (in this context).

[pegasas]

Note: I'm not a committer so my approval is just a emotional support, has no value :-D

Quite the opposite. It does have a value as committer see it and read the comments and reviews/approval :)

The change looks good. But I have one comment here.

It would be a bit of a problem IF we would not have clarified our security model recently - see https://airflow.apache.org/docs/apache-airflow/stable/security/index.html and "Capabilities of authenticated UI users".

Without this clarification added - this change could be seen as security issue, because the user who could configure the connection, could also configure a completely different image and perform Remote Code Execution (which is quite surprising for the user who - from the first glance - can just configure connections).

But in our Security model we have it clear that this is expected:

Connection configuration users: They configure connections and potentially execute code on workers during DAG execution. Trust is required to prevent misuse of these privileges. They have full access to sensitive credentials stored in connections and can modify them. Access to sensitive information through connection configuration should be trusted not to be abused. They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability.

So yeah. It looks good (in this context).

Thank @potiuk and @jens-scheffler-bosch for clarification!

[boring-cyborg]

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

[eladkal]

Thank you @pegasas !

[pegasas]

Thank you @pegasas !

Thanks @eladkal for spending your precious time on my first review!
Also Thanks @jens-scheffler-bosch and @potiuk for your guidance!