Chart: Create a random secret for Webserver's flask secret key (#17142)
After apache/airflow#16754 -- it is important that both Webserver and Worker have the same config value for `[webserver] secret_key` or else you will see the following error:

```
*** Fetching from: https://worker.worker-svc.default.svc.cluster.local:8793/log/<dag>/<task>/2021-07-15T11:51:59.190528+00:00/1.log
*** Failed to fetch log file from worker. 403 Client Error: FORBIDDEN for url: https://worker.worker-svc.default.svc.cluster.local:8793/log/<dag>/<task>/2021-07-15T11:51:59.190528+00:00/1.log
For more information check: https://httpstatuses.com/403
```

This happens because Airflow generates a random value for it if no value is provided, which causes a random string to be generated on the webserver and the worker. Hence they don't match, resulting in the error.

This PR creates a K8s Secret object, creates a key for that setting and passes it as an Env Var, similar to what we do with the Fernet Key.

GitOrigin-RevId: 7842de0ff124dd6a2696ec82bf6423455164df5b
kaxil authored and Cloud Composer Team committed Jan 27, 2023
1 parent ee1b7c4 commit 6e6d811
Showing 6 changed files with 75 additions and 1 deletion.
9 changes: 9 additions & 0 deletions chart/templates/_helpers.yaml
Expand Up @@ -52,6 +52,11 @@ If release name contains chart name it will be used as a full name.
secretKeyRef:
name: {{ template "airflow_metadata_secret" . }}
key: connection
- name: AIRFLOW__WEBSERVER__SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ template "webserver_secret_key_secret" . }}
key: webserver-secret-key
{{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
- name: AIRFLOW__CELERY__CELERY_RESULT_BACKEND
valueFrom:
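Review bot: the new env entry hard-codes `key: webserver-secret-key` in the `secretKeyRef`, so anyone who supplies their own Secret via `webserverSecretKeySecretName` must use exactly that key name, yet neither the `values.schema.json` description nor the `values.yaml` comment added in this change states it. Suggest documenting the required key (e.g. "the Secret must contain a `webserver-secret-key` entry") next to `webserverSecretKeySecretName`; otherwise the pod fails at startup with a missing-key error that is hard to trace back to the chart value.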
Expand Down Expand Up @@ -256,6 +261,10 @@ If release name contains chart name it will be used as a full name.
{{ default (printf "%s-fernet-key" .Release.Name) .Values.fernetKeySecretName }}
{{- end }}

{{ define "webserver_secret_key_secret" -}}
{{ default (printf "%s-webserver-secret-key" .Release.Name) .Values.webserverSecretKeySecretName }}
{{- end }}

{{ define "redis_password_secret" -}}
{{ default (printf "%s-redis-password" .Release.Name) .Values.redis.passwordSecretName }}
{{- end }}
39 changes: 39 additions & 0 deletions chart/templates/secrets/webserver-secret-key-secret.yaml
@@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

############################################
## Airflow Webserver Flask Secret Key Secret
############################################
{{- if not .Values.webserverSecretKeySecretName }}
{{ $generated_secret_key := (randAlphaNum 32 | b64enc) }}
kind: Secret
apiVersion: v1
metadata:
name: {{ .Release.Name }}-webserver-secret-key
labels:
tier: airflow
component: webserver
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
type: Opaque
data:
webserver-secret-key: {{ (default $generated_secret_key .Values.webserverSecretKey) | b64enc | quote }}
{{- end }}
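Review bot: the generated key is base64-encoded twice. `{{ $generated_secret_key := (randAlphaNum 32 | b64enc) }}` already produces base64 text, and the `data:` line applies `| b64enc` again, so what the pod decodes is a 44-character base64 string rather than the 32 random alphanumerics; it still works as a secret, but the extra step is confusing and worth dropping (generate with `randAlphaNum 32` only and let the `data:` line encode). Second, `randAlphaNum` is re-evaluated on every `helm upgrade`, so the key rotates on each upgrade: every browser session is invalidated, and until all webserver and worker pods have restarted and picked up the new Secret, pods started at different times hold different keys, which is the same mismatch this commit sets out to fix. Suggest either reusing an existing value via `lookup` when the Secret already exists, or stating clearly in `values.yaml` that `webserverSecretKey`/`webserverSecretKeySecretName` should be set for any deployment that will be upgraded in place.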
4 changes: 3 additions & 1 deletion chart/tests/test_basic_helm_chart.py
Expand Up @@ -25,7 +25,7 @@

from tests.helm_template_generator import render_chart

OBJECT_COUNT_IN_BASIC_DEPLOYMENT = 35
OBJECT_COUNT_IN_BASIC_DEPLOYMENT = 36


class TestBaseChartTest(unittest.TestCase):
Expand Down Expand Up @@ -56,6 +56,7 @@ def test_basic_deployments(self):
('Secret', 'TEST-BASIC-airflow-result-backend'),
('Secret', 'TEST-BASIC-broker-url'),
('Secret', 'TEST-BASIC-fernet-key'),
('Secret', 'TEST-BASIC-webserver-secret-key'),
('Secret', 'TEST-BASIC-postgresql'),
('Secret', 'TEST-BASIC-redis-password'),
('ConfigMap', 'TEST-BASIC-airflow-config'),
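Review bot: the new Secret is only checked for presence in the expected-object list; nothing exercises the template's two branches. Suggest adding a test that renders the chart with `webserverSecretKey` set and asserts the base64-decoded `webserver-secret-key` data equals that value, and another that sets `webserverSecretKeySecretName` and asserts no `*-webserver-secret-key` Secret is rendered while the env entry points at the named Secret.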
Expand Down Expand Up @@ -190,6 +191,7 @@ def test_labels_are_valid(self):
(f"{release_name}-statsd", "Service", "statsd"),
(f"{release_name}-statsd-policy", "NetworkPolicy", "statsd-policy"),
(f"{release_name}-webserver", "Deployment", "webserver"),
(f"{release_name}-webserver-secret-key", "Secret", "webserver"),
(f"{release_name}-webserver", "Service", "webserver"),
(f"{release_name}-webserver-policy", "NetworkPolicy", "airflow-webserver-policy"),
(f"{release_name}-worker", "Service", "worker"),
1 change: 1 addition & 0 deletions chart/tests/test_rbac.py
Expand Up @@ -47,6 +47,7 @@
('Secret', 'TEST-RBAC-broker-url'),
('Secret', 'TEST-RBAC-fernet-key'),
('Secret', 'TEST-RBAC-redis-password'),
('Secret', 'TEST-RBAC-webserver-secret-key'),
('Job', 'TEST-RBAC-create-user'),
('Job', 'TEST-RBAC-run-airflow-migrations'),
('CronJob', 'TEST-RBAC-cleanup'),
18 changes: 18 additions & 0 deletions chart/values.schema.json
Expand Up @@ -775,6 +775,24 @@
"x-docsSection": "Airflow",
"default": null
},
"webserverSecretKey": {
"description": "The Flask secret key for Airflow Webserver to encrypt browser session.",
"type": [
"string",
"null"
],
"x-docsSection": "Common",
"default": null
},
"webserverSecretKeySecretName": {
"description": "The Secret name containing Flask secret_key for the Webserver.",
"type": [
"string",
"null"
],
"x-docsSection": "Airflow",
"default": null
},
"kerberos": {
"description": "Kerberos configurations for airflow",
"type": "object",
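Review bot: the `webserverSecretKey` description says the key is used "to encrypt browser session", but Flask's `SECRET_KEY` signs the session cookie so it cannot be tampered with; it does not encrypt the cookie contents. Suggest "to sign the browser session cookie". Also, the two new keys are filed under different `x-docsSection` values (`Common` for `webserverSecretKey`, `Airflow` for `webserverSecretKeySecretName`), which will separate them in the generated parameter docs; consider using one section for both.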
5 changes: 5 additions & 0 deletions chart/values.yaml
Expand Up @@ -267,6 +267,10 @@ data:
fernetKey: ~
fernetKeySecretName: ~

# Flask secret key for Airflow Webserver: `[webserver] secret_key` in airflow.cfg
webserverSecretKey: ~
webserverSecretKeySecretName: ~

# In order to use kerberos you need to create secret containing the keytab file
# The secret name should follow naming convention of the application where resources are
# name {{ .Release-name }}-<POSTFIX>. In case of the keytab file, the postfix is "kerberos-keytab"
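Review bot: the comment above `webserverSecretKey` only names the airflow.cfg option; it should say why the value exists in the chart, namely that webserver and workers must hold the same key (the log-fetch 403 from the commit message), and that `webserverSecretKeySecretName` is the preferred form, since a plain `webserverSecretKey` ends up in values files and Helm release history, which is exactly what the "Do not set config containing secrets via plain text values" comment added further down in this change warns against.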
Expand Down Expand Up @@ -1059,6 +1063,7 @@ postgresql:
#
# a: '{{ "{{ not a template }}" }}'
#
# Do not set config containing secrets via plain text values, use Env Var or k8s secret object
# yamllint disable rule:line-length
config:
core: