Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Airflow DAGs unable to read credentials from k8s secret #504

Closed
aliaksandr-d opened this issue Sep 28, 2018 · 3 comments · Fixed by #515
Closed

Airflow DAGs unable to read credentials from k8s secret #504

aliaksandr-d opened this issue Sep 28, 2018 · 3 comments · Fixed by #515
Assignees
@aliaksandr-d
Labels
bug [Fixed] for any bug fixes.

Comments

@aliaksandr-d
Copy link
Member

Currently Airflow Hooks are trying to get credentials connections from K8s secrets, but it's forbidden for them to read any secrets from k8s. Need to update RBAC
@aliaksandr-d aliaksandr-d added the bug [Fixed] for any bug fixes. label Sep 28, 2018
@aliaksandr-d aliaksandr-d self-assigned this Sep 28, 2018
@kirillmakhonin
Copy link
Member

As we discussed previously DAGs can load credentials in two ways:

  1. AWS creds using kube2iam
  2. Non-aws creds using Airflow Connections. Airflow Connections are configurable using deployment secret (section airflow.connections)

@aliaksandr-d
Copy link
Member Author

@kirillmakhonin airflow.connections are set only during cluster creation and legion deployment. we need the ability to update non-aws credentials without cluster recreation and not in Airflow UI. The idea is that non-aws credentials can be stored in k8s secret, that is updated directly.

@aliaksandr-d
Copy link
Member Author

After discussion with @dsuslov , we decided to store all connections credentials in one k8s secret map.
It requires:

  1. hooks update to read credentials from one k8s secret
  2. worker rbac update to give access to a single k8s secret.

leshchanka-aliaksandr pushed a commit that referenced this issue Oct 3, 2018
@allesh-clmb
[#504] update k8s_hook to read yaml data from one secret file
976f657
leshchanka-aliaksandr pushed a commit that referenced this issue Oct 4, 2018
@allesh-clmb
[#504] refactor k8s_hook
4dbb636
leshchanka-aliaksandr pushed a commit that referenced this issue Oct 4, 2018
@allesh-clmb
[#504] allow dags to interact with k8s secrets
c1ebea8
leshchanka-aliaksandr pushed a commit that referenced this issue Oct 4, 2018
@allesh-clmb
[#504] allow dags to interact with k8s secrets
503ee8b
Merged
aliaksandr-d added a commit that referenced this issue Oct 16, 2018
@aliaksandr-d
[#504] CHanged a way to store crednetials in Secret. Now store a conn…
ea78e68 
…ections in separate keys
aliaksandr-d pushed a commit that referenced this issue Oct 16, 2018
@allesh-clmb @aliaksandr-d
[#504] update k8s_hook to read yaml data from one secret file
33c3d3b
aliaksandr-d pushed a commit that referenced this issue Oct 16, 2018
@allesh-clmb @aliaksandr-d
[#504] refactor k8s_hook
db56866
aliaksandr-d pushed a commit that referenced this issue Oct 16, 2018
@allesh-clmb @aliaksandr-d
[#504] allow dags to interact with k8s secrets
514a9c9
aliaksandr-d added a commit that referenced this issue Oct 16, 2018
@aliaksandr-d
[#504] CHanged a way to store crednetials in Secret. Now store a conn…
2e39b5f 
…ections in separate keys
aliaksandr-d added a commit that referenced this issue Oct 18, 2018
@aliaksandr-d
[#504] Added helm chart for airflow-credentials secret creation
2d36a95
aliaksandr-d pushed a commit that referenced this issue Oct 18, 2018
@allesh-clmb @aliaksandr-d
[#504] update k8s_hook to read yaml data from one secret file
eaa416f
aliaksandr-d pushed a commit that referenced this issue Oct 18, 2018
@allesh-clmb @aliaksandr-d
[#504] refactor k8s_hook
b163ba2
aliaksandr-d pushed a commit that referenced this issue Oct 18, 2018
@allesh-clmb @aliaksandr-d
[#504] allow dags to interact with k8s secrets
cc3bb19
aliaksandr-d added a commit that referenced this issue Oct 18, 2018
@aliaksandr-d
[#504] CHanged a way to store crednetials in Secret. Now store a conn…
fc4a211 
…ections in separate keys
aliaksandr-d added a commit that referenced this issue Oct 18, 2018
@aliaksandr-d
[#504] Added helm chart for airflow-credentials secret creation
06bc105
aliaksandr-d pushed a commit that referenced this issue Oct 19, 2018
@allesh-clmb @aliaksandr-d
[#504] update k8s_hook to read yaml data from one secret file
6d7f2cb
aliaksandr-d pushed a commit that referenced this issue Oct 19, 2018
@allesh-clmb @aliaksandr-d
[#504] refactor k8s_hook
efe072f
aliaksandr-d pushed a commit that referenced this issue Oct 19, 2018
@allesh-clmb @aliaksandr-d
[#504] allow dags to interact with k8s secrets
2019432
aliaksandr-d added a commit that referenced this issue Oct 19, 2018
@aliaksandr-d
[#504] CHanged a way to store crednetials in Secret. Now store a conn…
903a4a6 
…ections in separate keys
aliaksandr-d added a commit that referenced this issue Oct 19, 2018
@aliaksandr-d
[#504] Added helm chart for airflow-credentials secret creation
b4621d9
aliaksandr-d pushed a commit that referenced this issue Oct 23, 2018
@allesh-clmb @aliaksandr-d
[#504] update k8s_hook to read yaml data from one secret file
2e2e6ad
aliaksandr-d pushed a commit that referenced this issue Oct 23, 2018
@allesh-clmb @aliaksandr-d
[#504] refactor k8s_hook
570e6bc
aliaksandr-d pushed a commit that referenced this issue Oct 23, 2018
@allesh-clmb @aliaksandr-d
[#504] allow dags to interact with k8s secrets
6950977
aliaksandr-d added a commit that referenced this issue Oct 23, 2018
@aliaksandr-d
[#504] CHanged a way to store crednetials in Secret. Now store a conn…
59a2611 
…ections in separate keys
aliaksandr-d added a commit that referenced this issue Oct 23, 2018
@aliaksandr-d
[#504] Added helm chart for airflow-credentials secret creation
b38ebf3
dsuslov pushed a commit that referenced this issue Oct 23, 2018
@allesh-clmb
[#504] Airflow DAGs unable to read credentials from k8s secret (#515)
b737f4b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aliaksandr-d aliaksandr-d

Labels
bug [Fixed] for any bug fixes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[#504] Airflow DAGs unable to read credentials from k8s secret legion-platform/legion
2 participants
@kirillmakhonin @aliaksandr-d