From 04d628712380759aba77800504fb58f7df31798e Mon Sep 17 00:00:00 2001 From: Siddharthan P S Date: Tue, 10 Mar 2026 10:40:45 -0400 Subject: [PATCH 1/4] Fix git-sync rotated credentials support in Helm chart --- chart/templates/_helpers.yaml | 27 +++++++++------ .../dag-processor-deployment.yaml | 3 ++ .../scheduler/scheduler-deployment.yaml | 3 ++ .../triggerer/triggerer-deployment.yaml | 3 ++ .../templates/workers/worker-deployment.yaml | 3 ++ chart/values.schema.json | 2 +- chart/values.yaml | 6 +++- .../airflow_core/test_dag_processor.py | 33 +++++++++++++++++++ .../other/test_git_sync_scheduler.py | 19 ++++++++--- .../other/test_git_sync_triggerer.py | 31 +++++++++++++++++ .../helm_tests/other/test_git_sync_worker.py | 31 +++++++++++++++++ 11 files changed, 144 insertions(+), 17 deletions(-) diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml index 42848a9e22e14..56e5728d9ce0d 100644 --- a/chart/templates/_helpers.yaml +++ b/chart/templates/_helpers.yaml @@ -204,6 +204,14 @@ If release name contains chart name it will be used as a full name. defaultMode: 288 {{- end }} +{{/* Git credentials volume */}} +{{- define "git_sync_credentials_volume" }} +- name: git-sync-credentials + secret: + secretName: {{ .Values.dags.gitSync.credentialsSecret | quote }} + defaultMode: 288 +{{- end }} + {{/* Git sync container */}} {{- define "git_sync_container" }} - name: {{ .Values.dags.gitSync.containerName }}{{ if .is_init }}-init{{ end }} 
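Review bot: The new `git_sync_credentials_volume` helper mounts the Secret as a whole directory with no `subPath`, which is the property that lets the kubelet refresh the password files after the Secret changes, but nothing records that, so a later tidy-up that adds `subPath` or `items` would silently break the rotation this series is for. I would widen the helper comment to `{{/* Git credentials volume. Mounted as a directory (no subPath) so the kubelet can refresh the password files when the Secret is updated; this never happens for a Secret created with immutable: true. */}}`. `defaultMode: 288` (0440) copies the ssh-key volume just above it, so read access for the non-root git-sync user presumably depends on the pod's fsGroup exactly as it already does for the key. The hunk ends inside the `git_sync_container` definition, which continues outside it.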
@@ -247,16 +255,10 @@ If release name contains chart name it will be used as a full name. secretKeyRef: name: {{ .Values.dags.gitSync.credentialsSecret | quote }} key: GITSYNC_USERNAME - - name: GIT_SYNC_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.dags.gitSync.credentialsSecret | quote }} - key: GIT_SYNC_PASSWORD - - name: GITSYNC_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.dags.gitSync.credentialsSecret | quote }} - key: GITSYNC_PASSWORD + - name: GIT_SYNC_PASSWORD_FILE + value: "/etc/git-secret/credentials/GIT_SYNC_PASSWORD" + - name: GITSYNC_PASSWORD_FILE + value: "/etc/git-secret/credentials/GITSYNC_PASSWORD" {{- end }} - name: GIT_SYNC_REV value: {{ .Values.dags.gitSync.rev | quote }} @@ -351,6 +353,11 @@ If release name contains chart name it will be used as a full name. subPath: known_hosts {{- end }} {{- end }} + {{- if .Values.dags.gitSync.credentialsSecret }} + - name: git-sync-credentials + mountPath: /etc/git-secret/credentials + readOnly: true + {{- end }} {{- if .Values.dags.gitSync.extraVolumeMounts }} {{- tpl (toYaml .Values.dags.gitSync.extraVolumeMounts) . | nindent 2 }} {{- end }} diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml b/chart/templates/dag-processor/dag-processor-deployment.yaml index c5045e6ecefea..1f25567a4184b 100644 --- a/chart/templates/dag-processor/dag-processor-deployment.yaml +++ b/chart/templates/dag-processor/dag-processor-deployment.yaml @@ -270,6 +270,9 @@ spec: {{- if and .Values.dags.gitSync.enabled (or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey) }} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} + {{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.credentialsSecret }} + {{- include "git_sync_credentials_volume" . | indent 8 }} + {{- end }} {{- if .Values.volumes }} {{- toYaml .Values.volumes | nindent 8 }} {{- end }} 
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml b/chart/templates/scheduler/scheduler-deployment.yaml index 3514180c874c5..2e901c75aeb4a 100644 --- a/chart/templates/scheduler/scheduler-deployment.yaml +++ b/chart/templates/scheduler/scheduler-deployment.yaml @@ -344,6 +344,9 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} + {{- if .Values.dags.gitSync.credentialsSecret }} + {{- include "git_sync_credentials_volume" . | indent 8 }} + {{- end }} {{- end }} {{- end }} {{- if .Values.volumes }} diff --git a/chart/templates/triggerer/triggerer-deployment.yaml b/chart/templates/triggerer/triggerer-deployment.yaml index 41a2f0d3d5501..52e552ea7b4af 100644 --- a/chart/templates/triggerer/triggerer-deployment.yaml +++ b/chart/templates/triggerer/triggerer-deployment.yaml @@ -300,6 +300,9 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | nindent 8 }} {{- end }} + {{- if .Values.dags.gitSync.credentialsSecret }} + {{- include "git_sync_credentials_volume" . | nindent 8 }} + {{- end }} {{- end }} {{- if .Values.volumes }} {{- toYaml .Values.volumes | nindent 8 }} diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml index c810581bf7485..5aab9639fbaff 100644 --- a/chart/templates/workers/worker-deployment.yaml +++ b/chart/templates/workers/worker-deployment.yaml @@ -482,6 +482,9 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} + {{- if .Values.dags.gitSync.credentialsSecret }} + {{- include "git_sync_credentials_volume" . | indent 8 }} + {{- end }} {{- end }} {{- if .Values.logs.persistence.enabled }} - name: logs diff --git a/chart/values.schema.json b/chart/values.schema.json index 0891db13bd5f7..abf218e572f0c 100644 
--- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -10801,7 +10801,7 @@ } }, "credentialsSecret": { - "description": "Name of a Secret containing the repo `GIT_SYNC_USERNAME` and `GIT_SYNC_PASSWORD`.", + "description": "Name of a Secret containing `GIT_SYNC_USERNAME`, `GITSYNC_USERNAME`, `GIT_SYNC_PASSWORD`, and `GITSYNC_PASSWORD` keys. The password keys are mounted as files and used via `*_PASSWORD_FILE` env vars so rotated credentials can be re-read.", "type": [ "string", "null" diff --git a/chart/values.yaml b/chart/values.yaml index 15fa5aeefdb4b..8a4b86e8f4b70 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3558,7 +3558,11 @@ dags: # # For git-sync v4 # GITSYNC_USERNAME: # GITSYNC_PASSWORD: - # and specify the name of the secret below + # and specify the name of the secret below. + # + # The secret will be mounted into git-sync at /etc/git-secret/credentials + # and passwords will be read from files so rotated tokens can be picked up + # without restarting the git-sync container. # # credentialsSecret: git-credentials # diff --git a/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py b/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py index 75879ebd9883f..32cc3e5b49b53 100644 --- a/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py +++ b/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py 
@@ -802,6 +802,39 @@ def test_validate_if_ssh_params_are_added_with_git_ssh_key(self): "secret": {"secretName": "release-name-ssh-secret", "defaultMode": 288}, } in jmespath.search("spec.template.spec.volumes", docs[0]) + def test_should_set_password_file_env_variables_when_credentials_secret_is_configured(self): + docs = render_chart( + values={ + "dagProcessor": {"enabled": True}, + "dags": { + "gitSync": { + "enabled": True, + "credentialsSecret": "user-pass-secret", + }, + "persistence": {"enabled": False}, + }, + }, + show_only=["templates/dag-processor/dag-processor-deployment.yaml"], + ) + + assert { + "name": "GIT_SYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GIT_SYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "name": "GITSYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "mountPath": "/etc/git-secret/credentials", + "name": "git-sync-credentials", + "readOnly": True, + } in jmespath.search("spec.template.spec.containers[1].volumeMounts", docs[0]) + assert { + "name": "git-sync-credentials", + "secret": {"defaultMode": 288, "secretName": "user-pass-secret"}, + } in jmespath.search("spec.template.spec.volumes", docs[0]) + class TestDagProcessorLogGroomer(LogGroomerTestBase): """DAG processor log groomer.""" diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py b/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py index 71b5f69abd0f6..11530a81c37d4 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py 
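Review bot: The new test asserts that the `*_PASSWORD_FILE` entries are present but never asserts that the plain `GIT_SYNC_PASSWORD`/`GITSYNC_PASSWORD` `secretKeyRef` entries are gone, so a template regression that emits both (mounting the token and still leaking it into the process environment) would pass. Add `env_names = jmespath.search("spec.template.spec.containers[1].env[].name", docs[0])` followed by `assert "GIT_SYNC_PASSWORD" not in env_names and "GITSYNC_PASSWORD" not in env_names`. The triggerer, worker and scheduler variants of this test have the same gap.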
@@ -284,7 +284,7 @@ def test_validate_sshkeysecret_not_added_when_persistence_is_enabled(self): ) assert "git-sync-ssh-key" not in jmespath.search("spec.template.spec.volumes[].name", docs[0]) - def test_should_set_username_and_pass_env_variables(self): + def test_should_set_username_and_password_file_env_variables(self): docs = render_chart( values={ "airflowVersion": "2.11.0", @@ -304,8 +304,8 @@ def test_should_set_username_and_pass_env_variables(self): "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_USERNAME"}}, } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) assert { - "name": "GIT_SYNC_PASSWORD", - "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_PASSWORD"}}, + "name": "GIT_SYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GIT_SYNC_PASSWORD", } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) # Testing git-sync v4 @@ -314,9 +314,18 @@ def test_should_set_username_and_pass_env_variables(self): "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_USERNAME"}}, } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) assert { - "name": "GITSYNC_PASSWORD", - "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_PASSWORD"}}, + "name": "GITSYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "mountPath": "/etc/git-secret/credentials", + "name": "git-sync-credentials", + "readOnly": True, + } in jmespath.search("spec.template.spec.containers[1].volumeMounts", docs[0]) + assert { + "name": "git-sync-credentials", + "secret": {"defaultMode": 288, "secretName": "user-pass-secret"}, + } in jmespath.search("spec.template.spec.volumes", docs[0]) def test_should_set_the_volume_claim_correctly_when_using_an_existing_claim(self): docs = render_chart( 
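Review bot: Rewriting this test's assertions to the `_FILE` form leaves the scheduler with no test of the `secretKeyRef` password path, and patch 4 later makes that path the default (`usePasswordFile: false`), so the default rendering of this template ends up untested; patch 4 adds a `_by_default` test only for the pod template. Keep the removed assertions in a sibling test that renders without `usePasswordFile` and also checks that no credentials volume is added.
```python
def test_should_set_username_and_pass_env_variables_by_default(self):
    docs = render_chart(
        values={
            "airflowVersion": "2.11.0",
            "dags": {"gitSync": {"enabled": True, "credentialsSecret": "user-pass-secret", "sshKeySecret": None}},
        },
        show_only=["templates/scheduler/scheduler-deployment.yaml"],
    )
    env = jmespath.search("spec.template.spec.containers[1].env", docs[0])
    assert {
        "name": "GITSYNC_PASSWORD",
        "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_PASSWORD"}},
    } in env
    assert "GITSYNC_PASSWORD_FILE" not in [e["name"] for e in env]
    assert "git-sync-credentials" not in jmespath.search("spec.template.spec.volumes[].name", docs[0])
```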
diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py b/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py index 15a2a3b49b38c..ab8b9eef94bfc 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py @@ -77,6 +77,37 @@ def test_validate_if_ssh_params_are_added_with_git_ssh_key(self): "secret": {"secretName": "release-name-ssh-secret", "defaultMode": 288}, } in jmespath.search("spec.template.spec.volumes", docs[0]) + def test_should_set_password_file_env_variables_when_credentials_secret_is_configured(self): + docs = render_chart( + values={ + "dags": { + "gitSync": { + "enabled": True, + "credentialsSecret": "user-pass-secret", + } + } + }, + show_only=["templates/triggerer/triggerer-deployment.yaml"], + ) + + assert { + "name": "GIT_SYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GIT_SYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "name": "GITSYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "mountPath": "/etc/git-secret/credentials", + "name": "git-sync-credentials", + "readOnly": True, + } in jmespath.search("spec.template.spec.containers[1].volumeMounts", docs[0]) + assert { + "name": "git-sync-credentials", + "secret": {"defaultMode": 288, "secretName": "user-pass-secret"}, + } in jmespath.search("spec.template.spec.volumes", docs[0]) + def test_liveness_probe_configuration(self): livenessProbe = { "failureThreshold": 10, diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_worker.py b/helm-tests/tests/helm_tests/other/test_git_sync_worker.py index 03fdfc1217c7c..cb227ca664572 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_worker.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_worker.py 
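Review bot: This test renders with the chart's default `dags.persistence.enabled`, and patch 4 later gates the triggerer's volume on `(not .Values.dags.persistence.enabled)` while the matching `volumeMounts` entry in `git_sync_container` has no such guard, so nothing checks that the two conditions stay aligned; if the git-sync container is still rendered with persistence on (its include condition is outside these hunks, so I cannot confirm), the pod would reference a volume that does not exist. Add a negative case that renders with `"dags": {"gitSync": {...}, "persistence": {"enabled": True}}` and asserts `"git-sync-credentials" not in jmespath.search("spec.template.spec.volumes[].name", docs[0])` together with `"git-sync-credentials" not in (jmespath.search("spec.template.spec.containers[].volumeMounts[].name", docs[0]) or [])`. The worker test added in the next file has the same gap.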
@@ -168,6 +168,37 @@ def test_validate_if_ssh_params_are_added_with_git_ssh_key(self): "secret": {"secretName": "release-name-ssh-secret", "defaultMode": 288}, } in jmespath.search("spec.template.spec.volumes", docs[0]) + def test_should_set_password_file_env_variables_when_credentials_secret_is_configured(self): + docs = render_chart( + values={ + "dags": { + "gitSync": { + "enabled": True, + "credentialsSecret": "user-pass-secret", + } + } + }, + show_only=["templates/workers/worker-deployment.yaml"], + ) + + assert { + "name": "GIT_SYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GIT_SYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "name": "GITSYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", + } in jmespath.search("spec.template.spec.containers[1].env", docs[0]) + assert { + "mountPath": "/etc/git-secret/credentials", + "name": "git-sync-credentials", + "readOnly": True, + } in jmespath.search("spec.template.spec.containers[1].volumeMounts", docs[0]) + assert { + "name": "git-sync-credentials", + "secret": {"defaultMode": 288, "secretName": "user-pass-secret"}, + } in jmespath.search("spec.template.spec.volumes", docs[0]) + def test_container_lifecycle_hooks(self): docs = render_chart( values={ From a14494060bb6acc4d0b29e074dfc6d12d0e29df1 Mon Sep 17 00:00:00 2001 From: Siddharthan P S Date: Tue, 10 Mar 2026 12:12:19 -0400 Subject: [PATCH 2/4] Fix airflow_aux git-sync credentials test for password file envs --- .../helm_tests/airflow_aux/test_pod_template_file.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py index a1f0f03aa1dbe..6bf62ac251d0f 100644 --- a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py +++ b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py 
@@ -274,8 +274,8 @@ def test_should_set_username_and_pass_env_variables(self): "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_USERNAME"}}, } in jmespath.search("spec.initContainers[0].env", docs[0]) assert { - "name": "GIT_SYNC_PASSWORD", - "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_PASSWORD"}}, + "name": "GIT_SYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GIT_SYNC_PASSWORD", } in jmespath.search("spec.initContainers[0].env", docs[0]) # Testing git-sync v4 @@ -284,8 +284,8 @@ def test_should_set_username_and_pass_env_variables(self): "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_USERNAME"}}, } in jmespath.search("spec.initContainers[0].env", docs[0]) assert { - "name": "GITSYNC_PASSWORD", - "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_PASSWORD"}}, + "name": "GITSYNC_PASSWORD_FILE", + "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", } in jmespath.search("spec.initContainers[0].env", docs[0]) def test_should_set_the_dags_volume_claim_correctly_when_using_an_existing_claim(self): From 2197b76226c5014b2f4204d0b5c9c190577ff2ce Mon Sep 17 00:00:00 2001 From: Siddharthan P S Date: Tue, 10 Mar 2026 13:38:19 -0400 Subject: [PATCH 3/4] Bump default git-sync image to v4.6.0 for password-file rotation support --- chart/values.schema.json | 2 +- chart/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/values.schema.json b/chart/values.schema.json index abf218e572f0c..dd39961916c71 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -1076,7 +1076,7 @@ "tag": { "description": "The gitSync image tag.", "type": "string", - "default": "v4.4.2" + "default": "v4.6.0" }, "pullPolicy": { "description": "The gitSync image pull policy.", diff --git a/chart/values.yaml b/chart/values.yaml index 8a4b86e8f4b70..e6154e63a6470 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -124,7 +124,7 @@ images: pullPolicy: IfNotPresent gitSync: repository: registry.k8s.io/git-sync/git-sync - tag: v4.4.2 + tag: v4.6.0 pullPolicy: IfNotPresent # Select certain nodes for airflow pods. From 573731d81b2104c2b9606e07fd14b3540f286d50 Mon Sep 17 00:00:00 2001 From: Siddharthan P S Date: Tue, 10 Mar 2026 17:05:15 -0400 Subject: [PATCH 4/4] Make git-sync password-file mode opt-in and add pod-template support --- .../pod-template-file.kubernetes-helm-yaml | 3 ++ chart/templates/_helpers.yaml | 17 ++++++- .../dag-processor-deployment.yaml | 2 +- .../scheduler/scheduler-deployment.yaml | 2 +- .../triggerer/triggerer-deployment.yaml | 2 +- .../templates/workers/worker-deployment.yaml | 2 +- chart/values.schema.json | 9 +++- chart/values.yaml | 13 +++--- .../airflow_aux/test_pod_template_file.py | 44 +++++++++++++++++++ .../airflow_core/test_dag_processor.py | 1 + .../other/test_git_sync_scheduler.py | 1 + .../other/test_git_sync_triggerer.py | 1 + .../helm_tests/other/test_git_sync_worker.py | 1 + 13 files changed, 85 insertions(+), 13 deletions(-) diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml b/chart/files/pod-template-file.kubernetes-helm-yaml index 25c2de6f81318..e885f3aeb91d0 100644 --- a/chart/files/pod-template-file.kubernetes-helm-yaml +++ b/chart/files/pod-template-file.kubernetes-helm-yaml @@ -257,6 +257,9 @@ spec: {{- if and .Values.dags.gitSync.enabled (or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey) }} {{- include "git_sync_ssh_key_volume" . | nindent 2 }} {{- end }} + {{- if and .Values.dags.gitSync.enabled (not .Values.dags.persistence.enabled) .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} + {{- include "git_sync_credentials_volume" . | nindent 2 }} + {{- end }} - configMap: name: {{ include "airflow_config" . }} name: config diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml index 56e5728d9ce0d..3030cf7c78e0e 100644 --- a/chart/templates/_helpers.yaml 
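Review bot: In the pod-template hunk the credentials volume is guarded by `(not .Values.dags.persistence.enabled)` while the ssh-key volume two lines above it, in the same file, is not, so the two secrets backing the same git-sync init container are gated differently. If the init container is only rendered when persistence is off (its condition is outside the hunk) the extra guard is harmless but misleading; if it is rendered regardless, the `volumeMounts` entry emitted by `git_sync_container` would point at a missing volume and the pod would be rejected. Either align the guard with the ssh-key line or add `{{/* must match the git-sync initContainer condition above */}}` so the next reader knows which condition is authoritative.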
+++ b/chart/templates/_helpers.yaml @@ -204,7 +204,7 @@ If release name contains chart name it will be used as a full name. defaultMode: 288 {{- end }} -{{/* Git credentials volume */}} +{{/* Git credentials volume */}} {{- define "git_sync_credentials_volume" }} - name: git-sync-credentials secret: @@ -255,10 +255,23 @@ If release name contains chart name it will be used as a full name. secretKeyRef: name: {{ .Values.dags.gitSync.credentialsSecret | quote }} key: GITSYNC_USERNAME + {{- if .Values.dags.gitSync.usePasswordFile }} - name: GIT_SYNC_PASSWORD_FILE value: "/etc/git-secret/credentials/GIT_SYNC_PASSWORD" - name: GITSYNC_PASSWORD_FILE value: "/etc/git-secret/credentials/GITSYNC_PASSWORD" + {{- else }} + - name: GIT_SYNC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.dags.gitSync.credentialsSecret | quote }} + key: GIT_SYNC_PASSWORD + - name: GITSYNC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.dags.gitSync.credentialsSecret | quote }} + key: GITSYNC_PASSWORD + {{- end }} {{- end }} - name: GIT_SYNC_REV value: {{ .Values.dags.gitSync.rev | quote }} @@ -353,7 +366,7 @@ If release name contains chart name it will be used as a full name. subPath: known_hosts {{- end }} {{- end }} - {{- if .Values.dags.gitSync.credentialsSecret }} + {{- if and .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} - name: git-sync-credentials mountPath: /etc/git-secret/credentials readOnly: true diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml b/chart/templates/dag-processor/dag-processor-deployment.yaml index 1f25567a4184b..f02e6f44af1a1 100644 --- a/chart/templates/dag-processor/dag-processor-deployment.yaml +++ b/chart/templates/dag-processor/dag-processor-deployment.yaml 
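Review bot: The `usePasswordFile` branch emits `GIT_SYNC_PASSWORD_FILE` and `GITSYNC_PASSWORD_FILE` without recording which git-sync releases honour them or re-read the file on each sync, and the series itself is inconsistent on this point: patch 3 bumps the default image to v4.6.0 "for password-file rotation support" and patch 4 reverts it to v4.4.2 while keeping the option, so a user who enables it on the default image may get a password that is still read only once at start-up (I cannot verify git-sync's behaviour from here). Add a template comment above the branch, `{{/* Requires a git-sync release that re-reads the password file on every sync; see images.gitSync.tag. Only the password is rotatable this way: the username entries above remain env secretKeyRefs and need a pod restart to change. */}}`, and state the minimum tag in values.yaml. The `volumeMounts` hunk further down correctly keeps `readOnly: true`. Both hunks sit inside `git_sync_container`, whose definition starts and ends outside them.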
@@ -270,7 +270,7 @@ spec: {{- if and .Values.dags.gitSync.enabled (or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey) }} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} - {{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.credentialsSecret }} + {{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} {{- include "git_sync_credentials_volume" . | indent 8 }} {{- end }} {{- if .Values.volumes }} diff --git a/chart/templates/scheduler/scheduler-deployment.yaml b/chart/templates/scheduler/scheduler-deployment.yaml index 2e901c75aeb4a..b7a5ad422bca3 100644 --- a/chart/templates/scheduler/scheduler-deployment.yaml +++ b/chart/templates/scheduler/scheduler-deployment.yaml @@ -344,7 +344,7 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} - {{- if .Values.dags.gitSync.credentialsSecret }} + {{- if and $localOrDagProcessorDisabled .Values.dags.gitSync.enabled .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} {{- include "git_sync_credentials_volume" . | indent 8 }} {{- end }} {{- end }} diff --git a/chart/templates/triggerer/triggerer-deployment.yaml b/chart/templates/triggerer/triggerer-deployment.yaml index 52e552ea7b4af..dc59a8110ee3f 100644 --- a/chart/templates/triggerer/triggerer-deployment.yaml +++ b/chart/templates/triggerer/triggerer-deployment.yaml @@ -300,7 +300,7 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | nindent 8 }} {{- end }} - {{- if .Values.dags.gitSync.credentialsSecret }} + {{- if and .Values.dags.gitSync.enabled (not .Values.dags.persistence.enabled) .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} {{- include "git_sync_credentials_volume" . | nindent 8 }} {{- end }} {{- end }} 
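Review bot: The volume guard now differs per template — the dag-processor uses `gitSync.enabled`, the scheduler adds `$localOrDagProcessorDisabled`, the triggerer adds `(not .Values.dags.persistence.enabled)` — while the corresponding `volumeMounts` entry in `git_sync_container` is emitted whenever `credentialsSecret` and `usePasswordFile` are set. Each guard therefore has to equal the condition under which that template includes `git_sync_container`, otherwise Kubernetes rejects the pod for a mount with no backing volume; those include conditions are outside these hunks, so I cannot confirm they match. A one-line comment at each site, `{{/* must match the git_sync_container include condition above */}}`, plus a render test per template with `dags.persistence.enabled: true` would pin this. `$localOrDagProcessorDisabled` is defined outside the scheduler hunk.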
diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml index 5aab9639fbaff..737e3f81a252f 100644 --- a/chart/templates/workers/worker-deployment.yaml +++ b/chart/templates/workers/worker-deployment.yaml @@ -482,7 +482,7 @@ spec: {{- if or .Values.dags.gitSync.sshKeySecret .Values.dags.gitSync.sshKey}} {{- include "git_sync_ssh_key_volume" . | indent 8 }} {{- end }} - {{- if .Values.dags.gitSync.credentialsSecret }} + {{- if and .Values.dags.gitSync.enabled (not .Values.dags.persistence.enabled) .Values.dags.gitSync.credentialsSecret .Values.dags.gitSync.usePasswordFile }} {{- include "git_sync_credentials_volume" . | indent 8 }} {{- end }} {{- end }} diff --git a/chart/values.schema.json b/chart/values.schema.json index dd39961916c71..2cdab3d044dfe 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -1076,7 +1076,7 @@ "tag": { "description": "The gitSync image tag.", "type": "string", - "default": "v4.6.0" + "default": "v4.4.2" }, "pullPolicy": { "description": "The gitSync image pull policy.", @@ -10801,13 +10801,18 @@ } }, "credentialsSecret": { - "description": "Name of a Secret containing `GIT_SYNC_USERNAME`, `GITSYNC_USERNAME`, `GIT_SYNC_PASSWORD`, and `GITSYNC_PASSWORD` keys. The password keys are mounted as files and used via `*_PASSWORD_FILE` env vars so rotated credentials can be re-read.", + "description": "Name of a Secret containing git credentials (`GIT_SYNC_USERNAME`/`GIT_SYNC_PASSWORD` and optionally `GITSYNC_USERNAME`/`GITSYNC_PASSWORD`).", "type": [ "string", "null" ], "default": null }, + "usePasswordFile": { + "description": "When true and `credentialsSecret` is set, mount the credentials secret and pass password keys via `*_PASSWORD_FILE` env vars.", + "type": "boolean", + "default": false + }, "sshKey": { "description": "SSH private key", "type": [ diff --git a/chart/values.yaml b/chart/values.yaml index e6154e63a6470..cc21d2cfeb784 100644 --- a/chart/values.yaml 
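Review bot: The reworded `credentialsSecret` description says the `GITSYNC_*` keys are optional, but the helper's `secretKeyRef` entries for `GITSYNC_USERNAME` and `GITSYNC_PASSWORD` carry no `optional: true`, so in the default env mode a Secret missing either key makes the git-sync container fail to start rather than fall back; only in `usePasswordFile` mode does a missing password key merely mean a missing file. Either mark those `secretKeyRef`s `optional: true` in `_helpers.yaml` or make the schema honest: `"description": "Name of a Secret holding the git credentials. All four keys (GIT_SYNC_USERNAME, GIT_SYNC_PASSWORD, GITSYNC_USERNAME, GITSYNC_PASSWORD) must exist because they are referenced without optional: true."`. The new `usePasswordFile` description should also name the git-sync release it needs, since the default tag is moved back to v4.4.2 in this same patch.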
+++ b/chart/values.yaml @@ -124,7 +124,7 @@ images: pullPolicy: IfNotPresent gitSync: repository: registry.k8s.io/git-sync/git-sync - tag: v4.6.0 + tag: v4.4.2 pullPolicy: IfNotPresent # Select certain nodes for airflow pods. @@ -3560,12 +3560,15 @@ dags: # GITSYNC_PASSWORD: # and specify the name of the secret below. # - # The secret will be mounted into git-sync at /etc/git-secret/credentials - # and passwords will be read from files so rotated tokens can be picked up - # without restarting the git-sync container. - # # credentialsSecret: git-credentials # + # If set to true, credentialsSecret will also be mounted into git-sync at + # /etc/git-secret/credentials and password keys will be passed via + # GIT_SYNC_PASSWORD_FILE/GITSYNC_PASSWORD_FILE. + # + # usePasswordFile: true + usePasswordFile: false + # # # If you are using an ssh clone url, you can load # the ssh private key to a k8s secret like the one below diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py index 6bf62ac251d0f..23575bf9f57eb 100644 --- a/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py +++ b/helm-tests/tests/helm_tests/airflow_aux/test_pod_template_file.py @@ -261,6 +261,7 @@ def test_should_set_username_and_pass_env_variables(self): "gitSync": { "enabled": True, "credentialsSecret": "user-pass-secret", + "usePasswordFile": True, "sshKeySecret": None, } } 
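Review bot: The new comment describes the mechanism but not the conditions under which a rotated token is actually picked up: mounted Secret files are refreshed by the kubelet on its sync period (typically up to a minute plus cache delay), never for a Secret created with `immutable: true`, and the username is still injected as an env var, so only the password can be rotated in place. I would append `# Rotation relies on the kubelet refreshing the mounted Secret (not for immutable Secrets, and only after the kubelet sync period); the username is still an env var and needs a restart to change.` to the comment block. It should also give the minimum git-sync tag whose password-file support re-reads the file per sync, because this patch restores the v4.4.2 default.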
@@ -287,6 +288,49 @@ def test_should_set_username_and_pass_env_variables(self): "name": "GITSYNC_PASSWORD_FILE", "value": "/etc/git-secret/credentials/GITSYNC_PASSWORD", } in jmespath.search("spec.initContainers[0].env", docs[0]) + assert { + "mountPath": "/etc/git-secret/credentials", + "name": "git-sync-credentials", + "readOnly": True, + } in jmespath.search("spec.initContainers[0].volumeMounts", docs[0]) + assert { + "name": "git-sync-credentials", + "secret": {"defaultMode": 288, "secretName": "user-pass-secret"}, + } in jmespath.search("spec.volumes", docs[0]) + + def test_should_set_username_and_pass_env_variables_by_default(self): + docs = render_chart( + values={ + "dags": { + "gitSync": { + "enabled": True, + "credentialsSecret": "user-pass-secret", + "sshKeySecret": None, + } + } + }, + show_only=["templates/pod-template-file.yaml"], + chart_dir=self.temp_chart_dir, + ) + + assert { + "name": "GIT_SYNC_USERNAME", + "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_USERNAME"}}, + } in jmespath.search("spec.initContainers[0].env", docs[0]) + assert { + "name": "GIT_SYNC_PASSWORD", + "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GIT_SYNC_PASSWORD"}}, + } in jmespath.search("spec.initContainers[0].env", docs[0]) + + assert { + "name": "GITSYNC_USERNAME", + "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_USERNAME"}}, + } in jmespath.search("spec.initContainers[0].env", docs[0]) + assert { + "name": "GITSYNC_PASSWORD", + "valueFrom": {"secretKeyRef": {"name": "user-pass-secret", "key": "GITSYNC_PASSWORD"}}, + } in jmespath.search("spec.initContainers[0].env", docs[0]) + assert "git-sync-credentials" not in jmespath.search("spec.volumes[].name", docs[0]) def test_should_set_the_dags_volume_claim_correctly_when_using_an_existing_claim(self): docs = render_chart( 
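Review bot: `test_should_set_username_and_pass_env_variables_by_default` checks that the volume is absent but not that the `*_PASSWORD_FILE` env entries are absent, so a template that rendered both branches would still pass. Add `env_names = jmespath.search("spec.initContainers[0].env[].name", docs[0])` and `assert "GIT_SYNC_PASSWORD_FILE" not in env_names and "GITSYNC_PASSWORD_FILE" not in env_names` before the volume assertion; the mirror check (no plain `GITSYNC_PASSWORD` entry when `usePasswordFile` is true) belongs in the test above it, which currently only asserts presence.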
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py b/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py index 32cc3e5b49b53..7261e6e454fbf 100644 --- a/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py +++ b/helm-tests/tests/helm_tests/airflow_core/test_dag_processor.py @@ -810,6 +810,7 @@ def test_should_set_password_file_env_variables_when_credentials_secret_is_confi "gitSync": { "enabled": True, "credentialsSecret": "user-pass-secret", + "usePasswordFile": True, }, "persistence": {"enabled": False}, }, diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py b/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py index 11530a81c37d4..a28b13a2e20c2 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_scheduler.py @@ -292,6 +292,7 @@ def test_should_set_username_and_password_file_env_variables(self): "gitSync": { "enabled": True, "credentialsSecret": "user-pass-secret", + "usePasswordFile": True, "sshKeySecret": None, } }, diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py b/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py index ab8b9eef94bfc..aa224dbb4334f 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_triggerer.py @@ -84,6 +84,7 @@ def test_should_set_password_file_env_variables_when_credentials_secret_is_confi "gitSync": { "enabled": True, "credentialsSecret": "user-pass-secret", + "usePasswordFile": True, } } }, diff --git a/helm-tests/tests/helm_tests/other/test_git_sync_worker.py b/helm-tests/tests/helm_tests/other/test_git_sync_worker.py index cb227ca664572..134ee1967d796 100644 --- a/helm-tests/tests/helm_tests/other/test_git_sync_worker.py +++ b/helm-tests/tests/helm_tests/other/test_git_sync_worker.py 
@@ -175,6 +175,7 @@ def test_should_set_password_file_env_variables_when_credentials_secret_is_confi "gitSync": { "enabled": True, "credentialsSecret": "user-pass-secret", + "usePasswordFile": True, } } },