airflow-helm / charts

The User-Community Airflow Helm Chart is the standard way to deploy Apache Airflow on Kubernetes with Helm. Originally created in 2017, it has since helped thousands of companies create production-ready deployments of Airflow on Kubernetes.
https://github.com/airflow-helm/charts/tree/main/charts/airflow
Apache License 2.0

support vault sidecar-injection with `airflow.usersTemplates` #363

Open thesuperzapper opened 3 years ago

thesuperzapper commented 3 years ago

We support referencing Secrets/ConfigMaps with `airflow.usersTemplates`, which allows users to integrate with their HashiCorp Vault using tools like kubernetes-external-secrets.

However, the first-class method of secret injection in Vault is the sidecar-injection method, which makes use of annotations that tell Vault to sync a file into a Pod's filesystem.

We should let users reference a file in the Pod's filesystem with `airflow.usersTemplates`, for example:

```yaml
airflow:
  users:
    - username: admin
      password: ${MY_PASSWORD}
      role: Admin
      email: admin@example.com
      firstName: admin
      lastName: admin

  usersTemplates:
    MY_PASSWORD:
      kind: file
      path: /vault/secrets/MY_PASSWORD

  sync:
    podAnnotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/role: "airflow"
      vault.hashicorp.com/agent-inject-secret-MY_PASSWORD: "airflow/users/admin/password"
```

We should also:
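
Added example, not part of the issue or the chart's own code: one way a sync script could resolve the proposed `kind: file` templates, confining reads to the injected-secrets directory and failing closed on a missing or empty value. The names `load_file_templates`, `render_users` and `SECRETS_ROOT` are hypothetical, and `kind: file` is the proposal above, not an existing chart option.

```python
import os
import string
import tempfile

SECRETS_ROOT = "/vault/secrets"  # assumption: directory the Vault sidecar renders into


def load_file_templates(users_templates, root=SECRETS_ROOT):
    """Read every `kind: file` template, refusing paths that resolve outside `root`."""
    root = os.path.realpath(root)
    values = {}
    for name, spec in users_templates.items():
        if spec.get("kind") != "file":
            continue  # other kinds (Secret/ConfigMap references) are out of scope here
        path = os.path.realpath(spec["path"])  # resolves symlinks and ".."
        if os.path.commonpath([root, path]) != root:
            raise ValueError(f"template {name}: {spec['path']} is outside {root}")
        with open(path, encoding="utf-8") as fh:
            value = fh.read().rstrip("\r\n")  # rendered files often end in a newline
        if not value:
            raise ValueError(f"template {name}: {path} is empty")
        values[name] = value
    return values


def render_users(users, values):
    """Substitute ${NAME} in each user field; an unresolved name raises KeyError."""
    return [
        {k: string.Template(v).substitute(values) for k, v in user.items()}
        for user in users
    ]


def demo():
    # Constructed sample: a temporary directory stands in for /vault/secrets.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "MY_PASSWORD"), "w", encoding="utf-8") as fh:
            fh.write("s3cr3t-from-vault\n")
        templates = {"MY_PASSWORD": {"kind": "file", "path": f"{root}/MY_PASSWORD"}}
        users = [{"username": "admin", "password": "${MY_PASSWORD}", "role": "Admin"}]
        return render_users(users, load_file_templates(templates, root))
```

Raising on an unresolved `${NAME}` or an empty file keeps the sync from creating a user whose password is the literal template string or blank if the sidecar has not rendered the secret yet.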

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

thesuperzapper commented 3 years ago

Bumping for bot.
