AWS Secrets manager in helm chart for metadataConnection
Opened this issue · 0 comments
malaa-sa commented
Checks

- I have checked for existing issues.
- This report is about the User-Community Airflow Helm Chart.
Chart Version
1.12.0
Kubernetes Version
eks 1.28
Helm Version
version.BuildInfo{Version:"v3.14.0", GitCommit:"3fc9f4b2638e76f26739cd77c7017139be81d0ea", GitTreeState:"clean", GoVersion:"go1.21.6"}
Description
I am trying to find a way to pass RDS credentials to metadataConnection. It works with manual definition. However, when I try to pass the values through external secrets, it doesn't work and results in a podCreation error.
I created the below Kubernetes ExternalSecret.

Store:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: tf-eks-airflow-store
  namespace: airflow
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: airflow-worker
```
External secret:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: tf-eks-airflow-db-secret
  namespace: airflow
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: tf-eks-airflow-store
    kind: SecretStore
  target:
    name: tf-eks-airflow-db-secret
    creationPolicy: Owner
  data:
    - secretKey: user
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_user
    - secretKey: pass
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_password
    - secretKey: protocol
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_protocol
    - secretKey: port
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_port
    - secretKey: db
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_name
    - secretKey: host
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_host
    - secretKey: sslmode
      remoteRef:
        key: tf-eks-airflow-db-secret
        property: db_sslmode
```
Describe:

```
kubectl describe secret/tf-eks-airflow-db-secret -n airflow
Name:         tf-disco-eks-airflow-db-secret
Namespace:    airflow
Labels:       reconcile.external-secrets.io/created-by=165bb0f700f243e43dc09fdc3b8c41f4
Annotations:  reconcile.external-secrets.io/data-hash: 46e2369a206811c3a36d3dbeecb5a7d3

Type:  Opaque

Data
====
port:      4 bytes
protocol:  10 bytes
sslmode:   7 bytes
user:      15 bytes
db:        10 bytes
host:      47 bytes
pass:      19 bytes
```
In values.yaml:

```yaml
metadataConnection:
  user: airflow_db_user
  protocol: postgresql
  host: disco-app-db.disco-production.svc.cluster.local
  port: 5432
  db: airflow_db
  sslmode: disable
  existingSecret: tf-eks-airflow-db-secret
  pass: pass
```

I also tried using extraEnvFrom, but that also didn't work:

```yaml
extraEnvFrom: |
  - secretRef:
      name: tf-disco-eks-app-api-secret
```
Relevant Logs

```
kubectl get all --namespace=airflow
NAME                                       READY   STATUS                            RESTARTS      AGE
pod/airflow-redis-0                        1/1     Running                           0             24h
pod/airflow-run-airflow-migrations-wp88d   0/1     CreateContainerConfigError        0             19m
pod/airflow-scheduler-6b68955d6d-dbf5r     3/3     Running                           0             24h
pod/airflow-scheduler-7597c6ddfd-46dzr     0/3     Init:CreateContainerConfigError   0             19m
pod/airflow-triggerer-0                    0/3     Init:CreateContainerConfigError   0             31m
pod/airflow-webserver-55f6b49599-vldsz     0/1     Init:CreateContainerConfigError   0             19m
pod/airflow-webserver-fcd5bf797-szq52      1/1     Running                           1 (24h ago)   24h
pod/airflow-worker-0                       0/3     Pending                           0             24h

NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/airflow-redis       ClusterIP   172.20.132.34   <none>        6379/TCP   3d23h
service/airflow-triggerer   ClusterIP   None            <none>        8794/TCP   3d23h
service/airflow-webserver   ClusterIP   172.20.138.79   <none>        8080/TCP   3d23h
service/airflow-worker      ClusterIP   None            <none>        8793/TCP   3d23h

NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/airflow-scheduler   1/1     1            1           3d23h
deployment.apps/airflow-webserver   1/1     1            1           3d23h

NAME                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/airflow-scheduler-6b68955d6d   1         1         1       3d23h
replicaset.apps/airflow-scheduler-6c745966b4   0         0         0       31m
replicaset.apps/airflow-scheduler-7597c6ddfd   1         1         0       19m
replicaset.apps/airflow-scheduler-8699c5bb55   0         0         0       22m
replicaset.apps/airflow-webserver-55f6b49599   1         1         0       19m
replicaset.apps/airflow-webserver-6f9c9d4db4   0         0         0       22m
replicaset.apps/airflow-webserver-d45dcd959    0         0         0       31m
replicaset.apps/airflow-webserver-fcd5bf797    1         1         1       3d23h

NAME                                 READY   AGE
statefulset.apps/airflow-redis       1/1     3d23h
statefulset.apps/airflow-triggerer   0/1     3d23h
statefulset.apps/airflow-worker      0/1     3d23h

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/airflow-run-airflow-migrations   0/1           19m        19m
```

```
kubectl get secrets,secretstore -n airflow
NAME                                          TYPE                 DATA   AGE
secret/airflow-broker-url                     Opaque               1      3d23h
secret/airflow-fernet-key                     Opaque               1      3d23h
secret/airflow-metadata                       Opaque               1      23m
secret/airflow-redis-password                 Opaque               1      3d23h
secret/airflow-ssh-git-key                    Opaque               1      11d
secret/airflow-ssh-git-secret                 Opaque               1      11d
secret/airflow-ssh-git-secrets                Opaque               1      11d
secret/airflow-webserver-secret-key           Opaque               1      3d23h
secret/letsencrypt-production                 kubernetes.io/tls    2      9d
secret/sh.helm.release.v1.airflow.v1          helm.sh/release.v1   1      3d23h
secret/sh.helm.release.v1.airflow.v2          helm.sh/release.v1   1      32m
secret/sh.helm.release.v1.airflow.v3          helm.sh/release.v1   1      23m
secret/sh.helm.release.v1.airflow.v4          helm.sh/release.v1   1      20m
secret/tf-eks-airflow-db-secret               Opaque               7      66m
secret/tf-eks-airflow-sshkeysecret-secret     Opaque               1      11d
secret/tf-eks-airflow-webserver-secret-key    Opaque               1      5d2h

NAME                                                   AGE   STATUS   CAPABILITIES   READY
secretstore.external-secrets.io/tf-eks-airflow-store   11d   Valid    ReadWrite      True
```
Custom Helm Values
No response
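A pre-rollout check for setups like the one in this issue, added here as an example and not code from the issue, the chart or External Secrets Operator: `CreateContainerConfigError` is what the kubelet reports when a container's env `secretKeyRef` points at a Secret or a key inside it that does not exist, so it is worth verifying, before `helm upgrade`, that the Secret ESO synced carries every `secretKey` the ExternalSecret maps, with non-empty values, and that it also carries whatever key names the chart reads from `existingSecret`. The manifests below are constructed in-line to mirror the issue's ExternalSecret (same `secretKey`/`property` pairs); the Secret values are placeholders, and the chart key `pass` passed as `chart_keys` is an assumption taken from the values snippet, not something looked up in the chart.

```python
"""Verify that an ESO-synced Kubernetes Secret matches what an ExternalSecret maps
and what a Helm chart expects to read from it (added example, inputs constructed)."""
import base64
from typing import Dict, Iterable, List


def _b64(text: str) -> str:
    """Encode the way Kubernetes stores Secret data: base64 of the raw bytes."""
    return base64.b64encode(text.encode()).decode()


# Constructed: secretKey -> remoteRef.property, mirroring the issue's ExternalSecret.
PROPERTY_MAP = {
    "user": "db_user",
    "pass": "db_password",
    "protocol": "db_protocol",
    "port": "db_port",
    "db": "db_name",
    "host": "db_host",
    "sslmode": "db_sslmode",
}

# Constructed: the ExternalSecret as `kubectl get externalsecret -o json` would show it.
EXTERNAL_SECRET = {
    "kind": "ExternalSecret",
    "metadata": {"name": "tf-eks-airflow-db-secret", "namespace": "airflow"},
    "spec": {
        "target": {"name": "tf-eks-airflow-db-secret"},
        "data": [
            {"secretKey": key, "remoteRef": {"key": "tf-eks-airflow-db-secret", "property": prop}}
            for key, prop in PROPERTY_MAP.items()
        ],
    },
}


def make_secret(values: Dict[str, str], name: str = "tf-eks-airflow-db-secret") -> dict:
    """Build a Secret object shaped like `kubectl get secret -o json` output (constructed)."""
    return {
        "kind": "Secret",
        "metadata": {"name": name, "namespace": "airflow"},
        "type": "Opaque",
        "data": {k: _b64(v) for k, v in values.items()},
    }


# Constructed healthy case: every mapped key present with a placeholder value.
SECRET_OK = make_secret({
    "user": "airflow_db_user", "pass": "placeholder-password", "protocol": "postgresql",
    "port": "5432", "db": "airflow_db", "host": "db.example.internal", "sslmode": "disable",
})

# Constructed failure case: the remote JSON had an empty db_password and no db_sslmode,
# so ESO wrote an empty 'pass' and never created 'sslmode'.
SECRET_BROKEN = make_secret({
    "user": "airflow_db_user", "pass": "", "protocol": "postgresql",
    "port": "5432", "db": "airflow_db", "host": "db.example.internal",
})


def mapped_keys(external_secret: dict) -> List[str]:
    """Secret keys the ExternalSecret promises to populate."""
    return [entry["secretKey"] for entry in external_secret["spec"]["data"]]


def check_existing_secret(secret: dict, external_secret: dict, chart_keys: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the synced Secret against the ExternalSecret mapping and the chart's expected keys.

    Returns findings: 'name_mismatch' if the Secret is not the ExternalSecret's target,
    'missing' for expected keys absent from data, 'empty' for keys present but zero-length.
    """
    data = secret.get("data", {})
    findings: Dict[str, List[str]] = {"name_mismatch": [], "missing": [], "empty": []}
    target = external_secret["spec"]["target"]["name"]
    if secret["metadata"]["name"] != target:
        findings["name_mismatch"].append(f"{secret['metadata']['name']} != {target}")
    expected = set(mapped_keys(external_secret)) | set(chart_keys)
    for key in sorted(expected):
        if key not in data:
            findings["missing"].append(key)
        elif base64.b64decode(data[key]) == b"":
            findings["empty"].append(key)
    return findings


def is_safe_to_deploy(findings: Dict[str, List[str]]) -> bool:
    """True only when no finding category has entries."""
    return not any(findings.values())


if __name__ == "__main__":
    for label, secret in (("ok", SECRET_OK), ("broken", SECRET_BROKEN)):
        result = check_existing_secret(secret, EXTERNAL_SECRET, chart_keys=["pass"])
        print(label, "safe" if is_safe_to_deploy(result) else "blocked", result)
```

Against a live cluster the two inputs would come from `kubectl get externalsecret <name> -o json` and `kubectl get secret <name> -o json`; the check never decodes or prints the secret values themselves, only whether each expected key exists and is non-empty. Passing a different `chart_keys` list (for example `["password"]`) is the quick way to see whether the key names ESO writes line up with the names the chart reads.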