diff --git a/chart/UPDATING.md b/chart/UPDATING.md index 6efb4d2697fc..835cefc5cc2b 100644 --- a/chart/UPDATING.md +++ b/chart/UPDATING.md @@ -56,6 +56,12 @@ The default Airflow version that is installed with the Chart is now ``2.1.0``, p This chart has dropped support for [Helm 2 as it has been deprecated](https://helm.sh/blog/helm-v2-deprecation-timeline/) and no longer receiving security updates since November 2020. +### `webserver.extraNetworkPolicies` and `flower.extraNetworkPolicies` parameters have been renamed + +`webserver.extraNetworkPolicies` and `flower.extraNetworkPolicies` have been renamed to `webserver.networkPolicy.ingress.from` and `flower.networkPolicy.ingress.from`, respectively. Their values and behavior are the same. + +The old parameter names will continue to work, however support for them will be removed in a future release so please update your values file. + ### Removed `dags.gitSync.root`, `dags.gitSync.dest`, and `dags.gitSync.excludeWebserver` parameters The `dags.gitSync.root` and `dags.gitSync.dest` parameters didn't provide any useful behaviors to chart users so they have been removed. diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 60a80f95902f..49ad09719f12 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt @@ -79,3 +79,20 @@ Information on how to set knownHosts can be found here: https://airflow.apache.org/docs/helm-chart/latest/production-guide.html#knownhosts {{- end }} + +{{- if .Values.flower.extraNetworkPolicies }} + +DEPRECATION WARNING: + `flower.extraNetworkPolicies` has been renamed to `flower.networkPolicy.peers`. + Please change your values as support for the old name will be dropped in a future release. + +{{- end }} + + +{{- if .Values.webserver.extraNetworkPolicies }} + +DEPRECATION WARNING: + `webserver.extraNetworkPolicies` has been renamed to `webserver.networkPolicy.peers`. + Please change your values as support for the old name will be dropped in a future release. + +{{- end }} diff --git a/chart/templates/flower/flower-networkpolicy.yaml b/chart/templates/flower/flower-networkpolicy.yaml index 3518338c6d4c..d9bf0f89da7c 100644 --- a/chart/templates/flower/flower-networkpolicy.yaml +++ b/chart/templates/flower/flower-networkpolicy.yaml @@ -21,6 +21,7 @@ {{- if .Values.flower.enabled }} {{- $celery_executors := list "CeleryExecutor" "CeleryKubernetesExecutor"}} {{- if and .Values.networkPolicies.enabled (has .Values.executor $celery_executors) }} +{{- $from := or .Values.flower.networkPolicy.ingress.from .Values.flower.extraNetworkPolicies }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -42,13 +43,17 @@ spec: release: {{ .Release.Name }} policyTypes: - Ingress -{{- if .Values.flower.extraNetworkPolicies }} +{{- if $from }} ingress: - from: -{{ toYaml .Values.flower.extraNetworkPolicies | indent 6 }} +{{ toYaml $from | indent 6 }} ports: - - protocol: TCP - port: {{ .Values.ports.flowerUI }} + {{ range .Values.flower.networkPolicy.ingress.ports }} + - + {{- range $key, $val := . }} + {{ $key }}: {{ tpl (toString $val) $ }} + {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/chart/templates/webserver/webserver-networkpolicy.yaml b/chart/templates/webserver/webserver-networkpolicy.yaml index 591a38c20266..65d0cb18eeb8 100644 --- a/chart/templates/webserver/webserver-networkpolicy.yaml +++ b/chart/templates/webserver/webserver-networkpolicy.yaml @@ -19,6 +19,7 @@ ## Airflow Webserver NetworkPolicy ################################# {{- if .Values.networkPolicies.enabled }} +{{- $from := or .Values.webserver.networkPolicy.ingress.from .Values.webserver.extraNetworkPolicies }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -40,12 +41,16 @@ spec: release: {{ .Release.Name }} policyTypes: - Ingress -{{- if .Values.webserver.extraNetworkPolicies }} +{{- if $from }} ingress: - from: -{{ toYaml .Values.webserver.extraNetworkPolicies | indent 6 }} +{{ toYaml $from | indent 6 }} ports: - - protocol: TCP - port: {{ .Values.ports.airflowUI }} + {{ range .Values.webserver.networkPolicy.ingress.ports }} + - + {{- range $key, $val := . }} + {{ $key }}: {{ tpl (toString $val) $ }} + {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/chart/tests/test_flower.py b/chart/tests/test_flower.py index ef44513084b6..bdfb48150fd1 100644 --- a/chart/tests/test_flower.py +++ b/chart/tests/test_flower.py @@ -321,3 +321,86 @@ def test_ports_overrides(self, ports, expected_ports): ) assert expected_ports == jmespath.search("spec.ports", docs[0]) + + +class TestFlowerNetworkPolicy: + def test_off_by_default(self): + docs = render_chart( + show_only=["templates/flower/flower-networkpolicy.yaml"], + ) + assert 0 == len(docs) + + def test_defaults(self): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "flower": { + "networkPolicy": { + "ingress": { + "from": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] + } + } + }, + }, + show_only=["templates/flower/flower-networkpolicy.yaml"], + ) + + assert 1 == len(docs) + assert "NetworkPolicy" == docs[0]["kind"] + assert [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] == jmespath.search( + "spec.ingress[0].from", docs[0] + ) + assert [{"port": "flower-ui"}] == jmespath.search("spec.ingress[0].ports", docs[0]) + + @pytest.mark.parametrize( + "ports, expected_ports", + [ + ( + [{"name": "{{ .Release.Name }}", "protocol": "UDP", "port": "{{ .Values.ports.flowerUI }}"}], + [{"name": "RELEASE-NAME", "protocol": "UDP", "port": 5555}], + ), + ([{"name": "only_sidecar", "port": "sidecar"}], [{"name": "only_sidecar", "port": "sidecar"}]), + ( + [ + {"name": "flower-ui", "port": "{{ .Values.ports.flowerUI }}"}, + {"name": "sidecar", "port": 80}, + ], + [ + {"name": "flower-ui", "port": 5555}, + {"name": "sidecar", "port": 80}, + ], + ), + ], + ) + def test_ports_overrides(self, ports, expected_ports): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "flower": { + "networkPolicy": { + "ingress": { + "from": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}], + "ports": ports, + } + } + }, + }, + show_only=["templates/flower/flower-networkpolicy.yaml"], + ) + + assert expected_ports == jmespath.search("spec.ingress[0].ports", docs[0]) + + def test_deprecated_from_param(self): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "flower": { + "extraNetworkPolicies": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] + }, + }, + show_only=["templates/flower/flower-networkpolicy.yaml"], + ) + + assert [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] == jmespath.search( + "spec.ingress[0].from", docs[0] + ) diff --git a/chart/tests/test_webserver.py b/chart/tests/test_webserver.py index 9bf54f22994b..17d37a205877 100644 --- a/chart/tests/test_webserver.py +++ b/chart/tests/test_webserver.py @@ -511,3 +511,85 @@ def test_webserver_config_configmap(self): "CSRF_ENABLED = True # RELEASE-NAME" == jmespath.search('data."webserver_config.py"', docs[0]).strip() ) + + +class WebserverNetworkPolicyTest(unittest.TestCase): + def test_off_by_default(self): + docs = render_chart( + show_only=["templates/webserver/webserver-networkpolicy.yaml"], + ) + assert 0 == len(docs) + + def test_defaults(self): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "webserver": { + "networkPolicy": { + "ingress": { + "from": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] + } + } + }, + }, + show_only=["templates/webserver/webserver-networkpolicy.yaml"], + ) + + assert 1 == len(docs) + assert "NetworkPolicy" == docs[0]["kind"] + assert [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] == jmespath.search( + "spec.ingress[0].from", docs[0] + ) + assert [{"port": "airflow-ui"}] == jmespath.search("spec.ingress[0].ports", docs[0]) + + @parameterized.expand( + [ + ( + [{"name": "{{ .Release.Name }}", "protocol": "UDP", "port": "{{ .Values.ports.airflowUI }}"}], + [{"name": "RELEASE-NAME", "protocol": "UDP", "port": 8080}], + ), + ([{"name": "only_sidecar", "port": "sidecar"}], [{"name": "only_sidecar", "port": "sidecar"}]), + ( + [ + {"name": "flower-ui", "port": "{{ .Values.ports.airflowUI }}"}, + {"name": "sidecar", "port": 80}, + ], + [ + {"name": "flower-ui", "port": 8080}, + {"name": "sidecar", "port": 80}, + ], + ), + ], + ) + def test_ports_overrides(self, ports, expected_ports): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "webserver": { + "networkPolicy": { + "ingress": { + "from": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}], + "ports": ports, + } + } + }, + }, + show_only=["templates/webserver/webserver-networkpolicy.yaml"], + ) + + assert expected_ports == jmespath.search("spec.ingress[0].ports", docs[0]) + + def test_deprecated_from_param(self): + docs = render_chart( + values={ + "networkPolicies": {"enabled": True}, + "webserver": { + "extraNetworkPolicies": [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] + }, + }, + show_only=["templates/webserver/webserver-networkpolicy.yaml"], + ) + + assert [{"namespaceSelector": {"matchLabels": {"release": "myrelease"}}}] == jmespath.search( + "spec.ingress[0].from", docs[0] + ) diff --git a/chart/values.schema.json b/chart/values.schema.json index 9c2dd942eb89..dead16564e7f 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -1626,10 +1626,43 @@ } }, "extraNetworkPolicies": { - "description": "Additional NetworkPolicies as needed.", + "description": "Additional NetworkPolicies as needed (Deprecated - renamed to `webserver.networkPolicy.ingress.from`).", "type": "array", "default": [] }, + "networkPolicy": { + "description": "Webserver NetworkPolicy configuration", + "type": "object", + "additionalProperties": false, + "properties": { + "ingress": { + "description": "Webserver NetworkPolicy ingress configuration", + "type": "object", + "additionalProperties": false, + "properties": { + "from": { + "description": "Peers for webserver NetworkPolicy ingress.", + "type": "array", + "default": [] + }, + "ports": { + "description": "Ports for webserver NetworkPolicy ingress (if `from` is set).", + "type": "array", + "default": [ + { + "port": "airflow-ui" + } + ], + "examples": [ + { + "port": "sidecar" + } + ] + } + } + } + } + }, "resources": { "description": "Resources for webserver pods.", "type": "object", @@ -1827,10 +1860,43 @@ ] }, "extraNetworkPolicies": { - "description": "Additional NetworkPolicies as needed.", + "description": "Additional NetworkPolicies as needed (Deprecated - renamed to `flower.networkPolicy.ingress.from`).", "type": "array", "default": [] }, + "networkPolicy": { + "description": "Flower NetworkPolicy configuration", + "type": "object", + "additionalProperties": false, + "properties": { + "ingress": { + "description": "Flower NetworkPolicy ingress configuration", + "type": "object", + "additionalProperties": false, + "properties": { + "from": { + "description": "Peers for flower NetworkPolicy ingress.", + "type": "array", + "default": [] + }, + "ports": { + "description": "Ports for flower NetworkPolicy ingress (if `from` is set).", + "type": "array", + "default": [ + { + "port": "flower-ui" + } + ], + "examples": [ + { + "port": "sidecar" + } + ] + } + } + } + } + }, "resources": { "description": "Resources for Flower pods.", "type": "object", diff --git a/chart/values.yaml b/chart/values.yaml index 50fa828436c1..4f9db128725d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -628,8 +628,15 @@ webserver: # Allow overriding Update Strategy for Webserver strategy: ~ - # Additional network policies as needed + # Additional network policies as needed (Deprecated - renamed to `webserver.networkPolicy.ingress.from`) extraNetworkPolicies: [] + networkPolicy: + ingress: + # Peers for webserver NetworkPolicy ingress + from: [] + # Ports for webserver NetworkPolicy ingress (if `from` is set) + ports: + - port: airflow-ui resources: {} # limits: @@ -720,8 +727,16 @@ flower: exec \ airflow {{ semverCompare ">=2.0.0" .Values.airflowVersion | ternary "celery flower" "flower" }} - # Additional network policies as needed + # Additional network policies as needed (Deprecated - renamed to `flower.networkPolicy.ingress.from`) extraNetworkPolicies: [] + networkPolicy: + ingress: + # Peers for flower NetworkPolicy ingress + from: [] + # Ports for flower NetworkPolicy ingress (if ingressPeers is set) + ports: + - port: flower-ui + resources: {} # limits: # cpu: 100m