airflow icon indicating copy to clipboard operation
airflow copied to clipboard
verified publisher icon apache

Chart: Fix cluster-wide RBAC naming clash when using multiple multiNamespace releases with the same name

Open mewa opened this issue 2 years ago • 5 comments

Currently, when deploying multiple releases that share the same release name in different namespaces deployment is failing due to a naming clash of the cluster-scoped RBAC resources.

This PR introduces changes that make sure that ClusterRoles and ClusterRoleBindings are uniquely named according to both the release name, as well as the release namespace, thus solving the naming clash.

Steps to reproduce current behavior:

  1. Create namespace airflow-a
  2. Install helm chart release named airflow into namespace airflow-a with multiNamespaceMode: true
  3. Create namespace airflow-b
  4. Install helm chart release named airflow into namespace airflow-b with multiNamespaceMode: true
  5. Installing the helm chart will fail due to a naming clash of the cluster-wide RBAC resources

Related: #31613 (closed, resubmitting with updated tests)

^ Add meaningful description above Read the Pull Request Guidelines for more information. In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed. In case of a new dependency, check compliance with the ASF 3rd Party License Policy. In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

mewa avatar Feb 06 '24 12:02 mewa

Multinamespace is not yet fully supported. It should be added with https://github.com/apache/airflow/pull/35639

eladkal avatar Feb 06 '24 12:02 eladkal

Multinamespace is not yet fully supported. It should be added with #35639

I took a quick look at it and they seem to support different scenarios. I believe the above PR means to introduce fine-grained RBAC controls when using multiNamespaceMode, to have better control over security when deploying a single Airflow instance to run workloads across multiple namespaces.

Whereas, this PR fixes the behaviour with the existing multiNamespaceMode where it's only possible to have a single such deployment per cluster. The scenario here is to have multiple Airflow instances (in different namespaces), each of which runs workloads across multiple namespaces.

mewa avatar Feb 06 '24 12:02 mewa

@amoghrajesh It already defaults to false

https://github.com/apache/airflow/blob/4c3732850f5f1c640eefad7f1bc7dbc80c6b76f9/chart/values.yaml#L2389-L2391

mewa avatar Feb 12 '24 12:02 mewa

Static checks are failing

eladkal avatar Feb 15 '24 06:02 eladkal

I updated the newsfragment to satisfy the checks. I also moved it to significant type since it involves renaming of the resources.

mewa avatar Feb 20 '24 09:02 mewa

Ah... We already had a lot of eyes I see..

potiuk avatar Mar 14 '24 22:03 potiuk

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

boring-cyborg[bot] avatar Mar 21 '24 14:03 boring-cyborg[bot]

Thanks @mewa! Congrats on your first commit 🍺

jedcunningham avatar Mar 21 '24 14:03 jedcunningham