Airflow with Kubernetes

Remove and reinstall a customized airflow chart

re-install-airflow-chart.sh:

cat re-install-airflow-chart.sh
#!/bin/bash
# Uninstall the release; --keep-history retains the release records.
helm uninstall person-airflow --keep-history

# Delete the chart's secrets left behind after the uninstall.
kubectl delete secret person-airflow-broker-url
kubectl delete secret person-airflow-fernet-key
kubectl delete secret person-airflow-redis-password
# Delete the Helm release history records (one secret per revision).
kubectl delete secret sh.helm.release.v1.person-airflow.v1
kubectl delete secret sh.helm.release.v1.person-airflow.v2
kubectl delete secret sh.helm.release.v1.person-airflow.v3
kubectl delete secret sh.helm.release.v1.person-airflow.v4
kubectl delete secret sh.helm.release.v1.person-airflow.v5
kubectl delete secret sh.helm.release.v1.person-airflow.v6
kubectl delete secret sh.helm.release.v1.person-airflow.v7

# Delete the persistent volume claims (database, logs and Redis data are lost).
kubectl delete pvc data-person-airflow-postgresql-0
kubectl delete pvc logs-person-airflow-triggerer-0
kubectl delete pvc logs-person-airflow-worker-0
kubectl delete pvc redis-db-person-airflow-redis-0

# Reinstall from the local chart directory; stop if it is missing.
cd person-airflow-chart/ || exit 1
helm upgrade -i person-airflow . --debug

Postgres vault configuration

If we want Airflow to use a specific schema, the Vault-generated user is not the owner by default, so we need to define a Vault role statement such as the one below to fix that.
Beware: the last grant is mandatory.

vault write database/roles/my-role \
    db_name="my-postgresql-database" \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; \
        GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA airflow TO \"{{name}}\"; \
        GRANT USAGE ON ALL SEQUENCES IN SCHEMA airflow TO \"{{name}}\"; \
        GRANT USAGE ON SCHEMA airflow TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"

Another problem we can encounter:

  File "/home/airflow/.local/lib/python3.11/site-packages/hvac/utils.py", line 41, in raise_for_error
    raise exceptions.VaultError.from_status(
hvac.exceptions.InternalServerError: 1 error occurred:
        * failed to execute query: ERROR: row is too big: size 8168, maximum size 8160 (SQLSTATE 54000)
 
, on get http://host.minikube.internal:8200/v1/database/creds/my-role

To fix that, we need to delete the temporary roles created by Vault when we request credentials.
List the temporary Vault roles:

SELECT * FROM information_schema.tables;
select * from pg_roles where rolname like 'v-kubernet%';

We cannot delete these roles until the objects they own have been reassigned to another user/role. Concretely, for a generated role, the 3 steps are:

REASSIGN OWNED BY "v-kubernet-my-role-fvVRJSZULx065SFCCgXl-1725612653" TO postgres;
DROP OWNED BY "v-kubernet-my-role-fvVRJSZULx065SFCCgXl-1725612653";
DROP ROLE "v-kubernet-my-role-fvVRJSZULx065SFCCgXl-1725612653";

We can generate these statements for every role created by vault:

select 'REASSIGN OWNED BY "' || rolname || '" TO postgres;' ||
' DROP OWNED BY "' || rolname || '";' ||
' DROP ROLE "' || rolname || '";'
from pg_roles where rolname like 'v-kubernet%';
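
An added example, not from the original post: the same generator restricted to roles whose VALID UNTIL (set by the creation statement above) has passed and that have no open session, so credentials still in use are left alone. It assumes psql (for \gexec) and reuses the page's 'v-kubernet%' prefix and postgres as the new owner; the CTE and column names are illustrative.

```sql
-- Added example. REASSIGN OWNED / DROP OWNED only act on the current database,
-- so run this in each database where the Vault roles own objects.
WITH vault_roles AS (
    SELECT r.rolname,
           r.rolvaliduntil,
           -- true when the role still has a connection open
           EXISTS (SELECT 1
                   FROM pg_stat_activity a
                   WHERE a.usename = r.rolname) AS has_session
    FROM pg_roles r
    WHERE r.rolname LIKE 'v-kubernet%'
)
-- One statement per column: \gexec runs them left to right, row by row.
-- %I quotes the role name as an identifier.
SELECT format('REASSIGN OWNED BY %I TO postgres', rolname),
       format('DROP OWNED BY %I', rolname),
       format('DROP ROLE %I', rolname)
FROM vault_roles
-- A NULL rolvaliduntil (no expiry) never matches, so such roles are kept.
WHERE rolvaliduntil < now()
  AND NOT has_session
ORDER BY rolvaliduntil
\gexec
```

Replace `\gexec` with `;` to preview the generated statements without executing them.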