Support driver pod kubernetes credentials mounting in V2 #246
Conversation
|
rerun unit tests please |
| " authenticating against Kubernetes. Typically this is configured by spark-submit from" + | ||
| " mounting a secret from the submitting machine into the pod, and hence this" + | ||
| " configuration is marked as internal, but this can also be set manually to" + | ||
| " use a certificate that is mounted into the driver pod via other means.") |
| " authenticating against Kubernetes. Typically this is configured by spark-submit from" + | ||
| " mounting a secret from the submitting machine into the pod, and hence this" + | ||
| " configuration is marked as internal, but this can also be set manually to" + | ||
| " use a certificate that is mounted into the driver pod via other means.") |
| * This client is primarily designed in a piecewise manner, where different aspects of the driver's | ||
| * execution are managed by separate components. This allows each component to be tested | ||
| * individually. The component providers are dependency-injected into the client via the | ||
| * constructor, thus allowing the providers to be stubbed out in testing the client class. |
| } | ||
|
|
||
| override def createCredentialsSecret(): Option[Secret] = { | ||
| val allSecretData = resolveSecretData( |
There was a problem hiding this comment.
nit: drop resolveSecretData onto the next line so it lines up with the other resolveSecretDatas
|
|
||
| /** | ||
| * Mount any Kubernetes credentials from the submitting machine's disk into the | ||
| * driver pod. |
There was a problem hiding this comment.
note that the credentialsSecret passed in here is the output of createCredentialsSecret(), allowing implementations of this trait to not have to save state between method invocations
| // Tests with local dependencies with the mounted dependency manager. | ||
| test("Uploading local dependencies should create Kubernetes secrets and config map") { | ||
| val initContainerConfigMap = getInitContainerConfigMap() | ||
| val initContainerSecret = getInitContainerSecret() |
There was a problem hiding this comment.
after this change is initContainerSecret's type ConfigMap or a () -> ConfigMap function that creates it?
What's Spark style? cc @tnachen
| } | ||
|
|
||
| private def getInitContainerSecret(): Secret = { | ||
| private def getInitContainerSecret: Secret = { |
There was a problem hiding this comment.
I think Spark style is to not use getX for getters.
http://docs.scala-lang.org/style/naming-conventions.html#methods
| APP_ID, KubernetesCredentials(None, None, None, None), None, None, None, None) | ||
|
|
||
| // Test matrices | ||
| private val TEST_MATRIX_EXPECTED_SPARK_CONFS = Table( |
| kubernetesTestComponents.clientConfig.getClientCertFile) | ||
| sparkConf.set(KUBERNETES_DRIVER_CA_CERT_FILE, | ||
| kubernetesTestComponents.clientConfig.getCaCertFile) | ||
| runSparkAppAndVerifyCompletion(SparkLauncher.NO_RESOURCE) |
There was a problem hiding this comment.
this verifies that the spark app finishes when these confs are set, but I'm not sure it verifies that the key/cert files are used when requesting (e.g. this conf could just be ignored and the test would still pass). How can we test those?
| basePod, driverContainer.getName, driverPodKubernetesCredentialsSecret) | ||
| nonDriverPodKubernetesResources ++= driverPodKubernetesCredentialsSecret.toSeq | ||
| val sparkConfWithDriverPodKubernetesCredentialLocations = | ||
| driverPodKubernetesCredentialsMounter.setDriverPodKubernetesCredentialLocations(sparkConf) |
There was a problem hiding this comment.
I wonder if it's better to have this be all one method that returns a tuple of values, some new and some updated, and then apply those appropriately. E.g. (driverPodWithMountedCreds, sparkConfWithMountedCredLocations)
Would that save any complexity here?
mccheah
force-pushed
the
submission-v2-kubernetes-credentials
branch
from
95fa714 to
940bc9e
Compare
mccheah
changed the base branch from
init-container-downloads-remote-files
to
init-containers-on-executors-with-remote-files
|
rerun unit tests please |
|
rerun integration test please |
mccheah
force-pushed
the
submission-v2-kubernetes-credentials
branch
from
dc19d14 to
c2bbe6f
Compare
mccheah
changed the base branch from
init-containers-on-executors-with-remote-files
to
branch-2.1-kubernetes
ash211
changed the title
| runSparkPiAndVerifyCompletion(SparkLauncher.NO_RESOURCE) | ||
| } | ||
|
|
||
| test("Use client key and client cert file when requesting executors") { |
There was a problem hiding this comment.
is minikube configured at this point to require auth via the key/cert and CA cert files? Theoretically this test could pass because nothing happens to the config, rather than that the config is set and used in the request to the apiserver which requires the auth config
There was a problem hiding this comment.
I was under the impression it either needs the service account token or the client key-cert pair. It's unfortunately difficult to test just this in isolation since we fall back to using the service account token if the user does not provide other credentials.
There was a problem hiding this comment.
Oh yeah, we'd need to configure minikube specially for this, or inspect minikube output to verify this. Without a reasonably available way to verify this, I think the test is good as is.
[NOSQUASH] Resync from apache-spark-on-k8s upstream
2 participants
Implements #192 for submission v2.