# Based on discussion with the ecosystem team (Pris), we have
# decided to create an airflow-core package in enterprise, as
# it is installed with `--user` unlike system site-packages.
# This is done to match the upstream apache/airflow:slim-latest
# image and address customer needs.
package:
  name: airflow-core
  version: 2.10.4
  epoch: 100
  description: Minimal Airflow core - Platform to programmatically author, schedule, and monitor workflows
  dependencies:
    runtime:
      - bash
      - busybox
      - curl
      - cyrus-sasl
      - findutils
      - glibc-locale-en
      - glibc-locales
      - gnupg-utils
      - gzip
      - mariadb
      - openssl
      - postgresql-client
      - python-${{vars.py-version}}
  copyright:
    - license: Apache-2.0
# As of now airflow primarily supports Python 3.12 and will break on Python 3.13.
# For reference: https://airflow.apache.org/blog/airflow-2.9.0
vars:
  py-version: 3.12
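# Note: py-version is interpolated into the package names above and below,
# e.g. python-${{vars.py-version}} resolves to python-3.12 and py${{vars.py-version}}-pip to py3.12-pip.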
environment:
  contents:
    packages:
      - busybox
      - patch
      - py${{vars.py-version}}-build-bin
      - py${{vars.py-version}}-pip
      - python-${{vars.py-version}}
      - python-${{vars.py-version}}-dev
pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/apache/airflow
      tag: ${{package.version}}
      expected-commit: c083e456fa02c6cb32cdbe0c9ed3c3b2380beccd
  - runs: |
      # Install airflow core; upstream uses /home/airflow/.local as the `--user` install directory
      export PYTHONUSERBASE=${{targets.destdir}}/home/airflow/.local
      pip install --no-cache-dir --user apache-airflow[core]==${{package.version}}
      # Fixes for GHSA-8w49-h785-mj3c / GHSA-8495-4g3g-x7pr / GHSA-27mf-ghqm-j3j8
      # (specifiers are quoted so the shell does not parse '>=' as an output redirection)
      pip install --no-cache-dir --user 'aiohttp>=3.10.11' 'tornado>=6.4.2'
      pip install --no-cache-dir --user --force-reinstall packaging statsd
      # Patch to handle instances of md5 used for non-security purposes in airflow
      # by adding usedforsecurity=False to the hashlib wrapper.
      # We can't use the patch pipeline because we install via pip,
      # so we patch the installed files in site-packages instead.
      patch -p1 -d "${{targets.destdir}}/home/airflow/.local/lib/python${{vars.py-version}}/site-packages" < handle-md5.patch
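      # Illustrative example of the change handle-md5.patch makes (the exact hunks live in the patch file):
      #   before: hashlib.md5(data).hexdigest()
      #   after:  hashlib.md5(data, usedforsecurity=False).hexdigest()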
      # CVE-2024-6345 GHSA-cx63-2mw6-8hw5
      # setuptools comes in via airflow/providers/google/provider.yaml, which requires
      # gcloud-aio-auth>=4.0.0,<5.0.0. gcloud-aio-auth 4 is backlevel and lists
      # setuptools in its pyproject.toml 'tool.poetry.dependencies'.
      # tl;dr: for this case it is not needed at runtime.
      pip uninstall --yes setuptools
      # For CVE-2024-34069 GHSA-2g68-c3qc-8985
      # The vulnerability affects werkzeug < 3.0.3; however, airflow is unable to upgrade to werkzeug 3+ https://github.com/apache/airflow/blob/2d53c1089f78d8d1416f51af60e1e0354781
      # We can't bump werkzeug for now due to this known upstream issue https://github.com/pallets/flask/issues/5279
      find . -name '__pycache__' -exec rm -rf {} +
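# The resulting package ships the Airflow CLI at /home/airflow/.local/bin/airflow, with
# its libraries under /home/airflow/.local/lib/python${{vars.py-version}}/site-packages;
# the oci-entrypoint subpackage below relies on this layout.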
# We can't re-use the airflow-compat subpackage from the airflow package in wolfi/os
# because it pulls in full airflow and hence bloats the size.
subpackages:
  - name: ${{package.name}}-compat
    dependencies:
      runtime:
        - ${{package.name}}
    pipeline:
      - runs: |
          # Symlink libstdc++ from /usr/lib to /usr/lib/$(uname -m)-linux-gnu/
          mkdir -p ${{targets.subpkgdir}}/usr/lib/$(uname -m)-linux-gnu
          ln -sf /usr/lib/libstdc++.so.6 ${{targets.subpkgdir}}/usr/lib/$(uname -m)-linux-gnu/
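          # Presumably for consumers that expect the Debian-style multiarch layout,
          # e.g. /usr/lib/x86_64-linux-gnu/libstdc++.so.6 on x86_64.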
  - name: ${{package.name}}-oci-entrypoint
    description: Entrypoint for using airflow-core in OCI containers
    dependencies:
      runtime:
        - ${{package.name}}
    pipeline:
      - runs: |
          mkdir -p ${{targets.contextdir}}/opt/airflow/dags
          mkdir -p ${{targets.contextdir}}/opt/airflow/logs
          mkdir -p ${{targets.contextdir}}/scripts/docker
          # The first time you run Airflow, it creates a file called `airflow.cfg` in
          # the `$AIRFLOW_HOME` directory.
          # However, for production use it is advised to generate the configuration up front.
          export PYTHONPATH=${{targets.destdir}}/home/airflow/.local/lib/python${{vars.py-version}}/site-packages
          ${{targets.destdir}}/home/airflow/.local/bin/airflow config list --defaults > ${{targets.contextdir}}/opt/airflow/airflow.cfg
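          # Airflow also reads AIRFLOW__{SECTION}__{KEY} environment variables, which
          # override airflow.cfg values at container runtime,
          # e.g. AIRFLOW__CORE__LOAD_EXAMPLES=False.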
          cp airflow/config_templates/default_webserver_config.py ${{targets.contextdir}}/
          install -Dm755 scripts/docker/entrypoint_prod.sh ${{targets.contextdir}}/entrypoint
          install -Dm755 scripts/docker/clean-logs.sh ${{targets.contextdir}}/clean-logs
          install -Dm755 scripts/docker/airflow-scheduler-autorestart.sh ${{targets.contextdir}}/airflow-scheduler-autorestart
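          # Illustrative usage (not executed here): an image consuming this subpackage
          # would typically set AIRFLOW_HOME=/opt/airflow and use /entrypoint as its OCI
          # entrypoint, passing an Airflow subcommand such as `webserver` or `scheduler`.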
update:
  enabled: true
  ignore-regex-patterns:
    - 'rc\d+$'
    - 'helm-chart*'
  github:
    identifier: apache/airflow