czerbinati opened a new issue, #22914:
URL: https://github.com/apache/airflow/issues/22914
### Official Helm Chart version
1.2.0
### Apache Airflow version
2.0.1
### Kubernetes Version
1.21
### Helm Chart configuration
Hi all, I'm trying to mount a private key as a secret in worker nodes, and
for that I'm using the extraVolume section for workers, where I define the name:
```
- name: airflow-ssh-secret
  secret:
    secretName: airflow-ssh-secret
    defaultMode: 0400
```
And then the extraVolumeMounts:
```
- name: airflow-ssh-secret
  mountPath: "/opt/airflow/keys/airflow-ssh-secret"
  readOnly: true
```
I'm also running the value file with the following uid and gid (I customized
a bit the docker image):
```
uid: 15012
gid: 5000
```
I generated the secret with this command:
```
kubectl create secret generic airflow-ssh-secret \
  --from-file=ssh-privatekey=airflow_sec -n airflow
```
Where `airflow_sec` is a private key in OpenSSH format
### Docker Image customisations
The docker image is the official one from the repository:
```
FROM apache/airflow:2.0.1
```
With the difference that I changed uid and gid for the standard user like
this:
```
RUN groupadd -g 5000 groupname && \
    usermod -u 15012 -g 5000 airflow && \
    groupadd -g 15023 ftp && \
    usermod -a -G 15023 airflow && \
    find / -xdev -user 50000 -exec chown -h airflow {} \; && \
    find / -xdev -group $(id -g airflow) -exec chgrp -h groupname {} \;
```
And installed a few packages from a requirements file as pasted below:
```
apache-airflow[crypto,celery,jdbc,password,redis,ssh,oracle]==2.0.1
psycopg2-binary==2.8.6
SQLAlchemy==1.3.23
pyarrow==4.0.0
xlrd==2.0.1
openpyxl==3.0.7
apache-airflow-providers-jdbc==1.0.1
apache-airflow-providers-oracle==1.1.0
azure-storage-file-share==12.6.0
```
### What happened
I'm deploying on an AKS (Azure Kubernetes Service) cluster in the namespace
called `airflow`, every deploy goes fine, but when we run a DAG that uses the
SFTPOperator we receive the following error:
```
[2022-03-23 11:18:18,680] {taskinstance.py:1455} ERROR - Error while transferring None, error: not a valid RSA private key file
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.6/site-packages/airflow/providers/sftp/operators/sftp.py", line 123, in execute
    self.ssh_hook = SSHHook(ssh_conn_id=self.ssh_conn_id)
  File "/home/airflow/.local/lib/python3.6/site-packages/airflow/providers/ssh/hooks/ssh.py", line 132, in __init__
    self.pkey = paramiko.RSAKey.from_private_key(StringIO(private_key))
  File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/pkey.py", line 256, in from_private_key
    key = cls(file_obj=file_obj, password=password)
  File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/rsakey.py", line 52, in __init__
    self._from_private_key(file_obj, password)
  File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/rsakey.py", line 179, in _from_private_key
    data = self._read_private_key("RSA", file_obj, password)
  File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/pkey.py", line 324, in _read_private_key
    raise SSHException("not a valid {} private key file".format(tag))
paramiko.ssh_exception.SSHException: not a valid RSA private key file
```
I checked the key if it was working correctly and it was, since I can
connect to the server using the `ssh` command inside the pod as you can see
here below:
```
airflow@airflow-worker-1:/opt/airflow$ ssh -i /opt/airflow/keys/airflow-ssh-secret/ssh-privatekey [email protected]
Linux somesftp.com 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 11 16:01:28 2022 from some_ip_here
sftp_user@somesftp:~$
```
The Paramiko Version obtained with `pip show paramiko` is:
```
airflow@airflow-worker-1:/opt/airflow$ pip show paramiko
Name: paramiko
Version: 2.7.2
Summary: SSH2 protocol library
Home-page: https://github.com/paramiko/paramiko/
Author: Jeff Forcier
Author-email: [email protected]
License: LGPL
Location: /home/airflow/.local/lib/python3.6/site-packages
Requires: bcrypt, pynacl, cryptography
Required-by: sshtunnel, pysftp, apache-airflow-providers-ssh, apache-airflow-providers-sftp
```
So it should support OpenSSH RSA private key, this is the format of the
secret key.
Could it be because permissions on file mount are not correct?
I tried every single mount variation on `defaultMode`, binary, octal and
decimal, every mode will result in this:
```
lrwxrwxrwx 1 root groupname 21 Mar 22 16:29 ssh-privatekey -> ..data/ssh-privatekey
```
### What you think should happen instead
It should connect with the SFTP service without error, as the base library
for the SFTP is the same as SSH
### How to reproduce
Using the helm chart version 1.2.0 with airflow version 2.0.1 and try to
mount an SSH private key in worker pods, with the same libraries as above and
the same command for `kubectl create secret`
The variable that contains the path to the keyfile is defined in Airflow
Variables section of the webserver, and then used in the DAG simply referring to
the name
### Anything else
This problem happens every time we use the SFTPOperator.
Sorry if there could be some errors or maybe not a well structured English,
I'm trying to do my best to give you a full description for this error, if
there are further clarification needed, I'm available.
Thanks a lot.
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
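
A diagnostic sketch for the two questions this report raises (an added example, not part of the original issue and not Airflow or paramiko code): it classifies the text that would reach a key loader such as the `RSAKey.from_private_key(StringIO(private_key))` call in the traceback, and it reports the mode of the file a Secret-volume symlink resolves to. The function names and the sample key container are constructed for illustration; the sample holds no usable key material.

```python
import base64, os, stat, struct

MAGIC = b"openssh-key-v1\x00"  # magic at the start of an OpenSSH-format private key blob

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n

def classify_key_text(text):
    """Return (container, key_type) for the text handed to a key loader."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return ("not-pem", None)  # e.g. a file path or an empty value, not key text
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "RSA PRIVATE KEY":
        return ("pem-pkcs1", "ssh-rsa")
    if label != "OPENSSH PRIVATE KEY":
        return ("pem-other", label)
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        return ("openssh-corrupt", None)
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    off += 4  # uint32 number of keys
    pub, _ = _read_string(blob, off)  # first public key blob
    key_type, _ = _read_string(pub, 0)  # e.g. ssh-rsa, ssh-ed25519
    return ("openssh-v1", key_type.decode())

def effective_mode(path):
    """Mode of the file the path resolves to, and whether the path itself is a symlink."""
    return stat.S_IMODE(os.stat(path).st_mode), os.path.islink(path)

def make_sample(key_type):
    """Constructed, non-functional OpenSSH container carrying only a key-type tag."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(key_type.encode()) + s(b"\x00" * 32)
    blob = MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1) + s(pub) + s(b"")
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(classify_key_text(make_sample("ssh-ed25519")))
    print(classify_key_text("/opt/airflow/keys/airflow-ssh-secret/ssh-privatekey"))
```

`ls -l` always prints `lrwxrwxrwx` for a symlink, so the listing in the report shows the link and not the permissions set by `defaultMode`; `effective_mode` follows the link to the `..data/ssh-privatekey` target.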