Airflow webserver UI

This PS adds deployment with Airflow webserver UI in viewer mode
protected by base http autorization and exposed via ingress.

Change-Id: I5692eecf5a9af2930f8cce98b7a1e430f26b5a1b
Signed-off-by: Sergiy Markin <smarkin@mirantis.com>

.gitignore

@@ -133,3 +133,4 @@ latest
 src/bin/shipyard_airflow/shipyard_airflow/config
 src/bin/shipyard_airflow/shipyard_airflow/webserver_config.py
 airflow-runtime
+shipyard.yaml

charts/shipyard/Chart.yaml

@@ -16,7 +16,8 @@
 apiVersion: v1
 description: A Helm chart for Shipyard and Airflow
 name: shipyard
-version: 0.2.0
+version: 0.2.1
+appVersion: 2.6.2
 keywords:
 - shipyard
 - airflow

charts/shipyard/templates/bin/_apache.sh.tpl

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ev
+
+COMMAND="${@:-start}"
+
+function start () {
+
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/httpd/apache2/envvars
+  fi
+  # Apache gets grumpy about PID files pre-existing
+  rm -f /etc/httpd/logs/httpd.pid
+
+  if [ -f /usr/local/apache2/conf/.htpasswd ]; then
+    htpasswd -b /usr/local/apache2/conf/.htpasswd "$AIRFLOW_USERNAME" "$AIRFLOW_PASSWORD"
+  else
+    htpasswd -cb /usr/local/apache2/conf/.htpasswd "$AIRFLOW_USERNAME" "$AIRFLOW_PASSWORD"
+  fi
+
+  #Launch Apache on Foreground
+  exec httpd -DFOREGROUND
+}
+
+function stop () {
+  apachectl -k graceful-stop
+}
+
+$COMMAND

charts/shipyard/templates/configmap-airflow-bin.yaml

@@ -21,6 +21,8 @@ kind: ConfigMap
 metadata:
   name: airflow-bin
 data:
+  apache.sh: |
+{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   rabbit-init.sh: |+
 {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
   airflow-db-init.sh: |+

charts/shipyard/templates/configmap-airflow-etc.yaml

@@ -46,3 +46,16 @@ metadata:
 data:
   airflow.cfg: |+
 {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.airflow | indent 4 }}
+  webserver_config.py: |+
+    """Default configuration for the Airflow webserver."""
+    from __future__ import annotations
+    import os
+    from airflow.www.fab_security.manager import AUTH_DB
+    basedir = os.path.abspath(os.path.dirname(__file__))
+    WTF_CSRF_ENABLED = True
+    WTF_CSRF_TIME_LIMIT = None
+    AUTH_TYPE = AUTH_DB
+    AUTH_ROLE_ADMIN = 'Viewer'
+    AUTH_ROLE_PUBLIC = 'Viewer'
+
+

charts/shipyard/templates/deployment-airflow-webserver-ui.yaml

@@ -0,0 +1,153 @@
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.deployment_airflow_webserver_ui }}
+{{- $envAll := . }}
+{{- $labels :=  tuple $envAll "airflow_webserver_ui" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $serviceAccountName := "airflow-webserver-ui" }}
+{{- $airflowProxyPort := tuple "airflow_webserver_ui" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $airflowUserSecret := .Values.secrets.airflow_webserver_ui.admin }}
+{{ tuple $envAll "airflow_server" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $mounts_airflow_webserver_ui := .Values.pod.mounts.airflow_webserver_ui.airflow_webserver_ui }}
+{{- $mounts_airflow_webserver_ui_init := .Values.pod.mounts.airflow_webserver_ui.init_container }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: airflow-webserver-ui
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  replicas: {{ .Values.pod.replicas.airflow_webserver_ui.airflow_webserver_ui }}
+  selector:
+    matchLabels:
+{{ $labels | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ $labels | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "airflow-webserver-ui" "containerNames" (list "init" "airflow-webserver-ui") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "airflow_webserver_ui" "airflow_webserver_ui" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ dict "envAll" $envAll "application" "airflow_webserver_ui" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.airflow.node_selector_key }}: {{ .Values.labels.airflow.node_selector_value }}
+      restartPolicy: Always
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.airflow.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "airflow_server" $mounts_airflow_webserver_ui_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: apache-proxy
+{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "dashboard" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/apache.sh
+            - start
+          ports:
+            - name: http
+              containerPort: {{ $airflowProxyPort }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ $airflowProxyPort }}
+            initialDelaySeconds: 20
+            periodSeconds: 30
+          env:
+            - name: AIRFLOW_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $airflowUserSecret }}
+                  key: AIRFLOW_USERNAME
+            - name: AIRFLOW_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $airflowUserSecret }}
+                  key: AIRFLOW_PASSWORD
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: airflow-bin
+              mountPath: /tmp/apache.sh
+              subPath: apache.sh
+              readOnly: true
+            - name: apache-etc
+              mountPath: /usr/local/apache2/conf/httpd.conf
+              subPath: httpd.conf
+              readOnly: true
+        - name: airflow-webserver-ui
+          image: {{ .Values.images.tags.airflow }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.airflow_webserver_ui.airflow_webserver_ui | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "airflow-webserver-ui" "container" "airflow_webserver_ui" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+          - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.secrets.postgresql_airflow_db.user }}
+                key: AIRFLOW_DATABASE_URI
+          args: ["webserver"]
+          volumeMounts:
+            - name: airflow-etc
+              mountPath: {{ .Values.conf.airflow_webserver_config_file.path }}
+              subPath: webserver_config.py
+              readOnly: true
+            - name: airflow-etc
+              mountPath: {{ .Values.conf.airflow_config_file.path }}
+              subPath: airflow.cfg
+              readOnly: true
+            - name: airflow-usr
+              mountPath: {{ .Values.conf.airflow_unittests_file.path }}
+              subPath: unittests.cfg
+              readOnly: true
+            - name: shipyard-etc
+              mountPath: /usr/local/airflow/plugins/shipyard.conf
+              subPath: shipyard.conf
+              readOnly: true
+            - name: airflow-logs
+              mountPath: {{ .Values.conf.airflow.logging.base_log_folder }}
+{{ if $mounts_airflow_webserver_ui.volumeMounts }}{{ toYaml $mounts_airflow_webserver_ui.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: airflow-etc
+          configMap:
+            name: airflow-etc
+            defaultMode: 0444
+        - name: apache-etc
+          secret:
+            secretName: apache-etc
+            defaultMode: 0444
+        - name: airflow-usr
+          configMap:
+            name: airflow-usr
+            defaultMode: 0444
+        - name: shipyard-etc
+          configMap:
+            name: shipyard-etc
+            defaultMode: 0444
+        - name: airflow-bin
+          configMap:
+            name: airflow-bin
+            defaultMode: 0555
+        - name: airflow-logs
+          emptyDir: {}
+{{ if $mounts_airflow_webserver_ui.volumes }}{{ toYaml $mounts_airflow_webserver_ui.volumes | indent 8 }}{{ end }}
+{{- end }}

charts/shipyard/templates/ingress-airflow-webserver-ui.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_shipyard_api .Values.network.airflow_webserver_ui.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "airflow_webserver_ui" "backendServiceType" "airflow_webserver_ui" "backendPort" "api" -}}
+{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- end }}

charts/shipyard/templates/secret-airflow-creds.yaml

@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_airflow_webserver_ui }}
+{{- $envAll := . }}
+{{- $secretName := index $envAll.Values.secrets.airflow_webserver_ui.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  AIRFLOW_USERNAME: {{ .Values.endpoints.airflow_webserver_ui.auth.admin.username | b64enc }}
+  AIRFLOW_PASSWORD: {{ .Values.endpoints.airflow_webserver_ui.auth.admin.password | b64enc }}
+  BIND_DN: {{ .Values.endpoints.ldap.auth.admin.bind | b64enc }}
+  BIND_PASSWORD: {{ .Values.endpoints.ldap.auth.admin.password | b64enc }}
+{{- end }}

charts/shipyard/templates/secret-airflow-webserver-ui-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_airflow_webserver_ui_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "airflow_webserver_ui" "backendServiceType" "airflow_webserver_ui" ) }}
+{{- end }}

charts/shipyard/templates/secret-apache-etc.yaml

@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_apache_etc }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: apache-etc
+type: Opaque
+data:
+  # NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
+{{- end }}

charts/shipyard/templates/secret-ingress-tls.yaml

@@ -16,4 +16,6 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_ingress_tls }}
 {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "shipyard" "backendServiceType" "shipyard" ) }}
+---
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "airflow_webserver_ui" "backendServiceType" "airflow_webserver_ui" ) }}
 {{- end }}

charts/shipyard/templates/service-airflow-webserver-ui.yaml

@@ -0,0 +1,44 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_airflow_webserver_ui }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "airflow_webserver_ui" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    {{ if .Values.network.shipyard.enable_node_port }}
+    - name: api
+      protocol: TCP
+      nodePort: {{ .Values.network.airflow_webserver_ui.node_port }}
+      port: {{ tuple "airflow_webserver_ui" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      targetPort: {{ tuple "airflow_webserver_ui" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ else }}
+    - name: api
+      protocol: TCP
+      port: {{ tuple "airflow_webserver_ui" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      targetPort: {{ tuple "airflow_webserver_ui" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "airflow_webserver_ui" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.airflow_webserver_ui.enable_node_port }}
+  type: NodePort
+  {{ end }}
+{{- end }}

charts/shipyard/values.yaml

@@ -21,6 +21,9 @@ labels:
   shipyard:
     node_selector_key: ucp-control-plane
     node_selector_value: enabled
+  airflow_webserver_ui:
+    node_selector_key: ucp-control-plane
+    node_selector_value: enabled
   airflow:
     node_selector_key: ucp-control-plane
     node_selector_value: enabled
@@ -31,12 +34,13 @@ labels:
 images:
   tags:
     airflow: quay.io/airshipit/airflow:latest-ubuntu_focal
+    apache_proxy: docker.io/library/httpd:2.4
     shipyard: quay.io/airshipit/shipyard:latest-ubuntu_focal
-    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
-    shipyard_db_init: docker.io/postgres:14.5
-    shipyard_db_auxiliary: docker.io/postgres:14.5
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    shipyard_db_init: docker.io/postgres:14.8
+    shipyard_db_auxiliary: docker.io/postgres:14.8
     shipyard_db_sync: quay.io/airshipit/shipyard:latest-ubuntu_focal
-    airflow_db_init: docker.io/postgres:14.5
+    airflow_db_init: docker.io/postgres:14.8
     rabbit_init: docker.io/rabbitmq:3.7-management
     airflow_db_sync: quay.io/airshipit/airflow:latest-ubuntu_focal
     ks_user: docker.io/openstackhelm/heat:ocata
@@ -74,6 +78,22 @@ network:
       name: airflow-worker
       port: 8793
       enable_node_port: false
+  airflow_webserver_ui:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+        nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_clear_headers "Server";
+          more_set_headers "X-Content-Type-Options: 'nosniff'";
+          more_set_headers "X-Frame-Options: 'deny'";
+    node_port: 31902
+    enable_node_port: false
 
 dependencies:
   static:
@@ -208,6 +228,32 @@ endpoints:
       #   tls:
       #     crt: null
       #     key: null
+  airflow_webserver_ui:
+    name: airflow-webserver-ui
+    hosts:
+      default: airflow-int
+      public: airflow-api
+    port:
+      api:
+        default: 80
+        public: 80
+    auth:
+      admin:
+        username: airflow
+        password: password
+    path:
+      default: /
+    scheme:
+      default: http
+    host_fqdn_override:
+      default: null
+      # NOTE(bryan-strassner): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
   airflow_worker:
     name: airflow-worker
     hosts:
@@ -307,6 +353,22 @@ endpoints:
     port:
       memcache:
         default: 11211
+  ldap:
+    hosts:
+      default: ldap
+    auth:
+      admin:
+        bind: "cn=admin,dc=cluster,dc=local"
+        password: password
+    host_fqdn_override:
+      default: null
+    path:
+      default: "/ou=People,dc=cluster,dc=local"
+    scheme:
+      default: ldap
+    port:
+      ldap:
+        default: 389
 
 secrets:
   identity:
@@ -321,12 +383,118 @@ secrets:
   postgresql_airflow_db:
     admin: airflow-db-admin
     user: airflow-db-user
+  airflow_webserver_ui:
+    admin: airflow-admin-creds
   tls:
     shipyard:
       shipyard:
         public: shipyard-tls-public
+    airflow_webserver_ui:
+      airflow_webserver_ui:
+        public: airflow-tls-public
+
 
 conf:
+  httpd: |
+    ServerRoot "/usr/local/apache2"
+
+    Listen 80
+
+    LoadModule mpm_event_module modules/mod_mpm_event.so
+    LoadModule authn_file_module modules/mod_authn_file.so
+    LoadModule authn_core_module modules/mod_authn_core.so
+    LoadModule authz_host_module modules/mod_authz_host.so
+    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+    LoadModule authz_user_module modules/mod_authz_user.so
+    LoadModule authz_core_module modules/mod_authz_core.so
+    LoadModule access_compat_module modules/mod_access_compat.so
+    LoadModule auth_basic_module modules/mod_auth_basic.so
+    LoadModule ldap_module modules/mod_ldap.so
+    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+    LoadModule reqtimeout_module modules/mod_reqtimeout.so
+    LoadModule filter_module modules/mod_filter.so
+    LoadModule proxy_html_module modules/mod_proxy_html.so
+    LoadModule log_config_module modules/mod_log_config.so
+    LoadModule env_module modules/mod_env.so
+    LoadModule headers_module modules/mod_headers.so
+    LoadModule setenvif_module modules/mod_setenvif.so
+    LoadModule version_module modules/mod_version.so
+    LoadModule proxy_module modules/mod_proxy.so
+    LoadModule proxy_connect_module modules/mod_proxy_connect.so
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+    LoadModule remoteip_module modules/mod_remoteip.so
+    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+    LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+    LoadModule unixd_module modules/mod_unixd.so
+    LoadModule status_module modules/mod_status.so
+    LoadModule autoindex_module modules/mod_autoindex.so
+
+    <IfModule unixd_module>
+    User daemon
+    Group daemon
+    </IfModule>
+
+    <Directory />
+        AllowOverride none
+        Require all denied
+    </Directory>
+
+    <Files ".ht*">
+        Require all denied
+    </Files>
+
+    ErrorLog /dev/stderr
+
+    LogLevel warn
+
+    <IfModule log_config_module>
+        LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+        LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+        <IfModule logio_module>
+          LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+        </IfModule>
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout common
+        CustomLog /dev/stdout combined
+        CustomLog /dev/stdout proxy env=forwarded
+    </IfModule>
+
+    <Directory "/usr/local/apache2/cgi-bin">
+        AllowOverride None
+        Options None
+        Require all granted
+    </Directory>
+
+    <IfModule headers_module>
+        RequestHeader unset Proxy early
+    </IfModule>
+
+    <IfModule proxy_html_module>
+    Include conf/extra/proxy-html.conf
+    </IfModule>
+
+    <VirtualHost *:80>
+      RemoteIPHeader X-Original-Forwarded-For
+
+      ProxyPreserveHost On
+      ProxyPass / http://localhost:8080/
+      ProxyPassReverse / http://localhost:8080/
+
+      <Proxy *>
+          AuthName "Airflow"
+          AuthType Basic
+          AuthBasicProvider file ldap
+          AuthUserFile /usr/local/apache2/conf/.htpasswd
+          AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
+          AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
+          AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+          Require valid-user
+      </Proxy>
+    </VirtualHost>
   uwsgi:
     # for more info about these default overrides please read
     # https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html
@@ -461,6 +629,8 @@ conf:
       deployment_version_commit: Skip
   airflow_config_file:
     path: /usr/local/airflow/airflow.cfg
+  airflow_webserver_config_file:
+    path: /usr/local/airflow/webserver_config.py
   airflow_unittests_file:
     path: /usr/local/airflow/unittests.cfg
   airflow:
@@ -762,6 +932,10 @@ pod:
     airflow-scheduler:
       init: runtime/default
       airflow-scheduler: runtime/default
+    airflow-webserver-ui:
+      init: runtime/default
+      apache-proxy: runtime/default
+      airflow-webserver-ui: runtime/default
     shipyard-db-auxiliary:
       init: runtime/default
       shipyard-db-auxiliary: runtime/default
@@ -797,6 +971,15 @@ pod:
         airflow_scheduler:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+    airflow_webserver_ui:
+      container:
+        apache_proxy:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
+        airflow_webserver_ui:
+          runAsUser: 1000
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
     airflow_worker:
       pod:
         runAsUser: 1000
@@ -856,6 +1039,9 @@ pod:
       init_container: null
       airflow_worker:
       airflow_scheduler:
+    airflow_webserver_ui:
+      airflow_webserver_ui:
+      init_container: null
     shipyard:
       init_container: null
       shipyard:
@@ -880,6 +1066,8 @@ pod:
     airflow:
       worker: 2
       scheduler: 2
+    airflow_webserver_ui:
+      airflow_webserver_ui: 1
   probes:
     airflow_worker:
       airflow_worker:
@@ -939,6 +1127,18 @@ pod:
         requests:
           memory: "128Mi"
           cpu: "100m"
+    apache_proxy:
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+    airflow_webserver_ui:
+      airflow_webserver_ui:
+        limits:
+          memory: "128Mi"
+          cpu: "100m"
     shipyard_api:
       limits:
         memory: "128Mi"
@@ -1040,9 +1240,11 @@ manifests:
   # TODO: Set this to false only if a new deployment, or if the worker pod is
   #   running the scheduler
   deployment_airflow_scheduler: true
+  deployment_airflow_webserver_ui: true
   deployment_shipyard: true
   statefulset_airflow_worker: true
   ingress_shipyard_api: true
+  ingress_airflow_webserver_ui: true
   job_shipyard_db_init: true
   job_shipyard_db_auxiliary: true
   job_shipyard_db_sync: true
@@ -1052,6 +1254,8 @@ manifests:
   job_ks_endpoints: true
   job_ks_service: true
   job_ks_user: true
+  secret_apache_etc: true
+  secret_airflow_webserver_ui: true
   secret_airflow_db: true
   secret_shipyard_db: true
   secret_ingress_tls: true
@@ -1059,6 +1263,8 @@ manifests:
   secret_rabbitmq: true
   service_shipyard: true
   service_shipyard_ingress: true
+  service_airflow_webserver_ui: true
+  service_airflow_webserver_ui_ingress: true
   service_airflow_worker: true
   service_discovery_airflow_worker: true
   test_shipyard_api: true

tools/gate/playbooks/airskiff-deploy.yaml

@@ -22,6 +22,7 @@
     - ensure-pip
     - ensure-docker
 
+
   tasks:
 
     - name: Install Packaging python module for tools/airship