[SPARK-27702][K8S] Allow using some alternatives for service accounts

[Udbhav30]

What changes were proposed in this pull request?

To allow alternatives to serviceaccounts

Why are the changes needed?

Although we provide some authentication configuration, such as spark.kubernetes.authenticate.driver.mounted.oauthTokenFile, spark.kubernetes.authenticate.driver.mounted.caCertFile, etc.
But there is a bug as we forced the service account so when we use one of them, driver still use the KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH file, and the error look like bellow:

the KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH serviceAccount not exists

Does this PR introduce any user-facing change?

Yes user can now use spark.kubernetes.authenticate.driver.mounted.caCertFile
or token file by spark.kubernetes.authenticate.driver.mounted.oauthTokenFile

How was this patch tested?

Manually passed the certificates using spark.kubernetes.authenticate.driver.mounted.caCertFile
or token file by spark.kubernetes.authenticate.driver.mounted.oauthTokenFile if there is no default service account available.

[dongjoon-hyun]

@Udbhav30 . Could you add a test case this your PR?

[dongjoon-hyun]

Gentle ping, @Udbhav30 .

[Udbhav30]

@dongjoon-hyun sorry for the late reply , yes i will check how can i add a test-case for it and update you

[Udbhav30]

Hii @dongjoon-hyun i am unable to simulate this from minikube as there will always be a default service account so i am not sure if i could write any test case for this. if you have any suggestions please let me know.
thanks

[skonto]

do we need to document anything here?

[Udbhav30]

do we need to document anything here?

It is already covered as part of tokens and certificate passed by users (eg: kubernetesAuthConfPrefix.OAUTH_TOKEN_CONF_SUFFIX) and also during SPARK-25887 that it can be auto configured in Fabric client using kube-config file. Please let me know if any suggestions thanks.

[dongjoon-hyun]

ok to test

[SparkQA]

Test build #106550 has finished for PR 24601 at commit f1e8207.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/testing-k8s-prb-make-spark-distribution-unified/11791/

[SparkQA]

Kubernetes integration test status success
URL: https://amplab.cs.berkeley.edu/jenkins/job/testing-k8s-prb-make-spark-distribution-unified/11791/

[Udbhav30]

Hii @dongjoon-hyun can you please check if we can merge this.

[dongjoon-hyun]

Sorry for being later, @Udbhav30 . If then, could you describe the test procedure in the How was this patch tested? section of PR description? For example, how to create new service account and how to use that?

i am unable to simulate this from minikube as there will always be a default service account so i am not sure if i could write any test case for this.

[Udbhav30]

could you describe the test procedure in the How was this patch tested? section of PR description? For example, how to create new service account and how to use that?

Sure! thanks @dongjoon-hyun
Yes i have updated in PR if there is no service account how user can have alternatives to it.

[wackxu]

What is the status of this PR? Can we merge this? in some multi-tenant k8s cluster, we do not use service account for authenticate. so we should allow using some alternatives for service accounts, such as kubeconfig, oauthToken.

[wackxu]

@dongjoon-hyun @liyinan926

[wackxu]

Could you take a look at this? @dongjoon-hyun @liyinan926

[SparkQA]

Test build #117112 has finished for PR 24601 at commit 3c9e2d8.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[wackxu]

Although we provide some authentication configuration, such as spark.kubernetes.authenticate.driver.mounted.oauthTokenFile, spark.kubernetes.authenticate.driver.mounted.caCertFile, etc. When we use one of them, dirver still use the KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH file, and the error look like bellow:

the KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH serviceAccount not exists

so we need to determine whether KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH exists. If it does not exist, other configurations are allowed to use, such as spark.kubernetes.authenticate.driver.mounted.oauthTokenFile.

[Udbhav30]

Hi @dongjoon-hyun @liyinan926 can you please review this PR

[dongjoon-hyun]

The current logic looks like this.

1. The difference of this logic is returning None when the file doesn't exist.
2. However, None is not used when the given oauthTokenFileConf points a valid file because it's called as orElse.

    val oauthTokenFile = sparkConf.getOption(oauthTokenFileConf)
      .map(new File(_))
      .orElse(defaultServiceAccountToken)

Is the above correct?

[dongjoon-hyun]

The existing code already tries to use the given file first. Where did you check the following?

If it does not exist, other configurations are allowed to use, such as spark.kubernetes.authenticate.driver.mounted.oauthTokenFile.

[Udbhav30]

The existing code already tries to use the given file first. Where did you check the following?

If it does not exist, other configurations are allowed to use, such as spark.kubernetes.authenticate.driver.mounted.oauthTokenFile.

Yes but still as we are passing 'KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH' to create the kubernetesClient , the kubernetes fabric client will use that service account path and will throw error as @wackxu mentioned.

[wackxu]

@Udbhav30 @dongjoon-hyun That is what I means. Let's merge this as soon as possible

[dongjoon-hyun]

Retest this please.

[SparkQA]

Test build #117346 has finished for PR 24601 at commit 3c9e2d8.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/22106/

[SparkQA]

Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/22106/

[wackxu]

@dongjoon-hyun Could you take a look at this? Thank you.

[AmplabJenkins]

Can one of the admins verify this patch?

[wackxu]

@dongjoon-hyun Hi, Could you take a look at this? This is a bugfix about driver authenticate and we can use other authentication without this.

[gengliangwang]

cc @jiangxb1987

[wackxu]

Kindly ping @dongjoon-hyun @jiangxb1987 @liyinan926 for take a look, thanks.

[github-actions]

We're closing this PR because it hasn't been updated in a while. This isn't a judgement on the merit of the PR in any way. It's just a way of keeping the PR queue manageable.
If you'd like to revive this PR, please reopen it and ask a committer to remove the Stale tag!

[dongjoon-hyun]

I removed Stale tag. The community was too busy for Apache Spark 3.0.0. Sorry about that. Now it is released finally, I will review this improvement PR again.

[dongjoon-hyun]

+1, LGTM. Thank you, @Udbhav30 .
Merged to master for Apache Spark 3.1.0.

[Udbhav30]

I removed Stale tag. The community was too busy for Apache Spark 3.0.0. Sorry about that. Now it is released finally, I will review this improvement PR again.

thanks!!