Permitting airflow kerberos to run in different modes

airflow/config_templates/config.yml

@@ -2350,6 +2350,14 @@ triggerer:
 kerberos:
   description: ~
   options:
+    mode:
+      description: |
+        Specify the mode in which kerberos container will run, can be sidecar mode vs init container mode.
+        The sidecar mode runs indefinitely but the init container mode performs kinit once and exits.
+      version_added: 2.7.3
+      type: string
+      example: ~
+      default: "sidecar"
     ccache:
       description: |
         Location of your ccache file once kinit has been performed.

airflow/security/kerberos.py

@@ -46,6 +46,10 @@
 
 log = logging.getLogger(__name__)
 
+SIDECAR_MODE = "sidecar"
+INIT_MODE = "init"
+DEFAULT_MODE = SIDECAR_MODE
+
 
 def get_kerberos_principle(principal: str | None) -> str:
     """Retrieve Kerberos principal. Fallback to principal from Airflow configuration if not provided."""
@@ -188,6 +192,16 @@ def run(principal: str | None, keytab: str):
         log.warning("Keytab renewer not starting, no keytab configured")
         sys.exit(0)
 
-    while True:
+    mode = conf.get("kerberos", "mode")
+    if mode != INIT_MODE or mode != SIDECAR_MODE:
+        mode = DEFAULT_MODE
+
+    log.info("Using airflow kerberos mode: %s", mode)
+
+    if mode == SIDECAR_MODE:
+        while True:
+            renew_from_kt(principal, keytab)
+            time.sleep(conf.getint("kerberos", "reinit_frequency"))
+    else:
         renew_from_kt(principal, keytab)
         time.sleep(conf.getint("kerberos", "reinit_frequency"))

docs/apache-airflow/security/kerberos.rst

@@ -100,6 +100,12 @@ Launch the ticket renewer by
     # run ticket renewer
     airflow kerberos
 
+To support more advanced deployment models for using kerberos in an init fashion or sidecar fashion, you can specify the mode
+field in your config.yml, specify mode as either "init" or "sidecar".
+
+* Sidecar: The airflow kerberos process will run forever
+* Init: The airflow kerberos will run once and exit. In case of failure the main container won't spin up.
+
 Hadoop
 ^^^^^^