handled comments and increased test hardening

Author: ifilonenko

docs/running-on-kubernetes.md

@@ -769,38 +769,38 @@ from the other deployment modes. See the [configuration page](configuration.html
   </td>
 </tr>
 <tr>
-  <td><code>spark.kubernetes.kerberos</code></td> 
+  <td><code>spark.kubernetes.kerberos.enabled</code></td> 
   <td>false</td>
   <td>
-    Specify whether your job is a job that will require a Delegation Token to access HDFS. By default, we
+    Specify whether your job is a job that will require a Kerberos Authorization to access HDFS. By default, we
     will assume that you will not require secure HDFS access. 
   </td>
 </tr>
 <tr>
   <td><code>spark.kubernetes.kerberos.keytab</code></td> 
   <td>(none)</td>
   <td>
-    Assuming you have set <code>spark.kubernetes.kerberos</code> to be true. This will let you specify 
+    Assuming you have set <code>spark.kubernetes.kerberos.enabled</code> to be true. This will let you specify 
     the location of your Kerberos keytab to be used in order to access Secure HDFS. This is optional as you 
-    may login by running <code>kinit -kt</code> before running the spark-submit, and the submission client
+    may login by running <code>kinit</code> before running the spark-submit, and the submission client
     will look within your local TGT cache to resolve this. 
   </td>
 </tr>
 <tr>
   <td><code>spark.kubernetes.kerberos.principal</code></td> 
   <td>(none)</td>
   <td>
-    Assuming you have set <code>spark.kubernetes.kerberos</code> to be true. This will let you specify 
+    Assuming you have set <code>spark.kubernetes.kerberos.enabled</code> to be true. This will let you specify 
     your Kerberos principal that you wish to use to access Secure HDFS. This is optional as you 
-    may login by running <code>kinit -kt</code> before running the spark-submit, and the submission client
+    may login by running <code>kinit</code> before running the spark-submit, and the submission client
     will look within your local TGT cache to resolve this. 
   </td>
 </tr>
 <tr>
   <td><code>spark.kubernetes.kerberos.tokensecret.name</code></td> 
   <td>(none)</td>
   <td>
-    Assuming you have set <code>spark.kubernetes.kerberos</code> to be true. This will let you specify 
+    Assuming you have set <code>spark.kubernetes.kerberos.enabled</code> to be true. This will let you specify 
     the name of the secret where your existing delegation token data is stored. You must also specify the 
     label <code>spark.kubernetes.kerberos.tokensecret.name</code> where your data is stored on the secret. 
   </td>
@@ -809,7 +809,7 @@ from the other deployment modes. See the [configuration page](configuration.html
   <td><code>spark.kubernetes.kerberos.tokensecret.label</code></td> 
   <td>spark.kubernetes.kerberos.dt.label</td>
   <td>
-    Assuming you have set <code>spark.kubernetes.kerberos</code> to be true. This will let you specify 
+    Assuming you have set <code>spark.kubernetes.kerberos.enabled</code> to be true. This will let you specify 
     the label within the pre-specified secret where the data of your existing delegation token data is stored. 
     We have a default value of <code>spark.kubernetes.kerberos.dt.label</code> should you not include it. But
     you should always include this if you are proposing a pre-existing secret contain the delegation token data.

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/HadoopConfBootstrap.scala

@@ -32,8 +32,8 @@ import org.apache.spark.internal.Logging
  */
 private[spark] trait HadoopConfBootstrap {
  /**
-  * Bootstraps a main container with the ConfigMaps mounted as volumes and an ENV variable
-  * pointing to the mounted file.
+  * Bootstraps a main container with the ConfigMaps containing Hadoop config files
+  * mounted as volumes and an ENV variable pointing to the mounted file.
   */
   def bootstrapMainContainerAndVolumes(
     originalPodWithMainContainer: PodWithMainContainer)
@@ -68,11 +68,11 @@ private[spark] class HadoopConfBootstrapImpl(
       originalPodWithMainContainer.mainContainer)
       .addNewVolumeMount()
         .withName(HADOOP_FILE_VOLUME)
-        .withMountPath(HADOOP_FILE_DIR)
+        .withMountPath(HADOOP_CONF_DIR_PATH)
         .endVolumeMount()
       .addNewEnv()
-        .withName(HADOOP_CONF_DIR)
-        .withValue(HADOOP_FILE_DIR)
+        .withName(ENV_HADOOP_CONF_DIR)
+        .withValue(HADOOP_CONF_DIR_PATH)
         .endEnv()
       .build()
     originalPodWithMainContainer.copy(

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala

@@ -545,7 +545,7 @@ package object config extends Logging {
         " your existing delegation token is stored. This removes the need" +
         " for the job user to provide any keytab for launching a job")
       .stringConf
-      .createWithDefault("spark.kubernetes.kerberos.dt.label")
+      .createOptional
 
   private[spark] def resolveK8sMaster(rawMasterString: String): String = {
     if (!rawMasterString.startsWith("k8s://")) {

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/constants.scala

@@ -98,8 +98,8 @@ package object constants {
 
   // Hadoop Configuration
   private[spark] val HADOOP_FILE_VOLUME = "hadoop-properties"
-  private[spark] val HADOOP_FILE_DIR = "/etc/hadoop"
-  private[spark] val HADOOP_CONF_DIR = "HADOOP_CONF_DIR"
+  private[spark] val HADOOP_CONF_DIR_PATH = "/etc/hadoop/conf"
+  private[spark] val ENV_HADOOP_CONF_DIR = "HADOOP_CONF_DIR"
   private[spark] val HADOOP_CONF_DIR_LOC = "spark.kubernetes.hadoop.conf.dir"
   private[spark] val HADOOP_CONFIG_MAP_SPARK_CONF_NAME =
     "spark.kubernetes.hadoop.executor.hadoopconfigmapname"

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/DriverConfigurationStepsOrchestrator.scala

@@ -98,18 +98,12 @@ private[spark] class DriverConfigurationStepsOrchestrator(
     val kubernetesCredentialsStep = new DriverKubernetesCredentialsStep(
         submissionSparkConf, kubernetesResourceNamePrefix)
     val hadoopConfigSteps =
-      if (hadoopConfDir.isEmpty) {
-        Option.empty[DriverConfigurationStep]
-      } else {
-        val hadoopStepsOrchestrator = new HadoopStepsOrchestrator(
-          namespace,
-          hadoopConfigMapName,
-          submissionSparkConf,
-          hadoopConfDir)
-        val hadoopConfSteps =
-          hadoopStepsOrchestrator.getHadoopSteps()
-        Some(new HadoopConfigBootstrapStep(hadoopConfSteps, hadoopConfigMapName))
-      }
+      hadoopConfDir.map { conf =>
+        val hadoopStepsOrchestrator =
+          new HadoopStepsOrchestrator(namespace, hadoopConfigMapName, submissionSparkConf, conf)
+        val hadoopConfSteps = hadoopStepsOrchestrator.getHadoopSteps()
+        Some(new HadoopConfigBootstrapStep(hadoopConfSteps, hadoopConfigMapName))}
+      .getOrElse(Option.empty[DriverConfigurationStep])
     val pythonStep = mainAppResource match {
       case PythonMainAppResource(mainPyResource) =>
         Option(new PythonStep(mainPyResource, additionalPythonFiles, filesDownloadPath))

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/HadoopConfigBootstrapStep.scala

@@ -49,9 +49,9 @@ private[spark] class HadoopConfigBootstrapStep(
     val configMap =
       new ConfigMapBuilder()
         .withNewMetadata()
-        .withName(hadoopConfigMapName)
-        .endMetadata()
-          .addToData(currentHadoopSpec.configMapProperties.asJava)
+          .withName(hadoopConfigMapName)
+          .endMetadata()
+        .addToData(currentHadoopSpec.configMapProperties.asJava)
       .build()
     val executorSparkConf = driverSpec.driverSparkConf.clone()
       .set(HADOOP_CONFIG_MAP_SPARK_CONF_NAME, hadoopConfigMapName)

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopConfMounterStep.scala

@@ -34,7 +34,7 @@ private[spark] class HadoopConfMounterStep(
     hadoopConfigMapName: String,
     hadoopConfigurationFiles: Seq[File],
     hadoopConfBootstrapConf: HadoopConfBootstrap,
-    hadoopConfDir: Option[String])
+    hadoopConfDir: String)
   extends HadoopConfigurationStep {
 
    override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
@@ -51,8 +51,7 @@ private[spark] class HadoopConfMounterStep(
          hadoopConfigurationFiles.map(file =>
            (file.toPath.getFileName.toString, readFileToString(file))).toMap,
        additionalDriverSparkConf = hadoopConfigSpec.additionalDriverSparkConf ++
-        hadoopConfDir.map(conf_dir => Map(HADOOP_CONF_DIR_LOC -> conf_dir)).getOrElse(
-          Map.empty[String, String])
+        Map(HADOOP_CONF_DIR_LOC -> hadoopConfDir)
      )
   }
 }

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala

@@ -55,11 +55,11 @@ private[spark] class HadoopKerberosKeytabResolverStep(
    private var originalCredentials: Credentials = _
    private var dfs : FileSystem = _
    private var renewer: String = _
-   private var renewedCredentials: Credentials = _
-   private var renewedTokens: Iterable[Token[_ <: TokenIdentifier]] = _
+   private var credentials: Credentials = _
+   private var tokens: Iterable[Token[_ <: TokenIdentifier]] = _
    override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
     val hadoopConf = SparkHadoopUtil.get.newConfiguration(submissionSparkConf)
-    logInfo(s"Hadoop Configuration: ${hadoopConf.toString}")
+    logDebug(s"Hadoop Configuration: ${hadoopConf.toString}")
     if (!UserGroupInformation.isSecurityEnabled) logError("Hadoop not configuration with Kerberos")
     val maybeJobUserUGI =
       for {
@@ -70,7 +70,7 @@ private[spark] class HadoopKerberosKeytabResolverStep(
         // Reliant on [Spark-20328] for changing to YARN principal
         submissionSparkConf.set("spark.yarn.principal", principal)
         submissionSparkConf.set("spark.yarn.keytab", keytab.toURI.toString)
-        logInfo("Logged into KDC with keytab using Job User UGI")
+        logDebug("Logged into KDC with keytab using Job User UGI")
         UserGroupInformation.loginUserFromKeytabAndReturnUGI(
           principal,
           keytab.toURI.toString)
@@ -80,27 +80,27 @@ private[spark] class HadoopKerberosKeytabResolverStep(
     // It is necessary to run as jobUserUGI because logged in user != Current User
     jobUserUGI.doAs(new PrivilegedExceptionAction[Void] {
       override def run(): Void = {
-        logInfo(s"Retrieved Job User UGI: $jobUserUGI")
+        logDebug(s"Retrieved Job User UGI: $jobUserUGI")
         originalCredentials = jobUserUGI.getCredentials
-        logInfo(s"Original tokens: ${originalCredentials.toString}")
-        logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
-        logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
+        logDebug(s"Original tokens: ${originalCredentials.toString}")
+        logDebug(s"All tokens: ${originalCredentials.getAllTokens}")
+        logDebug(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
         dfs = FileSystem.get(hadoopConf)
         // This is not necessary with [Spark-20328] since we would be using
         // Spark core providers to handle delegation token renewal
         renewer = jobUserUGI.getShortUserName
-        logInfo(s"Renewer is: $renewer")
-        renewedCredentials = new Credentials(originalCredentials)
-        dfs.addDelegationTokens(renewer, renewedCredentials)
-        renewedTokens = renewedCredentials.getAllTokens.asScala
-        logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
-        logInfo(s"All renewed tokens: ${renewedTokens.mkString(",")}")
-        logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+        logDebug(s"Renewer is: $renewer")
+        credentials = new Credentials(originalCredentials)
+        dfs.addDelegationTokens(renewer, credentials)
+        tokens = credentials.getAllTokens.asScala
+        logDebug(s"Tokens: ${credentials.toString}")
+        logDebug(s"All tokens: ${tokens.mkString(",")}")
+        logDebug(s"All secret keys: ${credentials.getAllSecretKeys}")
         null
       }})
-    if (renewedTokens.isEmpty) logError("Did not obtain any Delegation Tokens")
-    val data = serialize(renewedCredentials)
-    val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf).getOrElse(Long.MaxValue)
+    if (tokens.isEmpty) logError("Did not obtain any Delegation Tokens")
+    val data = serialize(credentials)
+    val renewalTime = getTokenRenewalInterval(tokens, hadoopConf).getOrElse(Long.MaxValue)
     val currentTime: Long = System.currentTimeMillis()
     val initialTokenLabelName = s"$KERBEROS_SECRET_LABEL_PREFIX-$currentTime-$renewalTime"
     val secretDT =

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopStepsOrchestrator.scala

@@ -19,7 +19,7 @@ package org.apache.spark.deploy.kubernetes.submit.submitsteps.hadoopsteps
 import java.io.File
 
 import org.apache.spark.SparkConf
-import org.apache.spark.deploy.kubernetes.HadoopConfBootstrapImpl
+import org.apache.spark.deploy.kubernetes.{HadoopConfBootstrapImpl, OptionRequirements}
 import org.apache.spark.deploy.kubernetes.config._
 
 
@@ -30,16 +30,35 @@ private[spark] class HadoopStepsOrchestrator(
   namespace: String,
   hadoopConfigMapName: String,
   submissionSparkConf: SparkConf,
-  hadoopConfDir: Option[String]) {
-  private val maybeKerberosSupport = submissionSparkConf.get(KUBERNETES_KERBEROS_SUPPORT)
+  hadoopConfDir: String) {
+  private val isKerberosEnabled = submissionSparkConf.get(KUBERNETES_KERBEROS_SUPPORT)
   private val maybePrincipal = submissionSparkConf.get(KUBERNETES_KERBEROS_PRINCIPAL)
   private val maybeKeytab = submissionSparkConf.get(KUBERNETES_KERBEROS_KEYTAB)
     .map(k => new File(k))
   private val maybeExistingSecret = submissionSparkConf.get(KUBERNETES_KERBEROS_DT_SECRET_NAME)
   private val maybeExistingSecretLabel =
     submissionSparkConf.get(KUBERNETES_KERBEROS_DT_SECRET_LABEL)
-  private val hadoopConfigurationFiles = hadoopConfDir.map(conf => getHadoopConfFiles(conf))
-     .getOrElse(Seq.empty[File])
+  private val hadoopConfigurationFiles = getHadoopConfFiles(hadoopConfDir)
+
+   require(maybeKeytab.forall( _ => isKerberosEnabled ),
+     "You must enable Kerberos support if you are specifying a Kerberos Keytab")
+
+   require(maybeExistingSecret.forall( _ => isKerberosEnabled ),
+     "You must enable Kerberos support if you are specifying a Kerberos Secret")
+
+   OptionRequirements.requireBothOrNeitherDefined(
+     maybeKeytab,
+     maybePrincipal,
+    "If a Kerberos keytab is specified you must also specify a Kerberos principal",
+     "If a Kerberos principal is specified you must also specify a Kerberos keytab")
+
+   OptionRequirements.requireBothOrNeitherDefined(
+     maybeExistingSecret,
+     maybeExistingSecretLabel,
+     "If a secret storing a Kerberos Delegation Token is specified you must also" +
+     " specify the label where the data is stored",
+     "If a secret label where the data of the Kerberos Delegation Token is specified" +
+       " you must also specify the name of the secret")
 
   def getHadoopSteps(): Seq[HadoopConfigurationStep] = {
     val hadoopConfBootstrapImpl = new HadoopConfBootstrapImpl(
@@ -51,11 +70,11 @@ private[spark] class HadoopStepsOrchestrator(
       hadoopConfBootstrapImpl,
       hadoopConfDir)
     val maybeKerberosStep =
-      if (maybeKerberosSupport) {
+      if (isKerberosEnabled) {
         maybeExistingSecret.map(secretLabel => Some(new HadoopKerberosSecretResolverStep(
          submissionSparkConf,
           secretLabel,
-          maybeExistingSecretLabel))).getOrElse(Some(
+          maybeExistingSecretLabel.get))).getOrElse(Some(
             new HadoopKerberosKeytabResolverStep(
               submissionSparkConf,
               maybePrincipal,
@@ -65,6 +84,7 @@ private[spark] class HadoopStepsOrchestrator(
       }
     Seq(hadoopConfMounterStep) ++ maybeKerberosStep.toSeq
   }
+
   private def getHadoopConfFiles(path: String) : Seq[File] = {
      def isFile(file: File) = if (file.isFile) Some(file) else None
      val dir = new File(path)

resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/initcontainer/InitContainerConfigurationStepsOrchestrator.scala

@@ -62,6 +62,7 @@ private[spark] class InitContainerConfigurationStepsOrchestrator(
     submissionSparkConf.get(RESOURCE_STAGING_SERVER_INTERNAL_SSL_ENABLED)
       .orElse(submissionSparkConf.get(RESOURCE_STAGING_SERVER_SSL_ENABLED))
       .getOrElse(false)
+
   OptionRequirements.requireNandDefined(
     maybeResourceStagingServerInternalClientCert,
     maybeResourceStagingServerInternalTrustStore,