diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
index 3e5ffc51da6f0..2ce003aa77b28 100644
--- a/chart/docs/production-guide.rst
+++ b/chart/docs/production-guide.rst
@@ -788,12 +788,12 @@ This container-specific approach ensures that:
 Configuration Options
 ^^^^^^^^^^^^^^^^^^^^^
-The service account token volume configuration is available for the scheduler component and includes the following options:
+The service account token volume configuration is available for the scheduler and cleanup component and includes the following options:
 .. code-block:: yaml
 :caption: values.yaml
- scheduler:
+ (scheduler|cleanup):
 serviceAccount:
 automountServiceAccountToken: false
 serviceAccountTokenVolume:
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index 3445f256a0f3f..92bc1186e7cf7 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -1151,3 +1151,54 @@ Usage:
 {{- end -}}
 {{- toYaml $newValues -}}
 {{- end -}}
+
+ {{/*
+serviceAccountTokenVolume mount
+
+Usage:
+ {{ include "serviceAccountTokenVolumeMount" (list . .Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolumeMount" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not $sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ mountPath: {{ $sa.serviceAccountTokenVolume.mountPath }}
+ readOnly: true
+ {{- end }}
+{{- end -}}
+
+{{/*
+serviceAccountTokenVolume
+
+Usage:
+ {{ include "serviceAccountTokenVolume" (list . .Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolume" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not $sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ {{- if $sa.serviceAccountTokenVolume.audience }}
+ audience: {{ $sa.serviceAccountTokenVolume.audience }}
+ {{- end }}
+ expirationSeconds: {{ $sa.serviceAccountTokenVolume.expirationSeconds }}
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
+ {{- end }}
+{{- end -}}
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml b/chart/templates/cleanup/cleanup-cronjob.yaml
index 70cb53862d1cb..9314e933c29a6 100644
--- a/chart/templates/cleanup/cleanup-cronjob.yaml
+++ b/chart/templates/cleanup/cleanup-cronjob.yaml
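Review bot: Both helpers interpolate `volumeName`, `mountPath` and `audience` as bare YAML scalars, so a value containing `#`, `: `, or a leading `*`/`&`/`[` is misparsed or rejected at render time rather than treated as the intended string; pipe them through `quote`, e.g. `- name: {{ $sa.serviceAccountTokenVolume.volumeName | quote }}`, `mountPath: {{ $sa.serviceAccountTokenVolume.mountPath | quote }}`, `audience: {{ $sa.serviceAccountTokenVolume.audience | quote }}`. This is carried over from the scheduler block the diff removes, but now that the helper serves two workloads it is the natural place to harden it. It would also help to state in the helper's usage comment that `defaultMode: 420` (0644) leaves the projected token readable by every process in the pod, matching the kubelet's default for auto-mounted tokens, so what this option buys is the bounded `expirationSeconds` and optional `audience`, not tighter file permissions.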
@@ -110,6 +110,7 @@ spec:
 {{- if .Values.volumeMounts }}
 {{- toYaml .Values.volumeMounts | nindent 16 }}
 {{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list . .Values.cleanup.serviceAccount) | nindent 16 }}
 resources: {{- toYaml .Values.cleanup.resources | nindent 16 }}
 volumes:
 - name: config
@@ -118,4 +119,6 @@ spec:
 {{- if .Values.volumes }}
 {{- toYaml .Values.volumes | nindent 12 }}
 {{- end }}
+ {{- include "serviceAccountTokenVolume" (list . .Values.cleanup.serviceAccount) | nindent 12 }}
+ {{- end }}
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml b/chart/templates/scheduler/scheduler-deployment.yaml
index 3ba9d89dae495..294975fab0a76 100644
--- a/chart/templates/scheduler/scheduler-deployment.yaml
+++ b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -246,11 +246,7 @@ spec:
 {{- if .Values.scheduler.extraVolumeMounts }}
 {{- tpl (toYaml .Values.scheduler.extraVolumeMounts) . | nindent 12 }}
 {{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true") (not .Values.scheduler.serviceAccount.automountServiceAccountToken) .Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{ .Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- mountPath: {{ .Values.scheduler.serviceAccount.serviceAccountTokenVolume.mountPath }}
- readOnly: true
- {{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list . .Values.scheduler.serviceAccount) | nindent 12 }}
 {{- if and $localOrDagProcessorDisabled .Values.dags.gitSync.enabled }}
 {{- include "git_sync_container" . | indent 8 }}
 {{- end }}
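Review bot: The second cleanup hunk (`@@ -118,4 +119,6 @@`) adds a bare `+{{- end }}` after the new volume include, but no removed counterpart is visible here and the `{{- if` it closes (presumably the `cleanup.enabled` guard) opens outside the hunk; the header's 4→6 line count also does not match the five new-side lines shown, so something was lost in this rendering. Most likely the file's final closer was re-emitted because its trailing newline changed, but if an extra `end` slipped in the template stops rendering. Please confirm with `helm template` for the CronJob with an executor for which `airflow.podLaunchingExecutor` is true, `cleanup.enabled=true` and `cleanup.serviceAccount.automountServiceAccountToken=false`, with `serviceAccountTokenVolume.enabled` both on and off, and ideally pin that as a chart unit test since none is visible in this chunk.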
@@ -334,29 +330,7 @@ spec:
 {{- if .Values.scheduler.extraVolumes }}
 {{- tpl (toYaml .Values.scheduler.extraVolumes) . | nindent 8 }}
 {{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true") (not .Values.scheduler.serviceAccount.automountServiceAccountToken) .Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{ .Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- {{- if .Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- audience: {{ .Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- {{- end }}
- expirationSeconds: {{ .Values.scheduler.serviceAccount.serviceAccountTokenVolume.expirationSeconds }}
- path: token
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
- {{- end }}
+ {{- include "serviceAccountTokenVolume" (list . .Values.scheduler.serviceAccount) | nindent 8 }}
 {{- if .Values.logs.persistence.enabled }}
 - name: logs
 persistentVolumeClaim:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 4a645d85c22db..97a2995b2727b 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -10300,10 +10300,47 @@
 "additionalProperties": false,
 "properties": {
 "automountServiceAccountToken": {
- "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods. When false, you can use `serviceAccountTokenVolume` to manually configure service account token volume for pod-launching executors.",
 "type": "boolean",
 "default": true
 },
+ "serviceAccountTokenVolume": {
+ "description": "Configuration for manual service account token volume. Only used when automountServiceAccountToken is false and for pod-launching executors. (CeleryExecutor, KubernetesExecutor)",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable manual service account token volume configuration.",
+ "type": "boolean",
+ "default": false
+ },
+ "mountPath": {
+ "description": "Path where the service account token volume will be mounted.",
+ "type": "string",
+ "default": "/var/run/secrets/kubernetes.io/serviceaccount"
+ },
+ "volumeName": {
+ "description": "Name of the service account token volume.",
+ "type": "string",
+ "default": "kube-api-access"
+ },
+ "expirationSeconds": {
+ "description": "Token expiration time in seconds.",
+ "type": "integer",
+ "minimum": 600,
+ "maximum": 7776000,
+ "default": 3600
+ },
+ "audience": {
+ "description": "Intended audience of the token. Optional - defaults to the identifier of the Kubernetes API server.",
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": null
+ }
+ }
+ },
 "create": {
 "description": "Specifies whether a ServiceAccount should be created.",
 "type": "boolean",
diff --git a/chart/values.yaml b/chart/values.yaml
index 0df514c93ece7..f380fcb173c6a 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
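Review bot: The new `serviceAccountTokenVolume` description lists `(CeleryExecutor, KubernetesExecutor)` as the pod-launching executors, but the templates gate on `airflow.podLaunchingExecutor` and a plain CeleryExecutor does not launch pods; if that helper matches the `*KubernetesExecutor` variants, as its name suggests, the parenthetical is wrong and points Celery users at settings that render nothing. Suggest `"... and for pod-launching executors (e.g. KubernetesExecutor, CeleryKubernetesExecutor, LocalKubernetesExecutor)."`, or drop the list and name the helper. The `"minimum": 600` on `expirationSeconds` is the Kubernetes floor for projected service account tokens and is worth stating so operators do not try to go lower, e.g. `"description": "Token expiration time in seconds. Kubernetes requires at least 600; the API server may cap the value further."`.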
@@ -3755,6 +3755,25 @@ cleanup:
 # Annotations to add to cleanup CronJob Kubernetes Service Account.
 annotations: {}
+ # Service Account Token Volume configuration
+ # This is only used when `automountServiceAccountToken` is 'false'
+ # and allows manual configuration of the Service Account token volume
+ serviceAccountTokenVolume:
+ # Enable manual Service Account token volume configuration
+ enabled: false
+
+ # Path where the Service Account token should be mounted
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+
+ # Name of the volume
+ volumeName: kube-api-access
+
+ # Token expiration in seconds
+ expirationSeconds: 3600
+
+ # Audience for the token
+ audience: ~
+
 # When not set, the values defined in the global `securityContext` will be used
 # (deprecated, use `cleanup.securityContexts` instead)
 securityContext: {}
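Review bot: The comment block says the volume is "only used when `automountServiceAccountToken` is 'false'", but the helper in `_helpers.yaml` also requires `airflow.podLaunchingExecutor` to be true, so with any other executor these keys are silently ignored; suggest `# This is only used when `automountServiceAccountToken` is 'false' and the configured executor launches pods (see the airflow.podLaunchingExecutor helper)`. The `audience` comment should also warn about the failure mode, e.g. `# Leave unset to target the Kubernetes API server; a custom audience yields a token the API server rejects, which breaks this job's API calls` — the last clause assumes the cleanup job still talks to the Kubernetes API, which this hunk does not show.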