This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4dbe9b207c3 Add workers.celery.kerberosInitContainer field (#60427)
4dbe9b207c3 is described below
commit 4dbe9b207c3cc5250852f093078ec03fea34b4a3
Author: Henry Chen <[email protected]>
AuthorDate: Fri Jan 16 06:12:10 2026 +0800
Add workers.celery.kerberosInitContainer field (#60427)
---
chart/templates/NOTES.txt | 8 ++
chart/templates/workers/worker-deployment.yaml | 6 +-
chart/values.schema.json | 85 +++++++++++++++++++++-
chart/values.yaml | 20 +++++
.../tests/helm_tests/airflow_core/test_worker.py | 61 ++++++++++++++++
5 files changed, 177 insertions(+), 3 deletions(-)
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 4cf3844a499..7ac3cdd624c 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -204,6 +204,14 @@ DEPRECATION WARNING:
{{- end }}
+{{- if not (empty .Values.workers.kerberosInitContainer) }}
+
+ DEPRECATION WARNING:
+ `workers.kerberosInitContainer` has been renamed to
`workers.celery.kerberosInitContainer`.
+ Please change your values as support for the old name will be dropped in a
future release.
+
+{{- end }}
+
{{- if ne (.Values.workers.args | toJson) (list "bash" "-c" "exec \\\nairflow
{{ semverCompare \">=2.0.0\" .Values.airflowVersion | ternary \"celery worker\"
\"worker\" }}" | toJson) }}
DEPRECATION WARNING:
diff --git a/chart/templates/workers/worker-deployment.yaml
b/chart/templates/workers/worker-deployment.yaml
index 8258cf9fd2d..d7480e9efc1 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -191,12 +191,14 @@ spec:
subPath: {{ .Values.logs.persistence.subPath }}
{{- end }}
{{- end }}
- {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion)
.Values.workers.kerberosInitContainer.enabled }}
+ {{- $kerberosInitContainerEnabled := or
(.Values.workers.celery.kerberosInitContainer).enabled
(.Values.workers.kerberosInitContainer).enabled }}
+ {{- $kerberosInitContainerResources :=
(.Values.workers.celery.kerberosInitContainer).resources | default
(.Values.workers.kerberosInitContainer).resources | default dict }}
+ {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion)
$kerberosInitContainerEnabled }}
- name: kerberos-init
image: {{ template "airflow_image" . }}
imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
args: ["kerberos", "-o"]
- resources: {{- toYaml
.Values.workers.kerberosInitContainer.resources | nindent 12 }}
+ resources: {{- toYaml $kerberosInitContainerResources | nindent 12 }}
volumeMounts:
- name: logs
mountPath: {{ template "airflow_logs" . }}
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 5d065e032af..70ddde7a430 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -2171,7 +2171,7 @@
}
},
"kerberosInitContainer": {
- "description": "Kerberos init container for Airflow Celery
workers and pods created with pod-template-file.",
+ "description": "Kerberos init container for Airflow Celery
workers and pods created with pod-template-file (deprecated, use
`workers.celery.kerberosInitContainer` instead).",
"type": "object",
"additionalProperties": false,
"properties": {
@@ -2958,6 +2958,89 @@
}
}
}
+ },
+ "kerberosInitContainer": {
+ "description": "Kerberos init container for
Airflow Celery workers.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable Kerberos init
container.",
+ "type": "boolean",
+ "default": false
+ },
+ "resources": {
+ "description": "Resources on kerberos init
container.",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "limits": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ }
+ ],
+ "$ref":
"#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+ },
+ "containerLifecycleHooks": {
+ "description": "Container Lifecycle Hooks
definition for the kerberos init container. If not set, the values from global
`containerLifecycleHooks` will be used.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.Lifecycle",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+ "postStart": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo postStart
handler > /usr/share/message"
+ ]
+ }
+ },
+ "preStop": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-c",
+ "echo preStop handler
> /usr/share/message"
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "securityContexts": {
+ "description": "Security context
definition for the kerberos init container. If not set, the values from global
`securityContexts` will be used.",
+ "type": "object",
+ "x-docsSection": "Kubernetes",
+ "properties": {
+ "container": {
+ "description": "Container security
context definition for the kerberos init container.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.SecurityContext",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+
"allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
}
}
},
diff --git a/chart/values.yaml b/chart/values.yaml
index 7d7881f2eee..6a3c2f122f2 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -873,6 +873,7 @@ workers:
containerLifecycleHooks: {}
# Kerberos init container configuration for Airflow Celery workers and pods
created with pod-template-file
+ # (deprecated, use `workers.celery.kerberosInitContainer` instead)
kerberosInitContainer:
# Enable kerberos init container
enabled: false
@@ -1161,6 +1162,25 @@ workers:
securityContexts:
container: {}
+ # Kerberos init container configuration for Airflow Celery workers
+ kerberosInitContainer:
+ # Enable kerberos init container
+ enabled: false
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Detailed default security context for kerberos init container on
container level
+ securityContexts:
+ container: {}
+
+ # Container level lifecycle hooks
+ containerLifecycleHooks: {}
+
kubernetes:
# Command to use in pod-template-file (templated)
command: ~
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
index 9e81844c7fe..8a7abae7ec4 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
@@ -968,6 +968,67 @@ class TestWorker:
assert initContainers[1]["name"] == "kerberos-init"
assert initContainers[1]["args"] == ["kerberos", "-o"]
+ @pytest.mark.parametrize(
+ "workers_values",
+ [
+ {"kerberosInitContainer": {"enabled": True}},
+ {"celery": {"kerberosInitContainer": {"enabled": True}}},
+ {
+ "kerberosInitContainer": {"enabled": False},
+ "celery": {"kerberosInitContainer": {"enabled": True}},
+ },
+ ],
+ )
+ def test_airflow_kerberos_init_container_celery_values(self,
workers_values):
+ """Test that workers.celery.kerberosInitContainer configuration works
and takes precedence."""
+ docs = render_chart(
+ values={
+ "airflowVersion": "2.8.0",
+ "workers": {
+ **workers_values,
+ "celery": {
+ **workers_values.get("celery", {}),
+ "persistence": {"fixPermissions": True},
+ },
+ },
+ },
+ show_only=["templates/workers/worker-deployment.yaml"],
+ )
+
+ initContainers = jmespath.search("spec.template.spec.initContainers",
docs[0])
+ # Should have 3 init containers: wait-for-migrations, kerberos-init,
volume-permissions
+ assert len(initContainers) == 3
+ assert initContainers[1]["name"] == "kerberos-init"
+ assert initContainers[1]["args"] == ["kerberos", "-o"]
+
+ def test_airflow_kerberos_init_container_resources(self):
+ """Test that kerberos init container resources can be configured via
workers.celery.kerberosInitContainer."""
+ docs = render_chart(
+ values={
+ "airflowVersion": "2.8.0",
+ "workers": {
+ "celery": {
+ "kerberosInitContainer": {
+ "enabled": True,
+ "resources": {
+ "limits": {"cpu": "100m", "memory": "128Mi"},
+ "requests": {"cpu": "50m", "memory": "64Mi"},
+ },
+ },
+ },
+ },
+ },
+ show_only=["templates/workers/worker-deployment.yaml"],
+ )
+
+ initContainers = jmespath.search("spec.template.spec.initContainers",
docs[0])
+ kerberos_init = next((c for c in initContainers if c["name"] ==
"kerberos-init"), None)
+ assert kerberos_init is not None
+ assert kerberos_init["resources"]["limits"]["cpu"] == "100m"
+ assert kerberos_init["resources"]["limits"]["memory"] == "128Mi"
+ assert kerberos_init["resources"]["requests"]["cpu"] == "50m"
+ assert kerberos_init["resources"]["requests"]["memory"] == "64Mi"
+
@pytest.mark.parametrize(
("airflow_version", "expected_arg"),
[
