This is an automated email from the ASF dual-hosted git repository.

jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new bc6eaf2ceda More restrictive chart rendering logic (#63464)
bc6eaf2ceda is described below

commit bc6eaf2ceda51316c294bc3982c4b10213a590b5
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Fri Mar 13 00:04:35 2026 +0100

    More restrictive chart rendering logic (#63464)
    
    * Fix api server hpa render
    
    * Fix keda enabled if for pgbouncer network policy
    
    * Fix rendering of flower-secret
    
    * Fix pgbouncer certificate secret rendering
    
    * Fix kerberos keytab secret rendering
    
    * Refactor scc rolebinding tests
    
    * Fix scc rolebinding rendering
---
 chart/templates/api-server/api-server-hpa.yaml     |   2 +-
 .../pgbouncer/pgbouncer-networkpolicy.yaml         |   2 +-
 .../security-context-constraint-rolebinding.yaml   |  13 +-
 chart/templates/secrets/flower-secret.yaml         |   2 +-
 .../templates/secrets/kerberos-keytab-secret.yaml  |   2 +-
 .../secrets/pgbouncer-certificates-secret.yaml     |   2 +-
 helm-tests/tests/helm_tests/other/test_flower.py   |  15 ++
 .../tests/helm_tests/other/test_pgbouncer.py       |  69 +++++--
 .../tests/helm_tests/security/test_kerberos.py     |  14 ++
 .../helm_tests/security/test_scc_rolebinding.py    | 208 ++++++++++++++++-----
 10 files changed, 262 insertions(+), 67 deletions(-)

diff --git a/chart/templates/api-server/api-server-hpa.yaml 
b/chart/templates/api-server/api-server-hpa.yaml
index b8830d4b9b1..ee714efd918 100644
--- a/chart/templates/api-server/api-server-hpa.yaml
+++ b/chart/templates/api-server/api-server-hpa.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Airflow Api-Server HPA
 #################################
-{{- if .Values.apiServer.hpa.enabled }}
+{{- if and .Values.apiServer.enabled .Values.apiServer.hpa.enabled 
(semverCompare ">=3.0.0" .Values.airflowVersion) }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
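Review bot: The new `semverCompare ">=3.0.0" .Values.airflowVersion` gate silently drops pre-release versions: with the semver library Helm uses, a version that carries a pre-release tag such as `3.0.0-rc1` satisfies neither a plain `>=3.0.0` nor a plain `<3.0.0` constraint, so this HPA would not render for such a value, and in security-context-constraint-rolebinding.yaml neither the webserver nor the api-server subject would be bound. If pre-release `airflowVersion` strings are a supported input, the usual idiom is `semverCompare ">=3.0.0-0" .Values.airflowVersion`; if they are not, a one-line template comment saying the chart expects a final release string would spare the next reader the same check. Whether other templates in the chart already rely on the strict form is not visible from this hunk.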
diff --git a/chart/templates/pgbouncer/pgbouncer-networkpolicy.yaml 
b/chart/templates/pgbouncer/pgbouncer-networkpolicy.yaml
index f80f3e1264d..8fd2a616f36 100644
--- a/chart/templates/pgbouncer/pgbouncer-networkpolicy.yaml
+++ b/chart/templates/pgbouncer/pgbouncer-networkpolicy.yaml
@@ -24,7 +24,7 @@
 {{- if hasKey .Values.workers "celery" }}
   {{- $kedaEnabled = or .Values.workers.celery.keda.enabled (and (not (has 
.Values.workers.celery.keda.enabled (list true false))) 
.Values.workers.keda.enabled) }}
 {{- end }}
-{{- $workersKedaEnabled := and $kedaEnabled (has .Values.executor (list 
"CeleryExecutor" "CeleryKubernetesExecutor")) }}
+{{- $workersKedaEnabled := and $kedaEnabled (or (contains "CeleryExecutor" 
.Values.executor) (contains "CeleryKubernetesExecutor" .Values.executor)) }}
 {{- $triggererEnabled := .Values.triggerer.enabled }}
 {{- $triggererKedaEnabled := and $triggererEnabled 
.Values.triggerer.keda.enabled }}
 {{- if and .Values.pgbouncer.enabled .Values.networkPolicies.enabled }}
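Review bot: Replacing `has .Values.executor (list ...)` with `contains "CeleryExecutor" .Values.executor` turns an exact membership check into a substring test, and nothing in the template records why. The motivation appears to be comma-separated multi-executor values (the new pgbouncer tests pass strings such as `LocalExecutor,CeleryExecutor,KubernetesExecutor`), but the substring form also accepts any value that merely embeds the name, for example a dotted class path, which the old check rejected. A comment above the line, `{{- /* executor may be a comma-separated list; substring match is deliberate */ -}}`, would make the intent explicit. The same construct is introduced in security-context-constraint-rolebinding.yaml.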
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml 
b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 40055e8606c..45f95480cd7 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -21,7 +21,6 @@
 ## Airflow SCC Role Binding
 ###########################
 {{- if and .Values.rbac.create .Values.rbac.createSCCRoleBinding }}
-{{- $hasWorkers := has .Values.executor (list "CeleryExecutor" 
"LocalKubernetesExecutor" "KubernetesExecutor" "CeleryKubernetesExecutor") }}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.multiNamespaceMode }}
 kind: ClusterRoleBinding
@@ -51,20 +50,26 @@ roleRef:
   kind: ClusterRole
   name: system:openshift:scc:anyuid
 subjects:
+  {{- if and .Values.webserver.enabled (semverCompare "<3.0.0" 
.Values.airflowVersion) }}
   - kind: ServiceAccount
     name: {{ include "webserver.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
-  {{- if $hasWorkers }}
+  {{- end }}
+  {{- if or (contains "CeleryExecutor" .Values.executor) (contains 
"LocalKubernetesExecutor" .Values.executor) (contains "KubernetesExecutor" 
.Values.executor) (contains "CeleryKubernetesExecutor" .Values.executor) }}
   - kind: ServiceAccount
     name: {{ include "worker.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
   {{- end }}
+  {{- if .Values.scheduler.enabled }}
   - kind: ServiceAccount
     name: {{ include "scheduler.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
+  {{- end }}
+  {{- if and .Values.apiServer.enabled (semverCompare ">=3.0.0" 
.Values.airflowVersion) }}
   - kind: ServiceAccount
     name: {{ include "apiServer.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
+  {{- end }}
   {{- if and .Values.statsd.enabled }}
   - kind: ServiceAccount
     name: {{ include "statsd.serviceAccountName" . }}
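Review bot: The worker guard spells out four `contains` alternatives, but because `contains` is a substring test, `contains "KubernetesExecutor" .Values.executor` is already true whenever the value holds `LocalKubernetesExecutor` or `CeleryKubernetesExecutor`, so the condition reduces to `{{- if or (contains "CeleryExecutor" .Values.executor) (contains "KubernetesExecutor" .Values.executor) }}`. The shorter form also makes the substring semantics visible instead of reading like an exact four-name allow-list. Narrowing the `system:openshift:scc:anyuid` binding to service accounts of enabled components is the right direction for this file; the enclosing `{{- if and .Values.rbac.create ... }}` block starts before this hunk and ends after it.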
@@ -80,12 +85,16 @@ subjects:
     name: {{ include "redis.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
   {{- end }}
+  {{- if .Values.triggerer.enabled }}
   - kind: ServiceAccount
     name: {{ include "triggerer.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
+  {{- end }}
+  {{- if .Values.migrateDatabaseJob.enabled }}
   - kind: ServiceAccount
     name: {{ include "migrateDatabaseJob.serviceAccountName" . }}
     namespace: "{{ .Release.Namespace }}"
+  {{- end }}
   {{- if eq (include "createUserJob.isEnabled" .) "true" }}
   - kind: ServiceAccount
     name: {{ include "createUserJob.serviceAccountName" . }}
diff --git a/chart/templates/secrets/flower-secret.yaml 
b/chart/templates/secrets/flower-secret.yaml
index e402f27dc3b..66395881d19 100644
--- a/chart/templates/secrets/flower-secret.yaml
+++ b/chart/templates/secrets/flower-secret.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Flower Secret
 #################################
-{{- if (and (not .Values.flower.secretName) .Values.flower.username 
.Values.flower.password) }}
+{{- if and .Values.flower.enabled (not .Values.flower.secretName) 
.Values.flower.username .Values.flower.password }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/chart/templates/secrets/kerberos-keytab-secret.yaml 
b/chart/templates/secrets/kerberos-keytab-secret.yaml
index 6cb90d544b9..cf1bc3ca23f 100644
--- a/chart/templates/secrets/kerberos-keytab-secret.yaml
+++ b/chart/templates/secrets/kerberos-keytab-secret.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Kerberos Secret
 #################################
-{{- if .Values.kerberos.keytabBase64Content }}
+{{- if and .Values.kerberos.enabled .Values.kerberos.keytabBase64Content }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/chart/templates/secrets/pgbouncer-certificates-secret.yaml 
b/chart/templates/secrets/pgbouncer-certificates-secret.yaml
index bd09f704e0f..e826d16a97c 100644
--- a/chart/templates/secrets/pgbouncer-certificates-secret.yaml
+++ b/chart/templates/secrets/pgbouncer-certificates-secret.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Pgbouncer Certificate Secret
 #################################
-{{- if or .Values.pgbouncer.ssl.ca .Values.pgbouncer.ssl.cert 
.Values.pgbouncer.ssl.key }}
+{{- if and .Values.pgbouncer.enabled (or .Values.pgbouncer.ssl.ca 
.Values.pgbouncer.ssl.cert .Values.pgbouncer.ssl.key) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/helm-tests/tests/helm_tests/other/test_flower.py 
b/helm-tests/tests/helm_tests/other/test_flower.py
index 502c129a98e..5bc695fdd53 100644
--- a/helm-tests/tests/helm_tests/other/test_flower.py
+++ b/helm-tests/tests/helm_tests/other/test_flower.py
@@ -746,3 +746,18 @@ class TestFlowerSecret:
 
         assert "annotations" in jmespath.search("metadata", docs)
         assert jmespath.search("metadata.annotations", 
docs)["test_annotation"] == "test_annotation_value"
+
+    def test_not_render_secret_when_flower_disabled(self):
+        docs = render_chart(
+            values={
+                "flower": {
+                    "enabled": False,
+                    "username": "username",
+                    "password": "password",
+                    "secretAnnotations": {"test_annotation": 
"test_annotation_value"},
+                }
+            },
+            show_only=["templates/secrets/flower-secret.yaml"],
+        )
+
+        assert len(docs) == 0
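Review bot: The fixture in `test_not_render_secret_when_flower_disabled` carries a `secretAnnotations` entry that the test can never observe, since the only assertion is that nothing was rendered. Dropping it leaves `enabled`, `username` and `password`, which are exactly the values the template condition reads, and makes it obvious that `enabled: False` alone is what suppresses the secret.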
diff --git a/helm-tests/tests/helm_tests/other/test_pgbouncer.py 
b/helm-tests/tests/helm_tests/other/test_pgbouncer.py
index f8b3885cc94..27e0f60378a 100644
--- a/helm-tests/tests/helm_tests/other/test_pgbouncer.py
+++ b/helm-tests/tests/helm_tests/other/test_pgbouncer.py
@@ -615,6 +615,19 @@ class TestPgbouncerConfig:
         assert "annotations" in jmespath.search("metadata", docs)
         assert jmespath.search("metadata.annotations", 
docs)["test_annotation"] == "test_annotation_value"
 
+    def test_should_not_render_cert_secret_when_pgbouncer_disabled(self):
+        docs = render_chart(
+            values={
+                "pgbouncer": {
+                    "enabled": False,
+                    "ssl": {"ca": "someca", "cert": "somecert", "key": 
"somekey"},
+                },
+            },
+            show_only=["templates/secrets/pgbouncer-certificates-secret.yaml"],
+        )
+
+        assert len(docs) == 0
+
     def test_extra_ini_configs(self):
         values = {"pgbouncer": {"enabled": True, "extraIni": 
"server_round_robin = 1\nstats_period = 30"}}
         ini = self._get_pgbouncer_ini(values)
@@ -859,30 +872,52 @@ class TestPgBouncerServiceAccount:
 class TestPgbouncerNetworkPolicy:
     """Tests PgBouncer Network Policy."""
 
-    def test_should_create_pgbouncer_network_policy(self):
+    @pytest.mark.parametrize(
+        "executor",
+        [
+            "CeleryExecutor",
+            "CeleryKubernetesExecutor",
+            "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+            "LocalExecutor,CeleryKubernetesExecutor,KubernetesExecutor",
+        ],
+    )
+    def test_should_create_pgbouncer_network_policy(self, executor):
         docs = render_chart(
-            values={"pgbouncer": {"enabled": True}, "networkPolicies": 
{"enabled": True}},
+            values={
+                "executor": executor,
+                "pgbouncer": {"enabled": True},
+                "networkPolicies": {"enabled": True},
+            },
             show_only=["templates/pgbouncer/pgbouncer-networkpolicy.yaml"],
         )
 
         assert jmespath.search("kind", docs[0]) == "NetworkPolicy"
         assert jmespath.search("metadata.name", docs[0]) == 
"release-name-pgbouncer-policy"
 
+    @pytest.mark.parametrize(
+        "executor",
+        [
+            "CeleryExecutor",
+            "CeleryKubernetesExecutor",
+            "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+            "LocalExecutor,CeleryKubernetesExecutor,KubernetesExecutor",
+        ],
+    )
     @pytest.mark.parametrize(
         "values",
         [
-            {"executor": "CeleryExecutor", "workers": {"keda": {"enabled": 
True}}},
+            {"workers": {"keda": {"enabled": True}}},
             {"triggerer": {"keda": {"enabled": True}}},
             {
-                "executor": "CeleryExecutor",
                 "workers": {"keda": {"enabled": True}},
                 "triggerer": {"keda": {"enabled": True}},
             },
         ],
     )
-    def test_pod_selectors_with_keda_without_namespace_labels(self, values):
+    def test_pod_selectors_with_keda_without_namespace_labels(self, executor, 
values):
         docs = render_chart(
             values={
+                "executor": executor,
                 "pgbouncer": {"enabled": True},
                 "networkPolicies": {"enabled": True},
                 **values,
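Review bot: The four-element executor list is pasted verbatim into three `@pytest.mark.parametrize` decorators in this class (here, on `test_pod_selectors_with_keda_without_namespace_labels`, and on `test_pod_selectors_with_namespace_labels` in the next hunk); a single module-level constant keeps the cases in one place when a new executor string is added. If the file has no case where a non-Celery executor such as `LocalExecutor` leaves the worker pod selector out, that negative case would pin the other side of the new `contains` logic. The body of `test_pod_selectors_with_keda_without_namespace_labels` continues past the end of this hunk.
```python
CELERY_EXECUTORS = [
    "CeleryExecutor",
    "CeleryKubernetesExecutor",
    "LocalExecutor,CeleryExecutor,KubernetesExecutor",
    "LocalExecutor,CeleryKubernetesExecutor,KubernetesExecutor",
]
# … unchanged: TestPgbouncerNetworkPolicy class header and docstring …
    @pytest.mark.parametrize("executor", CELERY_EXECUTORS)
    def test_should_create_pgbouncer_network_policy(self, executor):
```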
@@ -895,22 +930,28 @@ class TestPgbouncerNetworkPolicy:
         ]
 
     @pytest.mark.parametrize(
-        "conf",
+        "executor",
+        [
+            "CeleryExecutor",
+            "CeleryKubernetesExecutor",
+            "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+            "LocalExecutor,CeleryKubernetesExecutor,KubernetesExecutor",
+        ],
+    )
+    @pytest.mark.parametrize(
+        "values",
         [
             # test with workers.keda/workers.celery.keda enabled with 
namespace labels
             {
-                "executor": "CeleryExecutor",
                 "workers": {
                     "keda": {"namespaceLabels": {"app": "airflow"}},
                     "celery": {"keda": {"enabled": True}},
                 },
             },
             {
-                "executor": "CeleryExecutor",
                 "workers": {"celery": {"keda": {"enabled": True, 
"namespaceLabels": {"app": "airflow"}}}},
             },
             {
-                "executor": "CeleryExecutor",
                 "workers": {
                     "keda": {"namespaceLabels": {"airflow": "app"}},
                     "celery": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
@@ -920,42 +961,38 @@ class TestPgbouncerNetworkPolicy:
             {"triggerer": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}}},
             # test with workers.keda/workers.celery.keda and triggerer.keda 
both enabled with namespace labels
             {
-                "executor": "CeleryExecutor",
                 "workers": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
                 "triggerer": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
             },
             {
-                "executor": "CeleryExecutor",
                 "workers": {"celery": {"keda": {"enabled": True, 
"namespaceLabels": {"app": "airflow"}}}},
                 "triggerer": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
             },
             # test with workers.keda/workers.celery.keda and triggerer.keda 
both enabled workers
             # with namespace labels and triggerer without namespace labels
             {
-                "executor": "CeleryExecutor",
                 "workers": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
                 "triggerer": {"keda": {"enabled": True}},
             },
             {
-                "executor": "CeleryExecutor",
                 "workers": {"celery": {"keda": {"enabled": True, 
"namespaceLabels": {"app": "airflow"}}}},
                 "triggerer": {"keda": {"enabled": True}},
             },
             # test with workers.celery.keda and triggerer.keda both enabled 
workers without namespace labels
             # and triggerer with namespace labels
             {
-                "executor": "CeleryExecutor",
                 "workers": {"celery": {"keda": {"enabled": True}}},
                 "triggerer": {"keda": {"enabled": True, "namespaceLabels": 
{"app": "airflow"}}},
             },
         ],
     )
-    def test_pod_selectors_with_namespace_labels(self, conf):
+    def test_pod_selectors_with_namespace_labels(self, executor, values):
         docs = render_chart(
             values={
+                "executor": executor,
                 "pgbouncer": {"enabled": True},
                 "networkPolicies": {"enabled": True},
-                **conf,
+                **values,
             },
             show_only=["templates/pgbouncer/pgbouncer-networkpolicy.yaml"],
         )
diff --git a/helm-tests/tests/helm_tests/security/test_kerberos.py 
b/helm-tests/tests/helm_tests/security/test_kerberos.py
index bb23ae67ac1..9978ae86591 100644
--- a/helm-tests/tests/helm_tests/security/test_kerberos.py
+++ b/helm-tests/tests/helm_tests/security/test_kerberos.py
@@ -155,6 +155,20 @@ class TestKerberos:
 
         assert jmespath.search('data."kerberos.keytab"', docs[0]) == 
"dGVzdGtleXRhYg=="
 
+    def test_kerberos_keytab_secret_unavailable_when_keberos_disabled(self):
+        docs = render_chart(
+            values={
+                "executor": "CeleryExecutor",
+                "kerberos": {
+                    "enabled": False,
+                    "keytabBase64Content": "dGVzdGtleXRhYg==",
+                },
+            },
+            show_only=["templates/secrets/kerberos-keytab-secret.yaml"],
+        )
+
+        assert len(docs) == 0
+
     def test_kerberos_keytab_secret_unavailable_when_not_specified(self):
         docs = render_chart(
             values={
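Review bot: The new test name has a typo, `keberos`; it should read `test_kerberos_keytab_secret_unavailable_when_kerberos_disabled` so that `-k kerberos` selects it together with its siblings. The `"executor": "CeleryExecutor"` entry also looks unrelated to the secret's render condition, which in this commit reads only `kerberos.enabled` and `kerberos.keytabBase64Content`; unless the template body depends on the executor elsewhere, the value can be dropped to keep the fixture minimal.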
diff --git a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py 
b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
index e40bb909beb..664134474c4 100644
--- a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
@@ -24,6 +24,63 @@ from chart_utils.helm_template_generator import render_chart
 class TestSCCActivation:
     """Tests SCCs."""
 
+    def test_zero_subjects_when_all_disabled_airflow_2(self):
+        docs = render_chart(
+            values={
+                "airflowVersion": "2.11.0",
+                "multiNamespaceMode": False,
+                "executor": "LocalExecutor",
+                "data": {"brokerUrlSecretName": "test"},
+                "cleanup": {"enabled": False},
+                "databaseCleanup": {"enabled": False},
+                "flower": {"enabled": False},
+                "rbac": {"create": True, "createSCCRoleBinding": True},
+                "dagProcessor": {"enabled": False},
+                "webserver": {"enabled": False},
+                "scheduler": {"enabled": False},
+                "statsd": {"enabled": False},
+                "triggerer": {"enabled": False},
+                "redis": {"enabled": False},
+                "migrateDatabaseJob": {"enabled": False},
+                "createUserJob": {"enabled": False},
+            },
+            
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+        )
+
+        assert jmespath.search("kind", docs[0]) == "RoleBinding"
+        assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
+        assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
+        assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+        assert jmespath.search("subjects", docs[0]) is None
+
+    def test_zero_subjects_when_all_disabled(self):
+        docs = render_chart(
+            values={
+                "multiNamespaceMode": False,
+                "executor": "LocalExecutor",
+                "data": {"brokerUrlSecretName": "test"},
+                "cleanup": {"enabled": False},
+                "databaseCleanup": {"enabled": False},
+                "flower": {"enabled": False},
+                "rbac": {"create": True, "createSCCRoleBinding": True},
+                "dagProcessor": {"enabled": False},
+                "apiServer": {"enabled": False},
+                "scheduler": {"enabled": False},
+                "statsd": {"enabled": False},
+                "triggerer": {"enabled": False},
+                "redis": {"enabled": False},
+                "migrateDatabaseJob": {"enabled": False},
+                "createUserJob": {"enabled": False},
+            },
+            
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+        )
+
+        assert jmespath.search("kind", docs[0]) == "RoleBinding"
+        assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
+        assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
+        assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+        assert jmespath.search("subjects", docs[0]) is None
+
     @pytest.mark.parametrize(
         ("rbac_enabled", "scc_enabled", "created"),
         [
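Review bot: `test_zero_subjects_when_all_disabled_airflow_2` and `test_zero_subjects_when_all_disabled` repeat a fifteen-key fixture and four assertions that differ only in `airflowVersion` and in which UI component is disabled (`webserver` versus `apiServer`); one parametrized test over those two entries keeps the shared keys in a single place. The `is None` assertion relies on the template still emitting a bare `subjects:` key when every component is disabled, which is fine for the current template but worth a short comment so a later change that drops the key is not mistaken for a regression.
```python
    @pytest.mark.parametrize(
        "version_values",
        [
            {"airflowVersion": "2.11.0", "webserver": {"enabled": False}},
            {"apiServer": {"enabled": False}},
        ],
    )
    def test_zero_subjects_when_all_disabled(self, version_values):
        docs = render_chart(
            values={
                **version_values,
                # … unchanged: the remaining "enabled": False entries and rbac …
            },
            show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
        )
        # … unchanged: kind / roleRef / metadata.name assertions …
        # the template always emits a `subjects:` key, so an empty list renders as None
        assert jmespath.search("subjects", docs[0]) is None
```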
@@ -33,9 +90,10 @@ class TestSCCActivation:
             (True, False, False),
         ],
     )
-    def test_create_scc(self, rbac_enabled, scc_enabled, created):
+    def test_create_scc_airflow_2(self, rbac_enabled, scc_enabled, created):
         docs = render_chart(
             values={
+                "airflowVersion": "2.11.0",
                 "multiNamespaceMode": False,
                 "cleanup": {"enabled": True},
                 "databaseCleanup": {"enabled": True},
@@ -52,82 +110,144 @@ class TestSCCActivation:
             assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
             assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
             assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
-            assert jmespath.search("subjects[0].name", docs[0]) == 
"release-name-airflow-webserver"
-            assert jmespath.search("subjects[1].name", docs[0]) == 
"release-name-airflow-worker"
-            assert jmespath.search("subjects[2].name", docs[0]) == 
"release-name-airflow-scheduler"
-            assert jmespath.search("subjects[3].name", docs[0]) == 
"release-name-airflow-api-server"
-            assert jmespath.search("subjects[4].name", docs[0]) == 
"release-name-airflow-statsd"
-            assert jmespath.search("subjects[5].name", docs[0]) == 
"release-name-airflow-flower"
-            assert jmespath.search("subjects[6].name", docs[0]) == 
"release-name-airflow-redis"
-            assert jmespath.search("subjects[7].name", docs[0]) == 
"release-name-airflow-triggerer"
-            assert jmespath.search("subjects[8].name", docs[0]) == 
"release-name-airflow-migrate-database-job"
-            assert jmespath.search("subjects[9].name", docs[0]) == 
"release-name-airflow-create-user-job"
-            assert jmespath.search("subjects[10].name", docs[0]) == 
"release-name-airflow-cleanup"
-            assert jmespath.search("subjects[11].name", docs[0]) == 
"release-name-airflow-database-cleanup"
-            assert jmespath.search("subjects[12].name", docs[0]) == 
"release-name-airflow-dag-processor"
+            assert jmespath.search("subjects | [*].name", docs[0]) == [
+                "release-name-airflow-webserver",
+                "release-name-airflow-worker",
+                "release-name-airflow-scheduler",
+                "release-name-airflow-statsd",
+                "release-name-airflow-flower",
+                "release-name-airflow-redis",
+                "release-name-airflow-triggerer",
+                "release-name-airflow-migrate-database-job",
+                "release-name-airflow-create-user-job",
+                "release-name-airflow-cleanup",
+                "release-name-airflow-database-cleanup",
+                "release-name-airflow-dag-processor",
+            ]
 
     @pytest.mark.parametrize(
-        ("rbac_enabled", "scc_enabled", "created", "namespace", 
"expected_name"),
+        ("rbac_enabled", "scc_enabled", "created"),
         [
-            (True, True, True, "default", 
"default-release-name-scc-rolebinding"),
-            (True, True, True, "other-ns", 
"other-ns-release-name-scc-rolebinding"),
+            (False, False, False),
+            (False, True, False),
+            (True, True, True),
+            (True, False, False),
         ],
     )
-    def test_create_scc_multinamespace(self, rbac_enabled, scc_enabled, 
created, namespace, expected_name):
+    def test_create_scc(self, rbac_enabled, scc_enabled, created):
         docs = render_chart(
-            namespace=namespace,
             values={
-                "multiNamespaceMode": True,
-                "createUserJob": {"enabled": False},
-                "cleanup": {"enabled": False},
-                "databaseCleanup": {"enabled": False},
-                "flower": {"enabled": False},
+                "multiNamespaceMode": False,
+                "cleanup": {"enabled": True},
+                "databaseCleanup": {"enabled": True},
+                "flower": {"enabled": True},
                 "rbac": {"create": rbac_enabled, "createSCCRoleBinding": 
scc_enabled},
+                "dagProcessor": {"enabled": True},
             },
             
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
         )
 
         assert bool(docs) is created
         if created:
-            assert jmespath.search("kind", docs[0]) == "ClusterRoleBinding"
+            assert jmespath.search("kind", docs[0]) == "RoleBinding"
             assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
-            assert expected_name == jmespath.search("metadata.name", docs[0])
+            assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
             assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+            assert jmespath.search("subjects | [*].name", docs[0]) == [
+                "release-name-airflow-worker",
+                "release-name-airflow-scheduler",
+                "release-name-airflow-api-server",
+                "release-name-airflow-statsd",
+                "release-name-airflow-flower",
+                "release-name-airflow-redis",
+                "release-name-airflow-triggerer",
+                "release-name-airflow-migrate-database-job",
+                "release-name-airflow-create-user-job",
+                "release-name-airflow-cleanup",
+                "release-name-airflow-database-cleanup",
+                "release-name-airflow-dag-processor",
+            ]
 
     @pytest.mark.parametrize(
-        ("rbac_enabled", "scc_enabled", "created"),
+        ("namespace", "expected_name"),
         [
-            (True, True, True),
+            ("default", "default-release-name-scc-rolebinding"),
+            ("other-ns", "other-ns-release-name-scc-rolebinding"),
         ],
     )
-    def test_create_scc_worker_only(self, rbac_enabled, scc_enabled, created):
+    def test_create_scc_multinamespace(self, namespace, expected_name):
+        docs = render_chart(
+            namespace=namespace,
+            values={
+                "multiNamespaceMode": True,
+                "createUserJob": {"enabled": False},
+                "cleanup": {"enabled": False},
+                "databaseCleanup": {"enabled": False},
+                "flower": {"enabled": False},
+                "rbac": {"create": True, "createSCCRoleBinding": True},
+            },
+            
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+        )
+
+        assert jmespath.search("kind", docs[0]) == "ClusterRoleBinding"
+        assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
+        assert expected_name == jmespath.search("metadata.name", docs[0])
+        assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+
+    def test_create_scc_worker_only_airflow_2(self):
         docs = render_chart(
             values={
+                "airflowVersion": "2.11.0",
                 "multiNamespaceMode": False,
                 "createUserJob": {"enabled": False},
                 "cleanup": {"enabled": False},
                 "databaseCleanup": {"enabled": False},
                 "flower": {"enabled": False},
                 "statsd": {"enabled": False},
-                "rbac": {"create": rbac_enabled, "createSCCRoleBinding": 
scc_enabled},
+                "rbac": {"create": True, "createSCCRoleBinding": True},
             },
             
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
         )
 
-        assert bool(docs) is created
-        if created:
-            assert jmespath.search("kind", docs[0]) == "RoleBinding"
-            assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
-            assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
-            assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
-            assert jmespath.search("subjects[0].name", docs[0]) == 
"release-name-airflow-webserver"
-            assert jmespath.search("subjects[1].name", docs[0]) == 
"release-name-airflow-worker"
-            assert jmespath.search("subjects[2].name", docs[0]) == 
"release-name-airflow-scheduler"
-            assert jmespath.search("subjects[3].name", docs[0]) == 
"release-name-airflow-api-server"
-            assert jmespath.search("subjects[4].name", docs[0]) == 
"release-name-airflow-redis"
-            assert jmespath.search("subjects[5].name", docs[0]) == 
"release-name-airflow-triggerer"
-            assert jmespath.search("subjects[6].name", docs[0]) == 
"release-name-airflow-migrate-database-job"
-            assert len(docs[0]["subjects"]) == 7
+        assert jmespath.search("kind", docs[0]) == "RoleBinding"
+        assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
+        assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
+        assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+        assert jmespath.search("subjects | [*].name", docs[0]) == [
+            "release-name-airflow-webserver",
+            "release-name-airflow-worker",
+            "release-name-airflow-scheduler",
+            "release-name-airflow-redis",
+            "release-name-airflow-triggerer",
+            "release-name-airflow-migrate-database-job",
+        ]
+
+    def test_create_scc_worker_only(self):
+        docs = render_chart(
+            values={
+                "multiNamespaceMode": False,
+                "createUserJob": {"enabled": False},
+                "cleanup": {"enabled": False},
+                "databaseCleanup": {"enabled": False},
+                "flower": {"enabled": False},
+                "statsd": {"enabled": False},
+                "rbac": {"create": True, "createSCCRoleBinding": True},
+            },
+            
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+        )
+
+        assert jmespath.search("kind", docs[0]) == "RoleBinding"
+        assert jmespath.search("roleRef.kind", docs[0]) == "ClusterRole"
+        assert jmespath.search("metadata.name", docs[0]) == 
"release-name-scc-rolebinding"
+        assert jmespath.search("roleRef.name", docs[0]) == 
"system:openshift:scc:anyuid"
+        assert jmespath.search("subjects | [*].name", docs[0]) == [
+            "release-name-airflow-worker",
+            "release-name-airflow-scheduler",
+            "release-name-airflow-api-server",
+            "release-name-airflow-redis",
+            "release-name-airflow-triggerer",
+            "release-name-airflow-migrate-database-job",
+        ]
 
     def 
test_deprecated_default_user_disabled_excludes_create_user_subject(self):
         """webserver.defaultUser.enabled=false should exclude the 
create-user-job service account."""
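Review bot: The projection `"subjects | [*].name"` is the long spelling of `"subjects[*].name"`; the pipe adds nothing here and the plain form is what readers of jmespath expect, so `assert jmespath.search("subjects[*].name", docs[0]) == [...]` reads better in all four places it appears in this hunk. Collapsing the thirteen per-index assertions into one list comparison is a clear improvement, since a failure now shows the whole subject list. The `_airflow_2` / Airflow 3 pairs (`test_create_scc_worker_only_airflow_2` and `test_create_scc_worker_only`) differ only in `airflowVersion` and in which UI subject is expected, so a single test parametrized on the expected subject list would remove the duplicated fixture; `TestSCCActivation` continues past the end of this hunk.
```python
    @pytest.mark.parametrize(
        ("version_values", "expected_subjects"),
        [
            (
                {"airflowVersion": "2.11.0"},
                ["release-name-airflow-webserver", "release-name-airflow-worker", "release-name-airflow-scheduler",
                 "release-name-airflow-redis", "release-name-airflow-triggerer", "release-name-airflow-migrate-database-job"],
            ),
            (
                {},
                ["release-name-airflow-worker", "release-name-airflow-scheduler", "release-name-airflow-api-server",
                 "release-name-airflow-redis", "release-name-airflow-triggerer", "release-name-airflow-migrate-database-job"],
            ),
        ],
    )
    def test_create_scc_worker_only(self, version_values, expected_subjects):
        docs = render_chart(
            values={
                **version_values,
                # … unchanged: multiNamespaceMode / createUserJob / cleanup / databaseCleanup / flower / statsd / rbac entries …
            },
            show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
        )
        # … unchanged: kind / roleRef / metadata.name assertions …
        assert jmespath.search("subjects[*].name", docs[0]) == expected_subjects
```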
