(airflow) branch main updated: Fix Kubernetes worker service account values (#66598)

Sun, 10 May 2026 10:12:54 -0700 

This is an automated email from the ASF dual-hosted git repository.

jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 4fc7a532542 Fix Kubernetes worker service account values (#66598)
4fc7a532542 is described below

commit 4fc7a5325426a9ef68f53d4afe34a5bf8ea8a333
Author: Paul Kagiri <[email protected]>
AuthorDate: Sun May 10 20:11:03 2026 +0300

    Fix Kubernetes worker service account values (#66598)
    
    * Fix Kubernetes worker service account values
    
    * Fix static checks
    
    ---------
    
    Co-authored-by: Jens Scheffler <[email protected]>
---
 chart/files/pod-template-file.kubernetes-helm-yaml    |  2 +-
 chart/templates/workers/worker-serviceaccount.yaml    |  3 ++-
 .../helm_tests/airflow_aux/test_pod_template_file.py  | 19 +++++++++++++++++++
 chart/tests/helm_tests/airflow_core/test_worker.py    | 18 ++++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml 
b/chart/files/pod-template-file.kubernetes-helm-yaml
index 33da1d48eb9..bbb764937d7 100644
--- a/chart/files/pod-template-file.kubernetes-helm-yaml
+++ b/chart/files/pod-template-file.kubernetes-helm-yaml
@@ -224,7 +224,7 @@ spec:
   terminationGracePeriodSeconds: {{ 
.Values.workers.kubernetes.terminationGracePeriodSeconds | default 
.Values.workers.terminationGracePeriodSeconds }}
   tolerations: {{- toYaml $tolerations | nindent 4 }}
   topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 4 
}}
-  {{- if .Values.workers.kubernetes.serviceAccount.create }}
+  {{- if has .Values.workers.kubernetes.serviceAccount.create (list true 
false) }}
   serviceAccountName: {{ include "worker.kubernetes.serviceAccountName" . }}
   {{- else }}
   serviceAccountName: {{ include "worker.serviceAccountName" . }}
diff --git a/chart/templates/workers/worker-serviceaccount.yaml 
b/chart/templates/workers/worker-serviceaccount.yaml
index cbcf95381e8..a3da9f639ce 100644
--- a/chart/templates/workers/worker-serviceaccount.yaml
+++ b/chart/templates/workers/worker-serviceaccount.yaml
@@ -32,7 +32,8 @@
   {{- $workers := (include "workersMergeValues" (list $mergedWorkers 
$workerSet "" list) | fromYaml) -}}
   {{- $_ := set $globals.Values "workers" $workers -}}
   {{- with $globals -}}
-{{- if and .Values.workers.serviceAccount.create (include 
"airflow.podLaunchingExecutor" .) }}
+{{- $useKubernetesServiceAccount := and (contains "KubernetesExecutor" 
.Values.executor) (has .Values.workers.kubernetes.serviceAccount.create (list 
true false)) -}}
+{{- if and .Values.workers.serviceAccount.create (include 
"airflow.podLaunchingExecutor" .) (or (contains "CeleryExecutor" 
.Values.executor) (not $useKubernetesServiceAccount)) }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/chart/tests/helm_tests/airflow_aux/test_pod_template_file.py 
b/chart/tests/helm_tests/airflow_aux/test_pod_template_file.py
index b65ef577d45..579235cf7bf 100644
--- a/chart/tests/helm_tests/airflow_aux/test_pod_template_file.py
+++ b/chart/tests/helm_tests/airflow_aux/test_pod_template_file.py
@@ -2107,3 +2107,22 @@ class TestPodTemplateFile:
         )
 
         assert jmespath.search("spec.serviceAccountName", docs[0]) == 
"test-release-airflow-worker-kubernetes"
+
+    def test_dedicated_service_account_name_when_creation_disabled(self):
+        docs = render_chart(
+            name="test-release",
+            values={
+                "workers": {
+                    "kubernetes": {
+                        "serviceAccount": {
+                            "create": False,
+                            "name": "airflow",
+                        }
+                    }
+                }
+            },
+            show_only=["templates/pod-template-file.yaml"],
+            chart_dir=self.temp_chart_dir,
+        )
+
+        assert jmespath.search("spec.serviceAccountName", docs[0]) == "airflow"
diff --git a/chart/tests/helm_tests/airflow_core/test_worker.py 
b/chart/tests/helm_tests/airflow_core/test_worker.py
index e9997e9be89..1e561d2029d 100644
--- a/chart/tests/helm_tests/airflow_core/test_worker.py
+++ b/chart/tests/helm_tests/airflow_core/test_worker.py
@@ -2982,6 +2982,24 @@ class TestWorkerKubernetesServiceAccount:
 
         assert len(docs) == 1
 
+    def 
test_should_not_create_legacy_service_account_when_k8s_service_account_disabled(self):
+        docs = render_chart(
+            values={
+                "executor": "KubernetesExecutor",
+                "workers": {
+                    "kubernetes": {
+                        "serviceAccount": {
+                            "create": False,
+                            "name": "airflow",
+                        }
+                    }
+                },
+            },
+            show_only=["templates/workers/worker-serviceaccount.yaml"],
+        )
+
+        assert len(docs) == 0
+
     @pytest.mark.parametrize(
         "executor",
         [

Reply via email to