bugraoz93 pushed a commit to branch chart/v1-2x-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/chart/v1-2x-test by this push:
new a92cd667fcf Add binding for workers.kubernetes & condition workers SA
(#66730) (#66814)
a92cd667fcf is described below
commit a92cd667fcf6d3397ad73e84d6ca454d59ea5cf0
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Tue May 12 21:30:02 2026 +0200
Add binding for workers.kubernetes & condition workers SA (#66730) (#66814)
(cherry picked from commit 84420e0215672d75d45bd7937a61ab11dff2fdeb)
---
chart/templates/rbac/job-launcher-rolebinding.yaml | 7 +-
chart/templates/rbac/pod-launcher-rolebinding.yaml | 7 +-
.../security-context-constraint-rolebinding.yaml | 7 +-
.../airflow_aux/test_job_launcher_role.py | 226 +++++++++++++++++++++
.../airflow_aux/test_pod_launcher_role.py | 226 +++++++++++++++++++++
.../helm_tests/security/test_scc_rolebinding.py | 226 +++++++++++++++++++++
6 files changed, 696 insertions(+), 3 deletions(-)
diff --git a/chart/templates/rbac/job-launcher-rolebinding.yaml
b/chart/templates/rbac/job-launcher-rolebinding.yaml
index 4babd4b7b57..86603aa47f6 100644
--- a/chart/templates/rbac/job-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/job-launcher-rolebinding.yaml
@@ -60,9 +60,14 @@ subjects:
name: {{ include "scheduler.serviceAccountName" $ }}
namespace: "{{ $.Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor) (contains "CeleryKubernetesExecutor" .Values.executor) }}
+ {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
name: {{ include "worker.serviceAccountName" $ }}
namespace: "{{ $.Release.Namespace }}"
{{- end }}
+ {{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
+ - kind: ServiceAccount
+ name: {{ include "worker.kubernetes.serviceAccountName" $ }}
+ namespace: "{{ $.Release.Namespace }}"
+ {{- end }}
{{- end }}
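Review bot: The generic worker subject is now gated only on `workers.kubernetes.serviceAccount.create` being nil, so a values file that sets just `workers.kubernetes.serviceAccount.name` with `KubernetesExecutor` satisfies both `if` blocks and binds `worker.serviceAccountName` as well as `worker.kubernetes.serviceAccountName` to this role. If the dedicated account is meant to replace the generic one, the nil branch should also require an empty name, e.g. `(and (eq .Values.workers.kubernetes.serviceAccount.create nil) (not .Values.workers.kubernetes.serviceAccount.name))`. If the double binding is a deliberate fallback, a template comment saying so would help whoever audits the rendered RoleBinding. The same condition is repeated in the pod-launcher and security-context-constraint hunks, where the extra subject presumably carries the pod-launch role and the SCC respectively. The enclosing `subjects:` list starts outside this hunk.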
diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml
b/chart/templates/rbac/pod-launcher-rolebinding.yaml
index b3deb3f2dfb..7979585673a 100644
--- a/chart/templates/rbac/pod-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -60,11 +60,16 @@ subjects:
name: {{ include "scheduler.serviceAccountName" $ }}
namespace: "{{ $.Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor) (contains "CeleryKubernetesExecutor" .Values.executor) }}
+ {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
name: {{ include "worker.serviceAccountName" $ }}
namespace: "{{ $.Release.Namespace }}"
{{- end }}
+ {{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
+ - kind: ServiceAccount
+ name: {{ include "worker.kubernetes.serviceAccountName" $ }}
+ namespace: "{{ $.Release.Namespace }}"
+ {{- end }}
{{- if .Values.triggerer.enabled }}
- kind: ServiceAccount
name: {{ include "triggerer.serviceAccountName" . }}
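Review bot: `contains` is a substring test, so `(contains "LocalKubernetesExecutor" .Values.executor)` in the first condition is redundant next to `(contains "KubernetesExecutor" .Values.executor)`. For the same reason the second block's `contains "KubernetesExecutor"` also fires for `LocalKubernetesExecutor` and `CeleryKubernetesExecutor` without saying so. The `_airflow_2` tests in this commit expect the kubernetes subject for both hybrid executors, so a one-line template comment such as `{{- /* contains is a substring match: KubernetesExecutor also covers Local/CeleryKubernetesExecutor */ -}}` would make that explicit. Because this pair of conditions is pasted into three RBAC templates, moving it into a named helper would keep the three subject lists from drifting apart.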
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 45f95480cd7..7ec9d033e19 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -55,11 +55,16 @@ subjects:
name: {{ include "webserver.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"LocalKubernetesExecutor" .Values.executor) (contains "KubernetesExecutor"
.Values.executor) (contains "CeleryKubernetesExecutor" .Values.executor) }}
+ {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
name: {{ include "worker.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
+ {{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
+ - kind: ServiceAccount
+ name: {{ include "worker.kubernetes.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
{{- if .Values.scheduler.enabled }}
- kind: ServiceAccount
name: {{ include "scheduler.serviceAccountName" . }}
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
b/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
index ad25d275fc9..d5fdf818244 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
@@ -372,6 +372,232 @@ class TestJobLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor", ["KubernetesExecutor", "LocalExecutor",
"LocalExecutor,KubernetesExecutor"]
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def test_worker_role_binding_should_not_exists_with_kubernetes(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "LocalExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def
test_worker_role_binding_should_not_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor", "CeleryExecutor",
"KubernetesExecutor"])
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "LocalExecutor",
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists_airflow_2(
+ self, executor, service_account_values
+ ):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
def test_no_role_bindings(self):
docs = render_chart(
name="prod",
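Review bot: None of the added cases renders a truthy `workers.kubernetes.serviceAccount` together with an executor string that lacks `KubernetesExecutor`, so the `(contains "KubernetesExecutor" .Values.executor)` half of the new template condition is never exercised on its false side. `test_worker_kubernetes_role_binding_should_not_exists` only passes falsy `create`/`name` values. A negative case for `{"create": True}` or a set `name` under `LocalExecutor` and `CeleryExecutor`, sketched below, would pin that the dedicated account is not granted the role when no Kubernetes workers run. The same gap is in the matching blocks of test_pod_launcher_role.py and test_scc_rolebinding.py. `TestJobLauncher` starts and continues outside the hunk.

```python
    @pytest.mark.parametrize("executor", ["LocalExecutor", "CeleryExecutor"])
    @pytest.mark.parametrize(
        "service_account_values",
        [{"create": True}, {"name": "prod-airflow-worker-kubernetes"}],
    )
    def test_worker_kubernetes_role_binding_should_not_exists_without_kubernetes_executor(
        self, executor, service_account_values
    ):
        docs = render_chart(
            name="prod",
            namespace="airflow",
            values={
                "rbac": {"create": True},
                "allowJobLaunching": True,
                "executor": executor,
                "workers": {"kubernetes": {"serviceAccount": service_account_values}},
            },
            show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
        )

        # The dedicated account must not be a subject when no Kubernetes workers are configured.
        assert jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0]) == []
```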
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
b/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
index cb92ee0f8bd..5abc290c652 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
@@ -374,6 +374,232 @@ class TestPodLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor", ["KubernetesExecutor", "LocalExecutor",
"LocalExecutor,KubernetesExecutor"]
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def test_worker_role_binding_should_not_exists_with_kubernetes(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "LocalExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def
test_worker_role_binding_should_not_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor", "CeleryExecutor",
"KubernetesExecutor"])
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "LocalExecutor",
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists_airflow_2(
+ self, executor, service_account_values
+ ):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
@pytest.mark.parametrize(
"executor",
[
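Review bot: `test_worker_kubernetes_role_binding_should_exists` checks only that `prod-airflow-worker-kubernetes` is present, so for the `{"name": "prod-airflow-worker-kubernetes"}` row under `KubernetesExecutor` it does not pin whether the generic `prod-airflow-worker` subject is rendered next to it. Reading the template condition, that row leaves `create` unset and would appear to keep the generic binding as well, assuming the chart default for `create` is unset. Whichever outcome is intended, asserting it here turns the pod-launch grant into a tested decision, for example `assert jmespath.search("subjects[?name=='prod-airflow-worker']", docs[0]) == []` if the dedicated account should stand alone. The same applies to the job-launcher and SCC test files. `TestPodLauncher` extends beyond the hunk.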
diff --git a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
index 02301bb048a..e457faa35d5 100644
--- a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
@@ -338,6 +338,232 @@ class TestSCCActivation:
assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True, None])
+ def test_worker_role_binding_should_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor", ["KubernetesExecutor", "LocalExecutor",
"LocalExecutor,KubernetesExecutor"]
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def test_worker_role_binding_should_not_exists_with_kubernetes(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "LocalExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [False, True])
+ def
test_worker_role_binding_should_not_exists_with_kubernetes_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount": {"create":
create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "KubernetesExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker-kubernetes"},
+ {"create": False, "name": "prod-airflow-worker-kubernetes"},
+ ],
+ )
+ def test_worker_kubernetes_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker-kubernetes",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor", "CeleryExecutor",
"KubernetesExecutor"])
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "LocalExecutor",
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [{"create": False}, {"create": False, "name": None}, {"create": None,
"name": None}, {}],
+ )
+ def test_worker_kubernetes_role_binding_should_not_exists_airflow_2(
+ self, executor, service_account_values
+ ):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"kubernetes": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+
@pytest.mark.parametrize("executor", ["CeleryExecutor",
"LocalExecutor,CeleryExecutor"])
def test_flower_role_binding_should_exists(self, executor):
docs = render_chart(