bobu-putheeckal opened a new pull request, #67436: URL: https://github.com/apache/airflow/pull/67436
Fixes #67261. ## What changed This updates Celery worker RBAC subjects to resolve the worker service account name using `workers.celery.serviceAccount` with the same fallback behavior as the Celery worker templates. The pod-launcher, job-launcher, and SCC role bindings now reference the custom Celery worker service account when users set `workers.celery.serviceAccount.name`. For hybrid Celery/Kubernetes executor deployments, the templates also keep the fallback Kubernetes worker service account subject when it differs from the Celery worker service account and no dedicated `workers.kubernetes.serviceAccount` is configured. ## Tests - `uv run pytest tests/helm_tests/airflow_aux/test_pod_launcher_role.py tests/helm_tests/airflow_aux/test_job_launcher_role.py tests/helm_tests/security/test_scc_rolebinding.py` - `helm lint chart` - `helm template test chart --show-only templates/rbac/pod-launcher-rolebinding.yaml --set allowPodLaunching=true --set executor=CeleryExecutor --set workers.celery.serviceAccount.name=worker` - `helm template test chart --show-only templates/rbac/job-launcher-rolebinding.yaml --set allowJobLaunching=true --set executor=CeleryExecutor --set workers.celery.serviceAccount.name=worker` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
