johanjk opened a new pull request, #67446:
URL: https://github.com/apache/airflow/pull/67446
# Chart support serviceAccountTokenVolume for cleanup job
When in an environment where policy dictates `automountServiceAccountToken: false`,
the cleanup job requires the same treatment as the scheduler, with a
`serviceAccountTokenVolume` block.
## Testing
Tested with
```bash
helm template chart | yq 'select(.metadata.name == "release-name-scheduler")'
helm template chart | yq 'select(.metadata.name == "release-name-cleanup")'
```
And `values.yaml`:
```yaml
executor: "CeleryExecutor,KubernetesExecutor"
cleanup:
  enabled: true
  serviceAccount:
    automountServiceAccountToken: false
  serviceAccountTokenVolume:
    enabled: true
scheduler:
  serviceAccount:
    automountServiceAccountToken: false
  serviceAccountTokenVolume:
    enabled: true
```
as well as default `values.yaml`.
## Current workaround
```yaml
postRenders:
  - kustomize:
      patches:
        - target:
            version: v1
            kind: CronJob
            name: .*cleanup.*
          patch: |
            - op: add
              path: /spec/jobTemplate/spec/template/spec/volumes/-
              value:
                name: sa-token
                projected:
                  sources:
                    - serviceAccountToken:
                        path: token
                        expirationSeconds: 3600
                    - configMap:
                        name: kube-root-ca.crt
                        items:
                          - key: ca.crt
                            path: ca.crt
                    - downwardAPI:
                        items:
                          - path: namespace
                            fieldRef:
                              fieldPath: metadata.namespace
            - op: add
              path: /spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/-
              value:
                name: sa-token
                mountPath: /var/run/secrets/kubernetes.io/serviceaccount
                readOnly: true
```
---
##### Was generative AI tooling used to co-author this PR?
- [ ] Yes (please specify the tool below)
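A check for the rendered output, as an added example that is not part of the PR or the chart: given a workload manifest parsed into a dict, it reports whether a projected volume supplies the `token`, `ca.crt` and `namespace` files and whether every container mounts it read-only at the standard path. The function names, the container name `cleanup` and the sample manifest are constructed for illustration.

```python
import copy

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
REQUIRED = {"token", "ca.crt", "namespace"}  # files an in-cluster client reads

def pod_spec(manifest):
    spec = manifest["spec"]
    job = spec["jobTemplate"]["spec"] if manifest["kind"] == "CronJob" else spec
    return job["template"]["spec"]

def projected_files(volume):
    # File names a projected volume creates; sources without `items` are not credited.
    files = set()
    for src in volume.get("projected", {}).get("sources", []):
        if "serviceAccountToken" in src:
            files.add(src["serviceAccountToken"].get("path"))
        for kind in ("configMap", "downwardAPI"):
            files.update(i.get("path") for i in src.get(kind, {}).get("items", []))
    return files

def token_volume_findings(manifest):
    # What is missing for API access when the token is not automounted.
    spec = pod_spec(manifest)
    good = {v["name"] for v in spec.get("volumes", []) if REQUIRED <= projected_files(v)}
    findings = [] if good else ["no projected volume provides token, ca.crt and namespace"]
    for c in spec.get("containers", []):
        mounts = [m for m in c.get("volumeMounts", []) if m.get("mountPath") == TOKEN_DIR]
        if not any(m["name"] in good for m in mounts):
            findings.append(f"{c['name']}: token volume not mounted at {TOKEN_DIR}")
        elif not all(m.get("readOnly") for m in mounts):
            findings.append(f"{c['name']}: token mount is not readOnly")
    return findings

# Constructed sample (not real chart output): a cleanup CronJob with no token volume.
UNPATCHED = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "volumes": [], "containers": [{"name": "cleanup", "volumeMounts": []}]}}}}}}

def apply_workaround(manifest):
    # The two `add` operations from the workaround patch, applied to a copy.
    patched = copy.deepcopy(manifest)
    spec = pod_spec(patched)
    spec["volumes"].append({"name": "sa-token", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600}},
        {"configMap": {"name": "kube-root-ca.crt", "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
        {"downwardAPI": {"items": [
            {"path": "namespace", "fieldRef": {"fieldPath": "metadata.namespace"}}]}}]}})
    spec["containers"][0]["volumeMounts"].append(
        {"name": "sa-token", "mountPath": TOKEN_DIR, "readOnly": True})
    return patched
```

`token_volume_findings(UNPATCHED)` returns two findings, and the same call on `apply_workaround(UNPATCHED)` returns an empty list.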