This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 2ac00bbc27d Chart: add serviceAccountTokenVolume to cleanup cron
(#67446)
2ac00bbc27d is described below
commit 2ac00bbc27d4ae34e27230db3bebed52567e8287
Author: johanjk <[email protected]>
AuthorDate: Wed May 27 21:56:27 2026 +0200
Chart: add serviceAccountTokenVolume to cleanup cron (#67446)
* [helm chart] add cleanup serviceAccountTokenVolume
* [helm chart] update doc for cleanup
---
chart/docs/production-guide.rst | 4 +-
chart/templates/_helpers.yaml | 51 ++++++++++++++++++++++
chart/templates/cleanup/cleanup-cronjob.yaml | 3 ++
.../templates/scheduler/scheduler-deployment.yaml | 30 +------------
chart/values.schema.json | 39 ++++++++++++++++-
chart/values.yaml | 19 ++++++++
6 files changed, 115 insertions(+), 31 deletions(-)
diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
index 3e5ffc51da6..2ce003aa77b 100644
--- a/chart/docs/production-guide.rst
+++ b/chart/docs/production-guide.rst
@@ -788,12 +788,12 @@ This container-specific approach ensures that:
Configuration Options
^^^^^^^^^^^^^^^^^^^^^
-The service account token volume configuration is available for the scheduler
component and includes the following options:
+The service account token volume configuration is available for the scheduler
and cleanup component and includes the following options:
.. code-block:: yaml
:caption: values.yaml
- scheduler:
+ (scheduler|cleanup):
serviceAccount:
automountServiceAccountToken: false
serviceAccountTokenVolume:
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index 709e9a22d1b..f04e55b18d3 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -1154,3 +1154,54 @@ Usage:
{{- end -}}
{{- toYaml $newValues -}}
{{- end -}}
+
+
+{{/*
+serviceAccountTokenVolume mount
+
+Usage:
+ {{ include "serviceAccountTokenVolumeMount" (list .
.Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolumeMount" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not
$sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ mountPath: {{ $sa.serviceAccountTokenVolume.mountPath }}
+ readOnly: true
+ {{- end }}
+{{- end -}}
+
+{{/*
+serviceAccountTokenVolume
+
+Usage:
+ {{ include "serviceAccountTokenVolume" (list .
.Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolume" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not
$sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ {{- if $sa.serviceAccountTokenVolume.audience }}
+ audience: {{ $sa.serviceAccountTokenVolume.audience }}
+ {{- end }}
+ expirationSeconds: {{ $sa.serviceAccountTokenVolume.expirationSeconds
}}
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
+ {{- end }}
+{{- end -}}
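Review bot: The two new named templates are defined without the chart's `airflow.` prefix (`define "serviceAccountTokenVolumeMount"` and `define "serviceAccountTokenVolume"`), while the helper they call on the same line is `airflow.podLaunchingExecutor`; named templates are global across a release, so unprefixed names can collide when this chart is used as a subchart. Renaming them to `airflow.serviceAccountTokenVolumeMount` / `airflow.serviceAccountTokenVolume` (and the four include sites in the cleanup and scheduler hunks) keeps the existing convention. Separately, `audience: {{ $sa.serviceAccountTokenVolume.audience }}` is rendered as a plain scalar, so an audience value that YAML retypes as a number or boolean is likely to be rejected by the API server for a string field; `audience: {{ $sa.serviceAccountTokenVolume.audience | quote }}` avoids that, and the same applies to `volumeName` and `mountPath`. The `{{/* ... */}}` headers only show the call shape; one more line stating that the templates emit nothing unless the executor is pod-launching, `automountServiceAccountToken` is false and `serviceAccountTokenVolume.enabled` is true would save callers reading the condition.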
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml
b/chart/templates/cleanup/cleanup-cronjob.yaml
index 70cb53862d1..9314e933c29 100644
--- a/chart/templates/cleanup/cleanup-cronjob.yaml
+++ b/chart/templates/cleanup/cleanup-cronjob.yaml
@@ -110,6 +110,7 @@ spec:
{{- if .Values.volumeMounts }}
{{- toYaml .Values.volumeMounts | nindent 16 }}
{{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list .
.Values.cleanup.serviceAccount) | nindent 16 }}
resources: {{- toYaml .Values.cleanup.resources | nindent 16 }}
volumes:
- name: config
@@ -118,4 +119,6 @@ spec:
{{- if .Values.volumes }}
{{- toYaml .Values.volumes | nindent 12 }}
{{- end }}
+ {{- include "serviceAccountTokenVolume" (list .
.Values.cleanup.serviceAccount) | nindent 12 }}
+
{{- end }}
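Review bot: The hunk adds an empty `+` line between the new `include "serviceAccountTokenVolume"` call and the closing `{{- end }}`; the `{{-` trim swallows it so rendered output is unaffected, but it is a stray blank line that the matching volumeMounts hunk above and the two scheduler hunks do not add. Dropping that line keeps the two include sites in this file symmetrical.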
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml
b/chart/templates/scheduler/scheduler-deployment.yaml
index 3ba9d89dae4..294975fab0a 100644
--- a/chart/templates/scheduler/scheduler-deployment.yaml
+++ b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -246,11 +246,7 @@ spec:
{{- if .Values.scheduler.extraVolumeMounts }}
{{- tpl (toYaml .Values.scheduler.extraVolumeMounts) . | nindent
12 }}
{{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true")
(not .Values.scheduler.serviceAccount.automountServiceAccountToken)
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- mountPath: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.mountPath }}
- readOnly: true
- {{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list .
.Values.scheduler.serviceAccount) | nindent 12 }}
{{- if and $localOrDagProcessorDisabled .Values.dags.gitSync.enabled }}
{{- include "git_sync_container" . | indent 8 }}
{{- end }}
@@ -334,29 +330,7 @@ spec:
{{- if .Values.scheduler.extraVolumes }}
{{- tpl (toYaml .Values.scheduler.extraVolumes) . | nindent 8 }}
{{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true") (not
.Values.scheduler.serviceAccount.automountServiceAccountToken)
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- {{- if
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- audience: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- {{- end }}
- expirationSeconds: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.expirationSeconds }}
- path: token
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
- {{- end }}
+ {{- include "serviceAccountTokenVolume" (list .
.Values.scheduler.serviceAccount) | nindent 8 }}
{{- if .Values.logs.persistence.enabled }}
- name: logs
persistentVolumeClaim:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 953b07e02c6..040b716d6ea 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -10300,10 +10300,47 @@
"additionalProperties": false,
"properties": {
"automountServiceAccountToken": {
- "description": "Specifies if ServiceAccount's API
credentials should be mounted onto Pods",
+ "description": "Specifies if ServiceAccount's API
credentials should be mounted onto Pods. When false, you can use
`serviceAccountTokenVolume` to manually configure service account token volume
for pod-launching executors.",
"type": "boolean",
"default": true
},
+ "serviceAccountTokenVolume": {
+ "description": "Configuration for manual service
account token volume. Only used when automountServiceAccountToken is false and
for pod-launching executors. (CeleryExecutor, KubernetesExecutor)",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable manual service
account token volume configuration.",
+ "type": "boolean",
+ "default": false
+ },
+ "mountPath": {
+ "description": "Path where the service
account token volume will be mounted.",
+ "type": "string",
+ "default":
"/var/run/secrets/kubernetes.io/serviceaccount"
+ },
+ "volumeName": {
+ "description": "Name of the service
account token volume.",
+ "type": "string",
+ "default": "kube-api-access"
+ },
+ "expirationSeconds": {
+ "description": "Token expiration time in
seconds.",
+ "type": "integer",
+ "minimum": 600,
+ "maximum": 7776000,
+ "default": 3600
+ },
+ "audience": {
+ "description": "Intended audience of the
token. Optional - defaults to the identifier of the Kubernetes API server.",
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": null
+ }
+ }
+ },
"create": {
"description": "Specifies whether a ServiceAccount
should be created.",
"type": "boolean",
diff --git a/chart/values.yaml b/chart/values.yaml
index 7698af004e5..ebb845fc948 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -3755,6 +3755,25 @@ cleanup:
# Annotations to add to cleanup CronJob Kubernetes Service Account.
annotations: {}
+ # Service Account Token Volume configuration
+ # This is only used when `automountServiceAccountToken` is 'false'
+ # and allows manual configuration of the Service Account token volume
+ serviceAccountTokenVolume:
+ # Enable manual Service Account token volume configuration
+ enabled: false
+
+ # Path where the Service Account token should be mounted
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+
+ # Name of the volume
+ volumeName: kube-api-access
+
+ # Token expiration in seconds
+ expirationSeconds: 3600
+
+ # Audience for the token
+ audience: ~
+
# When not set, the values defined in the global `securityContext` will be
used
# (deprecated, use `cleanup.securityContexts` instead)
securityContext: {}
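Review bot: The header comment on the new `serviceAccountTokenVolume` block says it is only used when `automountServiceAccountToken` is 'false', but the templates additionally gate on `airflow.podLaunchingExecutor`, so a user of a non-pod-launching executor who sets `enabled: true` gets no volume and no hint why; suggest a third comment line `# and only for pod-launching executors (see the airflow.podLaunchingExecutor helper)`. The `expirationSeconds` comment could carry the bounds the schema enforces, `# Token expiration in seconds (600 to 7776000); the kubelet rotates the projected token before expiry`. The `audience: ~` entry is a valid null that the schema accepts, but the comment would be clearer as `# Audience for the token; leave null to use the API server's default audience`, matching the schema description.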