This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch chart/v1-2x-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/chart/v1-2x-test by this push:
new cd9c07dd632 [chart/v1-2x-test] Chart: add serviceAccountTokenVolume to
cleanup cron (#67446) (#67617)
cd9c07dd632 is described below
commit cd9c07dd63205845360bab27b3e88235c6291cbf
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed May 27 22:07:19 2026 +0200
[chart/v1-2x-test] Chart: add serviceAccountTokenVolume to cleanup cron
(#67446) (#67617)
* [helm chart] add cleanup serviceAccountTokenVolume
* [helm chart] update doc for cleanup
(cherry picked from commit 2ac00bbc27d4ae34e27230db3bebed52567e8287)
Co-authored-by: johanjk <[email protected]>
---
chart/docs/production-guide.rst | 4 +-
chart/templates/_helpers.yaml | 51 ++++++++++++++++++++++
chart/templates/cleanup/cleanup-cronjob.yaml | 3 ++
.../templates/scheduler/scheduler-deployment.yaml | 30 +------------
chart/values.schema.json | 39 ++++++++++++++++-
chart/values.yaml | 19 ++++++++
6 files changed, 115 insertions(+), 31 deletions(-)
diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
index 4fc83b33b9a..d163c604c7d 100644
--- a/chart/docs/production-guide.rst
+++ b/chart/docs/production-guide.rst
@@ -795,12 +795,12 @@ This container-specific approach ensures that:
Configuration Options
^^^^^^^^^^^^^^^^^^^^^
-The service account token volume configuration is available for the scheduler
component and includes the following options:
+The service account token volume configuration is available for the scheduler
and cleanup component and includes the following options:
.. code-block:: yaml
:caption: values.yaml
- scheduler:
+ (scheduler|cleanup):
serviceAccount:
automountServiceAccountToken: false
serviceAccountTokenVolume:
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index ad4df84b44a..22ec9f5955b 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -1198,3 +1198,54 @@ Usage:
{{- end -}}
{{- toYaml $newValues -}}
{{- end -}}
+
+
+{{/*
+serviceAccountTokenVolume mount
+
+Usage:
+ {{ include "serviceAccountTokenVolumeMount" (list .
.Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolumeMount" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not
$sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ mountPath: {{ $sa.serviceAccountTokenVolume.mountPath }}
+ readOnly: true
+ {{- end }}
+{{- end -}}
+
+{{/*
+serviceAccountTokenVolume
+
+Usage:
+ {{ include "serviceAccountTokenVolume" (list .
.Values.scheduler.serviceAccount) }}
+*/}}
+{{- define "serviceAccountTokenVolume" -}}
+ {{- $root := index . 0 -}}
+ {{- $sa := index . 1 -}}
+ {{- if and (eq (include "airflow.podLaunchingExecutor" $root ) "true") (not
$sa.automountServiceAccountToken) $sa.serviceAccountTokenVolume.enabled }}
+- name: {{ $sa.serviceAccountTokenVolume.volumeName }}
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ {{- if $sa.serviceAccountTokenVolume.audience }}
+ audience: {{ $sa.serviceAccountTokenVolume.audience }}
+ {{- end }}
+ expirationSeconds: {{ $sa.serviceAccountTokenVolume.expirationSeconds
}}
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
+ {{- end }}
+{{- end -}}
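Review bot: The scalars the new helper emits are unquoted — `audience: {{ $sa.serviceAccountTokenVolume.audience }}`, and likewise `name:` and `mountPath:` in both helpers — so a value that YAML retypes (digits only, `yes`/`on`, or one containing `: `) renders as a non-string and the projected volume is rejected by the API server instead of carrying the intended audience. Render them with `| quote`, e.g. `audience: {{ $sa.serviceAccountTokenVolume.audience | quote }}` and `- name: {{ $sa.serviceAccountTokenVolume.volumeName | quote }}`; the schema's `"type": ["string","null"]` only constrains the values file, not the rendered manifest. The pattern is carried over unchanged from the scheduler template this hunk replaces, so the fix belongs in the shared helper. It would also help to document in the helper header that the volume is only rendered when `airflow.podLaunchingExecutor` is true AND `automountServiceAccountToken` is false AND `serviceAccountTokenVolume.enabled` is true, since callers cannot see the triple gate from the include line.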
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml
b/chart/templates/cleanup/cleanup-cronjob.yaml
index 70cb53862d1..9314e933c29 100644
--- a/chart/templates/cleanup/cleanup-cronjob.yaml
+++ b/chart/templates/cleanup/cleanup-cronjob.yaml
@@ -110,6 +110,7 @@ spec:
{{- if .Values.volumeMounts }}
{{- toYaml .Values.volumeMounts | nindent 16 }}
{{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list .
.Values.cleanup.serviceAccount) | nindent 16 }}
resources: {{- toYaml .Values.cleanup.resources | nindent 16 }}
volumes:
- name: config
@@ -118,4 +119,6 @@ spec:
{{- if .Values.volumes }}
{{- toYaml .Values.volumes | nindent 12 }}
{{- end }}
+ {{- include "serviceAccountTokenVolume" (list .
.Values.cleanup.serviceAccount) | nindent 12 }}
+
{{- end }}
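Review bot: The manual token volume is only rendered when `.Values.cleanup.serviceAccount.automountServiceAccountToken` is false, but nothing in this hunk shows the CronJob's pod spec actually setting `automountServiceAccountToken: {{ .Values.cleanup.serviceAccount.automountServiceAccountToken }}`; if that line is missing from the pod template (it is outside the hunk), the kubelet still injects its own `kube-api-access-*` projected token and the hand-built volume adds a second credential rather than replacing one. Please confirm the pod spec carries that field, or add it next to `serviceAccountName`. A comment on the include, such as `{{- /* manual SA token volume; only rendered for pod-launching executors with automount disabled */ -}}`, would make the dependency visible to the next reader. The enclosing CronJob spec starts well before this hunk.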
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml
b/chart/templates/scheduler/scheduler-deployment.yaml
index e4209624433..22ef7b9aeda 100644
--- a/chart/templates/scheduler/scheduler-deployment.yaml
+++ b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -256,11 +256,7 @@ spec:
{{- if .Values.scheduler.extraVolumeMounts }}
{{- tpl (toYaml .Values.scheduler.extraVolumeMounts) . | nindent
12 }}
{{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true")
(not .Values.scheduler.serviceAccount.automountServiceAccountToken)
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- mountPath: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.mountPath }}
- readOnly: true
- {{- end }}
+ {{- include "serviceAccountTokenVolumeMount" (list .
.Values.scheduler.serviceAccount) | nindent 12 }}
{{- if and $localOrDagProcessorDisabled .Values.dags.gitSync.enabled }}
{{- include "git_sync_container" . | indent 8 }}
{{- end }}
@@ -352,29 +348,7 @@ spec:
{{- if .Values.scheduler.extraVolumes }}
{{- tpl (toYaml .Values.scheduler.extraVolumes) . | nindent 8 }}
{{- end }}
- {{- if and (eq (include "airflow.podLaunchingExecutor" .) "true") (not
.Values.scheduler.serviceAccount.automountServiceAccountToken)
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.enabled }}
- - name: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.volumeName }}
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- {{- if
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- audience: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.audience }}
- {{- end }}
- expirationSeconds: {{
.Values.scheduler.serviceAccount.serviceAccountTokenVolume.expirationSeconds }}
- path: token
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
- {{- end }}
+ {{- include "serviceAccountTokenVolume" (list .
.Values.scheduler.serviceAccount) | nindent 8 }}
{{- if .Values.logs.persistence.enabled }}
- name: logs
persistentVolumeClaim:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 3ad6a95aa3f..7f7590188c5 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -11168,10 +11168,47 @@
"additionalProperties": false,
"properties": {
"automountServiceAccountToken": {
- "description": "Specifies if ServiceAccount's API
credentials should be mounted onto Pods",
+ "description": "Specifies if ServiceAccount's API
credentials should be mounted onto Pods. When false, you can use
`serviceAccountTokenVolume` to manually configure service account token volume
for pod-launching executors.",
"type": "boolean",
"default": true
},
+ "serviceAccountTokenVolume": {
+ "description": "Configuration for manual service
account token volume. Only used when automountServiceAccountToken is false and
for pod-launching executors. (CeleryExecutor, KubernetesExecutor)",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "description": "Enable manual service
account token volume configuration.",
+ "type": "boolean",
+ "default": false
+ },
+ "mountPath": {
+ "description": "Path where the service
account token volume will be mounted.",
+ "type": "string",
+ "default":
"/var/run/secrets/kubernetes.io/serviceaccount"
+ },
+ "volumeName": {
+ "description": "Name of the service
account token volume.",
+ "type": "string",
+ "default": "kube-api-access"
+ },
+ "expirationSeconds": {
+ "description": "Token expiration time in
seconds.",
+ "type": "integer",
+ "minimum": 600,
+ "maximum": 7776000,
+ "default": 3600
+ },
+ "audience": {
+ "description": "Intended audience of the
token. Optional - defaults to the identifier of the Kubernetes API server.",
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": null
+ }
+ }
+ },
"create": {
"description": "Specifies whether a ServiceAccount
should be created.",
"type": "boolean",
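Review bot: The `serviceAccountTokenVolume` description lists `CeleryExecutor` as a pod-launching executor, but CeleryExecutor on its own does not launch pods; presumably `CeleryKubernetesExecutor` (alongside `KubernetesExecutor` and `LocalKubernetesExecutor`) was meant — confirm against what `airflow.podLaunchingExecutor` actually returns true for and list those names. The `automountServiceAccountToken` description could also warn that setting it to false without enabling `serviceAccountTokenVolume` leaves the pod with no API credentials at all, which for a cleanup job that lists and deletes pods means every run fails: `"... When false and serviceAccountTokenVolume.enabled is also false, the pod has no Kubernetes API credentials."` Worth noting in the `expirationSeconds` description that the 600 minimum mirrors the API server's own lower bound for bound tokens, so users understand why smaller values are rejected.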
diff --git a/chart/values.yaml b/chart/values.yaml
index c5e2446c206..bc2015b2c13 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -4070,6 +4070,25 @@ cleanup:
# Annotations to add to cleanup CronJob Kubernetes Service Account.
annotations: {}
+ # Service Account Token Volume configuration
+ # This is only used when `automountServiceAccountToken` is 'false'
+ # and allows manual configuration of the Service Account token volume
+ serviceAccountTokenVolume:
+ # Enable manual Service Account token volume configuration
+ enabled: false
+
+ # Path where the Service Account token should be mounted
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+
+ # Name of the volume
+ volumeName: kube-api-access
+
+ # Token expiration in seconds
+ expirationSeconds: 3600
+
+ # Audience for the token
+ audience: ~
+
# When not set, the values defined in the global `securityContext` will be
used
# (deprecated, use `cleanup.securityContexts` instead)
securityContext: {}
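Review bot: The comment `# This is only used when \`automountServiceAccountToken\` is 'false'` describes only one of the gates the template applies; the helper additionally requires a pod-launching executor, so with CeleryExecutor or LocalExecutor these values are silently ignored even when `enabled: true`. Suggest `# This is only used when \`automountServiceAccountToken\` is 'false' and the executor launches pods (see airflow.podLaunchingExecutor).` Also consider noting on `audience: ~` that leaving it unset omits the field so the API server's default audience is used, and on `expirationSeconds` that the kubelet rotates the projected token before expiry, so short lifetimes do not require restarts — hedged as "presumably" unless the chart docs state it. The `cleanup` block continues beyond this hunk.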