This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch chart/v1-2x-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/chart/v1-2x-test by this push:
     new 6b9c4c31e76 Chart: Fix Airflow 3 task log access with NetworkPolicies 
(#65754) (#67805)
6b9c4c31e76 is described below

commit 6b9c4c31e764fd4aa9e10ac8d01407c6c959a54b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun May 31 18:20:35 2026 +0200

    Chart: Fix Airflow 3 task log access with NetworkPolicies (#65754) (#67805)
    
    (cherry picked from commit 8b2ce0016b0f877044d535ecac9baa776ee53779)
    
    Co-authored-by: Henry Chen <[email protected]>
---
 chart/templates/scheduler/scheduler-networkpolicy.yaml  |  2 +-
 chart/templates/triggerer/triggerer-networkpolicy.yaml  |  2 +-
 chart/templates/workers/worker-networkpolicy.yaml       |  2 +-
 .../tests/helm_tests/airflow_core/test_scheduler.py     | 14 ++++++++++++++
 .../tests/helm_tests/airflow_core/test_triggerer.py     | 17 +++++++++++++++++
 helm-tests/tests/helm_tests/airflow_core/test_worker.py | 15 +++++++++++++++
 6 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/chart/templates/scheduler/scheduler-networkpolicy.yaml 
b/chart/templates/scheduler/scheduler-networkpolicy.yaml
index 37d0b3ed532..1828361a239 100644
--- a/chart/templates/scheduler/scheduler-networkpolicy.yaml
+++ b/chart/templates/scheduler/scheduler-networkpolicy.yaml
@@ -48,7 +48,7 @@ spec:
     - podSelector:
         matchLabels:
           tier: airflow
-          component: webserver
+          component: api-server
           release: {{ .Release.Name }}
     ports:
     - protocol: TCP
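Review bot: The ingress peer is now hard-coded to `component: api-server`, so a release that still runs a pod labelled `component: webserver` (the label this hunk removes) would be denied access to the scheduler log port once `networkPolicies.enabled` is true. Whether this chart branch still supports such deployments is not visible here; if it does, the label should follow the Airflow version, for example `component: {{ ternary "api-server" "webserver" (semverCompare ">=3.0.0" .Values.airflowVersion) }}`. The same applies to the triggerer and worker policy hunks that follow. The `spec` block starts and ends outside this hunk, so any surrounding version guard could not be checked.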
diff --git a/chart/templates/triggerer/triggerer-networkpolicy.yaml 
b/chart/templates/triggerer/triggerer-networkpolicy.yaml
index a5a729cbd96..ea3cda5b45c 100644
--- a/chart/templates/triggerer/triggerer-networkpolicy.yaml
+++ b/chart/templates/triggerer/triggerer-networkpolicy.yaml
@@ -48,7 +48,7 @@ spec:
         matchLabels:
           tier: airflow
           release: {{ .Release.Name }}
-          component: webserver
+          component: api-server
     ports:
     - protocol: TCP
       port: {{ .Values.ports.triggererLogs }}
diff --git a/chart/templates/workers/worker-networkpolicy.yaml 
b/chart/templates/workers/worker-networkpolicy.yaml
index 2fcb6662237..0e4206f10f0 100644
--- a/chart/templates/workers/worker-networkpolicy.yaml
+++ b/chart/templates/workers/worker-networkpolicy.yaml
@@ -64,7 +64,7 @@ spec:
         matchLabels:
           tier: airflow
           release: {{ .Release.Name }}
-          component: webserver
+          component: api-server
     ports:
     - protocol: TCP
       port: {{ .Values.ports.workerLogs }}
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py 
b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
index 907ce32ed08..ca3ed2fce8f 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
@@ -1065,6 +1065,20 @@ class TestSchedulerNetworkPolicy:
         assert "test_label" in jmespath.search("metadata.labels", docs[0])
         assert jmespath.search("metadata.labels", docs[0])["test_label"] == 
"test_label_value"
 
+    def test_should_allow_api_server_to_read_scheduler_logs(self):
+        docs = render_chart(
+            values={
+                "executor": "LocalExecutor",
+                "networkPolicies": {"enabled": True},
+            },
+            show_only=["templates/scheduler/scheduler-networkpolicy.yaml"],
+        )
+
+        assert (
+            
jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", 
docs[0])
+            == "api-server"
+        )
+
 
 class TestSchedulerLogGroomer(LogGroomerTestBase):
     """Scheduler log groomer."""
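Review bot: The assertion in `test_should_allow_api_server_to_read_scheduler_logs` pins only the `component` label of `from[0]`, so a later template edit that drops `tier` or `release` from the selector, or changes the allowed port, would widen ingress to the log endpoint without failing this test. Comparing the whole selector is tighter: `labels = jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels", docs[0])` and then assert that `labels` equals the full expected dict of `tier`, `component` and `release`. Asserting the rendered `spec.ingress[0].ports` as well would cover the other half of the rule. The triggerer and worker tests added in the next two test hunks have the same gap.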
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py 
b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
index 6a916da4d70..74cee65e0f0 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
@@ -788,6 +788,23 @@ class TestTriggererServiceAccount:
         assert jmespath.search("automountServiceAccountToken", docs[0]) is 
False
 
 
+class TestTriggererNetworkPolicy:
+    """Tests triggerer network policy."""
+
+    def test_should_allow_api_server_to_read_triggerer_logs(self):
+        docs = render_chart(
+            values={
+                "networkPolicies": {"enabled": True},
+            },
+            show_only=["templates/triggerer/triggerer-networkpolicy.yaml"],
+        )
+
+        assert (
+            
jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", 
docs[0])
+            == "api-server"
+        )
+
+
 class TestTriggererLogGroomer(LogGroomerTestBase):
     """Triggerer log groomer."""
 
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker.py 
b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
index 6de6517100a..145048d1016 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
@@ -2802,6 +2802,21 @@ class TestWorkerNetworkPolicy:
         assert labels["test_label"] == "test_label_value"
         assert "key" not in labels
 
+    @pytest.mark.parametrize("executor", ["CeleryExecutor", 
"CeleryExecutor,KubernetesExecutor"])
+    def test_should_allow_api_server_to_read_worker_logs(self, executor):
+        docs = render_chart(
+            values={
+                "networkPolicies": {"enabled": True},
+                "executor": executor,
+            },
+            show_only=["templates/workers/worker-networkpolicy.yaml"],
+        )
+
+        assert (
+            
jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", 
docs[0])
+            == "api-server"
+        )
+
 
 class TestWorkerService:
     """Tests worker service."""
