(airflow) branch main updated: Remove scheduler automate serviceaccount token (#44173)

[rom]

This is an automated email from the ASF dual-hosted git repository.

rom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 9ba279d15f2 Remove scheduler automate serviceaccount token (#44173)
9ba279d15f2 is described below

commit 9ba279d15f26088400b15281b3cc346e2d7a0e30
Author: rom sharon <33751805+romsharo...@users.noreply.github.com>
AuthorDate: Mon Jan 6 15:12:47 2025 +0200

    Remove scheduler automate serviceaccount token (#44173)
    
    * remove scheduler automate serviceaccount token
    
    * concider automount service account only if executor is CeleryExecutor
    
    * change comment
    
    * fix typo
---
 .../scheduler/scheduler-serviceaccount.yaml        |  2 ++
 chart/values.yaml                                  |  2 +-
 helm_tests/airflow_core/test_scheduler.py          | 37 +++++++++++++++++++---
 3 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/chart/templates/scheduler/scheduler-serviceaccount.yaml 
b/chart/templates/scheduler/scheduler-serviceaccount.yaml
index 310f1684967..0f4f8cfaa67 100644
--- a/chart/templates/scheduler/scheduler-serviceaccount.yaml
+++ b/chart/templates/scheduler/scheduler-serviceaccount.yaml
@@ -23,7 +23,9 @@
 {{- if and .Values.scheduler.enabled .Values.scheduler.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
+{{- if eq .Values.executor "CeleryExecutor" }}
 automountServiceAccountToken: {{ 
.Values.scheduler.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 metadata:
   name: {{ include "scheduler.serviceAccountName" . }}
   labels:
diff --git a/chart/values.yaml b/chart/values.yaml
index 2e27b7a4686..c0764fb54a0 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -934,7 +934,7 @@ scheduler:
 
   # Create ServiceAccount
   serviceAccount:
-    # default value is true
+    # only affect CeleryExecutor, default value is true
     # ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
     automountServiceAccountToken: true
     # Specifies whether a ServiceAccount should be created
diff --git a/helm_tests/airflow_core/test_scheduler.py 
b/helm_tests/airflow_core/test_scheduler.py
index 0bef3e7e132..7b3eae3fdad 100644
--- a/helm_tests/airflow_core/test_scheduler.py
+++ b/helm_tests/airflow_core/test_scheduler.py
@@ -988,27 +988,54 @@ class TestSchedulerServiceAccount:
         assert "test_label" in jmespath.search("metadata.labels", docs[0])
         assert jmespath.search("metadata.labels", docs[0])["test_label"] == 
"test_label_value"
 
-    def test_default_automount_service_account_token(self):
+    @pytest.mark.parametrize(
+        "executor, default_automount_service_account",
+        [
+            ("LocalExecutor", None),
+            ("CeleryExecutor", True),
+            ("CeleryKubernetesExecutor", None),
+            ("KubernetesExecutor", None),
+            ("LocalKubernetesExecutor", None),
+        ],
+    )
+    def test_default_automount_service_account_token(self, executor, 
default_automount_service_account):
         docs = render_chart(
             values={
                 "scheduler": {
                     "serviceAccount": {"create": True},
                 },
+                "executor": executor,
             },
             show_only=["templates/scheduler/scheduler-serviceaccount.yaml"],
         )
-        assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+        assert jmespath.search("automountServiceAccountToken", docs[0]) is 
default_automount_service_account
 
-    def test_overridden_automount_service_account_token(self):
+    @pytest.mark.parametrize(
+        "executor, automount_service_account, 
should_automount_service_account",
+        [
+            ("LocalExecutor", True, None),
+            ("CeleryExecutor", False, False),
+            ("CeleryKubernetesExecutor", False, None),
+            ("KubernetesExecutor", False, None),
+            ("LocalKubernetesExecutor", False, None),
+        ],
+    )
+    def test_overridden_automount_service_account_token(
+        self, executor, automount_service_account, 
should_automount_service_account
+    ):
         docs = render_chart(
             values={
                 "scheduler": {
-                    "serviceAccount": {"create": True, 
"automountServiceAccountToken": False},
+                    "serviceAccount": {
+                        "create": True,
+                        "automountServiceAccountToken": 
automount_service_account,
+                    },
                 },
+                "executor": executor,
             },
             show_only=["templates/scheduler/scheduler-serviceaccount.yaml"],
         )
-        assert jmespath.search("automountServiceAccountToken", docs[0]) is 
False
+        assert jmespath.search("automountServiceAccountToken", docs[0]) is 
should_automount_service_account
 
 
 class TestSchedulerCreation: