(airflow) branch main updated: render cleanup RBAC only for KubernetesExecutor (#65539)

Mon, 20 Apr 2026 11:43:49 -0700 

This is an automated email from the ASF dual-hosted git repository.

jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new f99b7c07187 render cleanup RBAC only for KubernetesExecutor (#65539)
f99b7c07187 is described below

commit f99b7c07187e0abeb0292dca588a1bec41339688
Author: Henry Chen <[email protected]>
AuthorDate: Tue Apr 21 02:43:32 2026 +0800

    render cleanup RBAC only for KubernetesExecutor (#65539)
---
 chart/templates/rbac/pod-cleanup-role.yaml          |  2 +-
 chart/templates/rbac/pod-cleanup-rolebinding.yaml   |  2 +-
 .../helm_tests/airflow_aux/test_basic_helm_chart.py | 12 +++++++++++-
 helm-tests/tests/helm_tests/security/test_rbac.py   | 21 +++++++++++++++++++++
 4 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/chart/templates/rbac/pod-cleanup-role.yaml 
b/chart/templates/rbac/pod-cleanup-role.yaml
index af73df6f619..d6aff407c71 100644
--- a/chart/templates/rbac/pod-cleanup-role.yaml
+++ b/chart/templates/rbac/pod-cleanup-role.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Airflow Cleanup Role
 #################################
-{{- if and .Values.rbac.create .Values.cleanup.enabled }}
+{{- if and .Values.rbac.create .Values.cleanup.enabled (contains 
"KubernetesExecutor" .Values.executor) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/chart/templates/rbac/pod-cleanup-rolebinding.yaml 
b/chart/templates/rbac/pod-cleanup-rolebinding.yaml
index 8d927fb5b83..95de10ca85f 100644
--- a/chart/templates/rbac/pod-cleanup-rolebinding.yaml
+++ b/chart/templates/rbac/pod-cleanup-rolebinding.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Airflow Cleanup Role Binding
 #################################
-{{- if and .Values.rbac.create .Values.cleanup.enabled }}
+{{- if and .Values.rbac.create .Values.cleanup.enabled (contains 
"KubernetesExecutor" .Values.executor) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py 
b/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
index 046587cc14d..53bb115e167 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
@@ -483,6 +483,13 @@ class TestBaseChartTest:
                 (f"{release_name}-ingress", "Ingress", "airflow-ingress"),
             ]
 
+        cleanup_kubernetes_executor_only_objects = {
+            (f"{release_name}-airflow-cleanup", "ServiceAccount"),
+            (f"{release_name}-cleanup", "CronJob"),
+            (f"{release_name}-cleanup-role", "Role"),
+            (f"{release_name}-cleanup-rolebinding", "RoleBinding"),
+        }
+
         for k8s_object_name, kind, component in kind_names_tuples:
             expected_labels = {
                 "label1": "value1",
@@ -499,7 +506,10 @@ class TestBaseChartTest:
                 if executor == "CeleryExecutor,KubernetesExecutor":
                     expected_labels["executor"] = 
"CeleryExecutor-KubernetesExecutor"
 
-            if component and component == "airflow-cleanup-pods" and executor 
== "CeleryExecutor":
+            if (
+                executor == "CeleryExecutor"
+                and (k8s_object_name, kind) in 
cleanup_kubernetes_executor_only_objects
+            ):
                 assert (k8s_object_name, kind) not in 
kind_k8s_obj_labels_tuples
             else:
                 actual_labels = 
kind_k8s_obj_labels_tuples.pop((k8s_object_name, kind))
diff --git a/helm-tests/tests/helm_tests/security/test_rbac.py 
b/helm-tests/tests/helm_tests/security/test_rbac.py
index 451ccdec73e..1a19f8738dc 100644
--- a/helm-tests/tests/helm_tests/security/test_rbac.py
+++ b/helm-tests/tests/helm_tests/security/test_rbac.py
@@ -281,6 +281,27 @@ class TestRBAC:
         )
         assert sorted(list_of_kind_names_tuples) == 
sorted(real_list_of_kind_names)
 
+    @pytest.mark.parametrize("executor", ["CeleryExecutor", "LocalExecutor"])
+    def test_cleanup_resources_require_kubernetes_executor(self, executor):
+        k8s_objects = render_chart(
+            "test-rbac",
+            values={
+                "airflowVersion": "3.0.0",
+                "fullnameOverride": "test-rbac",
+                "executor": executor,
+                "rbac": {"create": True},
+                "cleanup": {"enabled": True},
+            },
+            show_only=[
+                "templates/rbac/pod-cleanup-role.yaml",
+                "templates/rbac/pod-cleanup-rolebinding.yaml",
+                "templates/cleanup/cleanup-cronjob.yaml",
+                "templates/cleanup/cleanup-serviceaccount.yaml",
+            ],
+        )
+
+        assert not k8s_objects
+
     def test_service_account_custom_names(self):
         k8s_objects = render_chart(
             "test-rbac",

Reply via email to