This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 56061a6b233 Chart: configurable enableServiceLinks (#67447)
56061a6b233 is described below
commit 56061a6b233d8600ad406a0c00f3a66ad58011ec
Author: johanjk <[email protected]>
AuthorDate: Sun May 31 15:25:46 2026 +0200
Chart: configurable enableServiceLinks (#67447)
* [helm chart] configuration enableServiceLinks
* Added newsfragment
* change newsfragment to sigificant
* Change default to true
* fully backwards compatible (default unset)
* Add deprecation warning in notes
* Add servicelinks to pod-template
* Added testcase
* Removed un-rendered comment
---
chart/files/pod-template-file.kubernetes-helm-yaml | 1 +
chart/newsfragments/67447.significant.rst | 3 ++
chart/templates/NOTES.txt | 8 ++++
chart/templates/_helpers.yaml | 13 +++++-
.../api-server/api-server-deployment.yaml | 1 +
chart/templates/cleanup/cleanup-cronjob.yaml | 1 +
.../dag-processor/dag-processor-deployment.yaml | 1 +
.../database-cleanup/database-cleanup-cronjob.yaml | 1 +
chart/templates/flower/flower-deployment.yaml | 1 +
chart/templates/jobs/create-user-job.yaml | 1 +
chart/templates/jobs/migrate-database-job.yaml | 1 +
.../otel-collector/otel-collector-deployment.yaml | 1 +
.../templates/pgbouncer/pgbouncer-deployment.yaml | 1 +
chart/templates/redis/redis-statefulset.yaml | 1 +
.../templates/scheduler/scheduler-deployment.yaml | 1 +
chart/templates/statsd/statsd-deployment.yaml | 1 +
.../templates/triggerer/triggerer-deployment.yaml | 1 +
chart/templates/workers/worker-deployment.yaml | 1 +
.../helm_tests/airflow_aux/test_airflow_common.py | 52 ++++++++++++++++++++++
chart/values.schema.json | 9 ++++
chart/values.yaml | 2 +
21 files changed, 101 insertions(+), 1 deletion(-)
diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml
b/chart/files/pod-template-file.kubernetes-helm-yaml
index bbb764937d7..61314e2a4d3 100644
--- a/chart/files/pod-template-file.kubernetes-helm-yaml
+++ b/chart/files/pod-template-file.kubernetes-helm-yaml
@@ -229,6 +229,7 @@ spec:
{{- else }}
serviceAccountName: {{ include "worker.serviceAccountName" . }}
{{- end }}
+ {{- include "serviceLinks" . | nindent 2 }}
volumes:
{{- if .Values.dags.persistence.enabled }}
- name: dags
diff --git a/chart/newsfragments/67447.significant.rst
b/chart/newsfragments/67447.significant.rst
new file mode 100644
index 00000000000..459f1c38c9d
--- /dev/null
+++ b/chart/newsfragments/67447.significant.rst
@@ -0,0 +1,3 @@
+Added support for configuring ``enableServiceLinks``.
+
+Warning: The default will become ``false`` in ``Chart 2.0``. If you rely on
these environment variables, explicitly set ``enableServiceLinks: true``, or
migrate your code to use dns based service lookups.
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 2ba8c2401e6..bb8a5eb6faa 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -938,6 +938,14 @@ DEPRECATION WARNING:
{{- end }}
+{{- if (eq .Values.enableServiceLinks nil) }}
+
+ DEPRECATION WARNING:
+ The default for `enableServiceLinks` will become False in Chart 2.0.
+ If you relied on these environment variables, explicitly set
``enableServiceLinks: true``, or migrate your code to use dns based service
lookups.
+
+{{- end }}
+
{{- if not (or .Values.apiSecretKey .Values.apiSecretKeySecretName) }}
#####################################################
# WARNING: You should set a static API secret key #
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index f04e55b18d3..4c026e23935 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -1155,7 +1155,6 @@ Usage:
{{- toYaml $newValues -}}
{{- end -}}
-
{{/*
serviceAccountTokenVolume mount
@@ -1205,3 +1204,15 @@ Usage:
path: namespace
{{- end }}
{{- end -}}
+
+{{/*
+Set service links if not null.
+
+Usage:
+ {{ include "serviceLinks" . }}
+*/}}
+{{- define "serviceLinks" -}}
+{{- if not (eq .Values.enableServiceLinks nil) -}}
+enableServiceLinks: {{ .Values.enableServiceLinks }}
+{{- end }}
+{{- end -}}
diff --git a/chart/templates/api-server/api-server-deployment.yaml
b/chart/templates/api-server/api-server-deployment.yaml
index e8358c5f458..963332a79a1 100644
--- a/chart/templates/api-server/api-server-deployment.yaml
+++ b/chart/templates/api-server/api-server-deployment.yaml
@@ -106,6 +106,7 @@ spec:
hostAliases: {{- toYaml .Values.apiServer.hostAliases | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "apiServer.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
{{- if .Values.apiServer.priorityClassName }}
priorityClassName: {{ .Values.apiServer.priorityClassName }}
{{- end }}
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml
b/chart/templates/cleanup/cleanup-cronjob.yaml
index 9314e933c29..fe3d6a33b48 100644
--- a/chart/templates/cleanup/cleanup-cronjob.yaml
+++ b/chart/templates/cleanup/cleanup-cronjob.yaml
@@ -86,6 +86,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 12 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 12 }}
serviceAccountName: {{ include "cleanup.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 10 }}
imagePullSecrets: {{- include "image_pull_secrets" . | nindent 12 }}
securityContext: {{ $securityContext | nindent 12 }}
containers:
diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml
b/chart/templates/dag-processor/dag-processor-deployment.yaml
index 5cad98175c5..c19bed8a95a 100644
--- a/chart/templates/dag-processor/dag-processor-deployment.yaml
+++ b/chart/templates/dag-processor/dag-processor-deployment.yaml
@@ -110,6 +110,7 @@ spec:
terminationGracePeriodSeconds: {{
.Values.dagProcessor.terminationGracePeriodSeconds }}
restartPolicy: Always
serviceAccountName: {{ include "dagProcessor.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
securityContext: {{ $securityContext | nindent 8 }}
imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
initContainers:
diff --git a/chart/templates/database-cleanup/database-cleanup-cronjob.yaml
b/chart/templates/database-cleanup/database-cleanup-cronjob.yaml
index 2c1ab65073a..140e6f3c5f7 100644
--- a/chart/templates/database-cleanup/database-cleanup-cronjob.yaml
+++ b/chart/templates/database-cleanup/database-cleanup-cronjob.yaml
@@ -89,6 +89,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 12 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 12 }}
serviceAccountName: {{ include "databaseCleanup.serviceAccountName"
. }}
+ {{- include "serviceLinks" . | nindent 10 }}
imagePullSecrets: {{- include "image_pull_secrets" . | nindent 12 }}
securityContext: {{ $securityContext | nindent 12 }}
containers:
diff --git a/chart/templates/flower/flower-deployment.yaml
b/chart/templates/flower/flower-deployment.yaml
index 4ee4256dcbe..0563ae05c25 100644
--- a/chart/templates/flower/flower-deployment.yaml
+++ b/chart/templates/flower/flower-deployment.yaml
@@ -79,6 +79,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
serviceAccountName: {{ include "flower.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
{{- if .Values.flower.priorityClassName }}
priorityClassName: {{ .Values.flower.priorityClassName }}
{{- end }}
diff --git a/chart/templates/jobs/create-user-job.yaml
b/chart/templates/jobs/create-user-job.yaml
index e1c55ac383e..e670151708c 100644
--- a/chart/templates/jobs/create-user-job.yaml
+++ b/chart/templates/jobs/create-user-job.yaml
@@ -86,6 +86,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
serviceAccountName: {{ include "createUserJob.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
{{- if .Values.createUserJob.extraInitContainers }}
initContainers:
diff --git a/chart/templates/jobs/migrate-database-job.yaml
b/chart/templates/jobs/migrate-database-job.yaml
index 362d5f406b0..b18d3c9290e 100644
--- a/chart/templates/jobs/migrate-database-job.yaml
+++ b/chart/templates/jobs/migrate-database-job.yaml
@@ -86,6 +86,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
serviceAccountName: {{ include "migrateDatabaseJob.serviceAccountName" .
}}
+ {{- include "serviceLinks" . | nindent 6 }}
imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
{{- if .Values.migrateDatabaseJob.extraInitContainers }}
initContainers:
diff --git a/chart/templates/otel-collector/otel-collector-deployment.yaml
b/chart/templates/otel-collector/otel-collector-deployment.yaml
index 45cf3fddb68..0bea8a53109 100644
--- a/chart/templates/otel-collector/otel-collector-deployment.yaml
+++ b/chart/templates/otel-collector/otel-collector-deployment.yaml
@@ -73,6 +73,7 @@ spec:
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
terminationGracePeriodSeconds: {{
.Values.otelCollector.terminationGracePeriodSeconds }}
serviceAccountName: {{ include "otelCollector.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
{{- if .Values.otelCollector.priorityClassName }}
priorityClassName: {{ .Values.otelCollector.priorityClassName }}
{{- end }}
diff --git a/chart/templates/pgbouncer/pgbouncer-deployment.yaml
b/chart/templates/pgbouncer/pgbouncer-deployment.yaml
index 9d6550afbee..45c4a714877 100644
--- a/chart/templates/pgbouncer/pgbouncer-deployment.yaml
+++ b/chart/templates/pgbouncer/pgbouncer-deployment.yaml
@@ -88,6 +88,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
serviceAccountName: {{ include "pgbouncer.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
securityContext: {{ $securityContext | nindent 8 }}
restartPolicy: Always
imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
diff --git a/chart/templates/redis/redis-statefulset.yaml
b/chart/templates/redis/redis-statefulset.yaml
index 9ec27f6e9f1..e1d58416d48 100644
--- a/chart/templates/redis/redis-statefulset.yaml
+++ b/chart/templates/redis/redis-statefulset.yaml
@@ -83,6 +83,7 @@ spec:
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
terminationGracePeriodSeconds: {{
.Values.redis.terminationGracePeriodSeconds }}
serviceAccountName: {{ include "redis.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml
b/chart/templates/scheduler/scheduler-deployment.yaml
index 5f2846c3c7e..8a36460c52a 100644
--- a/chart/templates/scheduler/scheduler-deployment.yaml
+++ b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -133,6 +133,7 @@ spec:
restartPolicy: Always
terminationGracePeriodSeconds: {{
.Values.scheduler.terminationGracePeriodSeconds }}
serviceAccountName: {{ include "scheduler.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
{{- if and (eq (include "airflow.podLaunchingExecutor" .) "true") (not
.Values.scheduler.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: false
{{- end }}
diff --git a/chart/templates/statsd/statsd-deployment.yaml
b/chart/templates/statsd/statsd-deployment.yaml
index 0b21999453c..9963ccd4858 100644
--- a/chart/templates/statsd/statsd-deployment.yaml
+++ b/chart/templates/statsd/statsd-deployment.yaml
@@ -84,6 +84,7 @@ spec:
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
terminationGracePeriodSeconds: {{
.Values.statsd.terminationGracePeriodSeconds }}
serviceAccountName: {{ include "statsd.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
securityContext: {{ $securityContext | nindent 8 }}
restartPolicy: Always
imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
diff --git a/chart/templates/triggerer/triggerer-deployment.yaml
b/chart/templates/triggerer/triggerer-deployment.yaml
index dd7c081a058..adccf67f2cc 100644
--- a/chart/templates/triggerer/triggerer-deployment.yaml
+++ b/chart/templates/triggerer/triggerer-deployment.yaml
@@ -127,6 +127,7 @@ spec:
terminationGracePeriodSeconds: {{
.Values.triggerer.terminationGracePeriodSeconds }}
restartPolicy: Always
serviceAccountName: {{ include "triggerer.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
securityContext: {{ $securityContext | nindent 8 }}
imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
initContainers:
diff --git a/chart/templates/workers/worker-deployment.yaml
b/chart/templates/workers/worker-deployment.yaml
index 2e7e1163b9a..56caeddc981 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -157,6 +157,7 @@ spec:
terminationGracePeriodSeconds: {{
.Values.workers.terminationGracePeriodSeconds }}
restartPolicy: Always
serviceAccountName: {{ include "worker.serviceAccountName" . }}
+ {{- include "serviceLinks" . | nindent 6 }}
securityContext: {{ $securityContext | nindent 8 }}
imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
initContainers:
diff --git a/chart/tests/helm_tests/airflow_aux/test_airflow_common.py
b/chart/tests/helm_tests/airflow_aux/test_airflow_common.py
index 0ce1123c874..251d8642127 100644
--- a/chart/tests/helm_tests/airflow_aux/test_airflow_common.py
+++ b/chart/tests/helm_tests/airflow_aux/test_airflow_common.py
@@ -18,6 +18,7 @@ from __future__ import annotations
import jmespath
import pytest
+import yaml
from chart_utils.helm_template_generator import render_chart
@@ -523,3 +524,54 @@ class TestAirflowCommon:
else doc["spec"]["template"]["spec"]["imagePullSecrets"]
)
assert got_image_pull_secrets == expected_image_pull_secrets
+
+ @pytest.mark.parametrize(
+ "enable_service_links",
+ [None, True, False],
+ )
+ def test_service_links(
+ self,
+ enable_service_links,
+ ):
+ release_name = "test-basic"
+ docs = render_chart(
+ name=release_name,
+ values={
+ "enableServiceLinks": enable_service_links,
+ "executor": "CeleryExecutor,KubernetesExecutor",
+ },
+ show_only=[
+ "templates/flower/flower-deployment.yaml",
+ "templates/pgbouncer/pgbouncer-deployment.yaml",
+ "templates/scheduler/scheduler-deployment.yaml",
+ "templates/statsd/statsd-deployment.yaml",
+ "templates/triggerer/triggerer-deployment.yaml",
+ "templates/dag-processor/dag-processor-deployment.yaml",
+ "templates/workers/worker-deployment.yaml",
+ "templates/cleanup/cleanup-cronjob.yaml",
+ "templates/database-cleanup/database-cleanup-cronjob.yaml",
+ "templates/jobs/migrate-database-job.yaml",
+ "templates/jobs/create-user-job.yaml",
+ "templates/configmaps/configmap.yaml",
+ ],
+ )
+
+ def matcher(doc):
+ match doc["kind"]:
+ case "Pod":
+ return doc["spec"].get("enableServiceLinks")
+ case "CronJob":
+ return
doc["spec"]["jobTemplate"]["spec"]["template"]["spec"].get("enableServiceLinks")
+ case "Deployment" | "StatefulSet" | "Job":
+ return
doc["spec"]["template"]["spec"].get("enableServiceLinks")
+ case "ConfigMap":
+ pod_template_raw = doc["data"]["pod_template_file.yaml"]
+ k8s_objects = yaml.full_load_all(pod_template_raw)
+ v = [matcher(doc) for doc in k8s_objects]
+ assert len(v) == 1
+ return v[0]
+ case _:
+ raise ValueError(f"Unhandled document type {doc}")
+
+ for doc in docs:
+ assert matcher(doc) == enable_service_links
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 99a795fe8bf..4c0b8162d3a 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -226,6 +226,15 @@
"type": "string"
}
},
+ "enableServiceLinks": {
+ "description": "Enable Kubernetes service links. The default will
become false in Chart 2.0.",
+ "type": [
+ "boolean",
+ "null"
+ ],
+ "default": null,
+ "x-docsSection": "Kubernetes"
+ },
"imagePullSecrets": {
"description": "List of existing Kubernetes secrets containing
Base64 encoded credentials to connect to private registries (will get passed to
imagePullSecrets).",
"type": "array",
diff --git a/chart/values.yaml b/chart/values.yaml
index 9987fffddbf..0e1358fa48b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -136,6 +136,8 @@ schedulerName: ~
# Add common labels to all objects and pods defined in this chart.
labels: {}
+# Whenever service links should be added to each pod.
+enableServiceLinks: ~
# List of existing Kubernetes secrets containing Base64 encoded credentials to
connect to private
# registries. Items can be either strings or {name: secret} objects.
