This is an automated email from the ASF dual-hosted git repository.
bugraoz93 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new eeb0c9d1b5b Fix role bindings for workers.celery.serviceAccount
(#68306)
eeb0c9d1b5b is described below
commit eeb0c9d1b5ba92ea5d269590b404b15624670ff8
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Wed Jun 10 18:50:52 2026 +0200
Fix role bindings for workers.celery.serviceAccount (#68306)
* Unify context passed to serviceAccountName helpers
* Add missing test cases
* Fix role bindings for workers.celery SA
---
chart/templates/rbac/job-launcher-rolebinding.yaml | 15 ++--
chart/templates/rbac/pod-launcher-rolebinding.yaml | 15 ++--
.../security-context-constraint-rolebinding.yaml | 5 +-
.../airflow_aux/test_job_launcher_role.py | 100 ++++++++++++++++++++-
.../airflow_aux/test_pod_launcher_role.py | 86 +++++++++++++++++-
.../helm_tests/security/test_scc_rolebinding.py | 83 ++++++++++++++++-
6 files changed, 285 insertions(+), 19 deletions(-)
diff --git a/chart/templates/rbac/job-launcher-rolebinding.yaml
b/chart/templates/rbac/job-launcher-rolebinding.yaml
index 6749b139866..acf595b235f 100644
--- a/chart/templates/rbac/job-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/job-launcher-rolebinding.yaml
@@ -57,17 +57,18 @@ roleRef:
subjects:
{{- if and .Values.scheduler.enabled (or (contains "LocalExecutor"
.Values.executor) (contains "KubernetesExecutor" .Values.executor)) }}
- kind: ServiceAccount
- name: {{ include "scheduler.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "scheduler.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (and (contains
"KubernetesExecutor" .Values.executor) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (contains "CeleryExecutor" .Values.executor) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (contains "KubernetesExecutor"
.Values.executor) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
- kind: ServiceAccount
- name: {{ include "worker.kubernetes.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "worker.kubernetes.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- end }}
diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml
b/chart/templates/rbac/pod-launcher-rolebinding.yaml
index f05f897f728..92443e7c2ad 100644
--- a/chart/templates/rbac/pod-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -57,18 +57,19 @@ roleRef:
subjects:
{{- if and .Values.scheduler.enabled (or (contains "LocalExecutor"
.Values.executor) (contains "KubernetesExecutor" .Values.executor)) }}
- kind: ServiceAccount
- name: {{ include "scheduler.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "scheduler.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (and (contains
"KubernetesExecutor" .Values.executor) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (contains "CeleryExecutor" .Values.executor) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (contains "KubernetesExecutor"
.Values.executor) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
- kind: ServiceAccount
- name: {{ include "worker.kubernetes.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "worker.kubernetes.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if .Values.triggerer.enabled }}
- kind: ServiceAccount
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index cccf2d9fa42..fe75fb15c36 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -50,9 +50,10 @@ roleRef:
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- {{- if or (contains "CeleryExecutor" .Values.executor) (and (contains
"KubernetesExecutor" .Values.executor) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (contains "CeleryExecutor" .Values.executor) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (contains "KubernetesExecutor"
.Values.executor) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" . }}
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
diff --git a/chart/tests/helm_tests/airflow_aux/test_job_launcher_role.py
b/chart/tests/helm_tests/airflow_aux/test_job_launcher_role.py
index 18bac0e3a9e..00ae4db313b 100644
--- a/chart/tests/helm_tests/airflow_aux/test_job_launcher_role.py
+++ b/chart/tests/helm_tests/airflow_aux/test_job_launcher_role.py
@@ -131,7 +131,13 @@ class TestJobLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-scheduler']",
docs[0]) == []
@pytest.mark.parametrize(
- "executor", ["CeleryExecutor", "KubernetesExecutor",
"LocalExecutor,CeleryExecutor"]
+ "executor",
+ [
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ ],
)
def test_worker_role_binding_should_exists(self, executor):
docs = render_chart(
@@ -257,6 +263,98 @@ class TestJobLauncher:
assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ def
test_worker_celery_role_binding_should_not_exists_with_celery_executor(self):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": "CeleryExecutor",
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects", docs[0]) is None
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
def test_no_role_bindings(self):
docs = render_chart(
name="prod",
diff --git a/chart/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
b/chart/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
index bf66464bd50..3dec8489b92 100644
--- a/chart/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
+++ b/chart/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
@@ -132,7 +132,13 @@ class TestPodLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-scheduler']",
docs[0]) == []
@pytest.mark.parametrize(
- "executor", ["CeleryExecutor", "KubernetesExecutor",
"LocalExecutor,CeleryExecutor"]
+ "executor",
+ [
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ ],
)
def test_worker_role_binding_should_exists(self, executor):
docs = render_chart(
@@ -299,6 +305,84 @@ class TestPodLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-triggerer']",
docs[0]) == []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["CeleryExecutor", "LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
def test_no_role_bindings(self):
docs = render_chart(
name="prod",
diff --git a/chart/tests/helm_tests/security/test_scc_rolebinding.py
b/chart/tests/helm_tests/security/test_scc_rolebinding.py
index a9b1719a2da..dbab7d2f7ee 100644
--- a/chart/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/chart/tests/helm_tests/security/test_scc_rolebinding.py
@@ -114,7 +114,13 @@ class TestSCCActivation:
assert jmespath.search("subjects", docs[0]) is None
@pytest.mark.parametrize(
- "executor", ["CeleryExecutor", "KubernetesExecutor",
"LocalExecutor,CeleryExecutor"]
+ "executor",
+ [
+ "CeleryExecutor",
+ "KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
+ ],
)
def test_worker_role_binding_should_exists(self, executor):
docs = render_chart(
@@ -236,6 +242,81 @@ class TestSCCActivation:
assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["CeleryExecutor", "LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
@pytest.mark.parametrize("executor", ["CeleryExecutor",
"LocalExecutor,CeleryExecutor"])
def test_flower_role_binding_should_exists(self, executor):
docs = render_chart(
