jscheffl pushed a commit to branch chart/v1-2x-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/chart/v1-2x-test by this push:
new 0f58019aa93 Fix role bindings for workers.celery.serviceAccount
(#68306) (#68351)
0f58019aa93 is described below
commit 0f58019aa9344adb2274cc1e671a1fd6b9ee8ea5
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Wed Jun 10 22:42:06 2026 +0200
Fix role bindings for workers.celery.serviceAccount (#68306) (#68351)
* Unify context passed to serviceAccountName helpers
* Add missing test cases
* Fix role bindings for workers.celery SA
(cherry picked from commit eeb0c9d1b5ba92ea5d269590b404b15624670ff8)
---
chart/templates/rbac/job-launcher-rolebinding.yaml | 15 +-
chart/templates/rbac/pod-launcher-rolebinding.yaml | 15 +-
.../security-context-constraint-rolebinding.yaml | 5 +-
.../airflow_aux/test_job_launcher_role.py | 194 +++++++++++++++++++++
.../airflow_aux/test_pod_launcher_role.py | 165 ++++++++++++++++++
.../helm_tests/security/test_scc_rolebinding.py | 159 +++++++++++++++++
6 files changed, 537 insertions(+), 16 deletions(-)
diff --git a/chart/templates/rbac/job-launcher-rolebinding.yaml
b/chart/templates/rbac/job-launcher-rolebinding.yaml
index 86603aa47f6..477a779df0d 100644
--- a/chart/templates/rbac/job-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/job-launcher-rolebinding.yaml
@@ -57,17 +57,18 @@ roleRef:
subjects:
{{- if and .Values.scheduler.enabled (or (contains "LocalExecutor"
.Values.executor) (contains "KubernetesExecutor" .Values.executor) (contains
"LocalKubernetesExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor)) }}
- kind: ServiceAccount
- name: {{ include "scheduler.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "scheduler.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor)) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (or (contains "KubernetesExecutor"
.Values.executor) (contains "LocalKubernetesExecutor" .Values.executor)) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
- kind: ServiceAccount
- name: {{ include "worker.kubernetes.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "worker.kubernetes.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- end }}
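Review bot: The subject name `default (include "worker.serviceAccountName" .) .Values.workers.celery.serviceAccount.name` is applied whichever side of the enclosing `or` matched. With a Kubernetes-type executor and `workers.kubernetes.serviceAccount.create` unset, setting `workers.celery.serviceAccount.name` therefore redirects this binding to the Celery account. If Kubernetes-executor pods still run as the account that `worker.serviceAccountName` returns (the helper is not visible here, so this is an assumption to confirm), they would lose the role. Resolving the Celery name inside a named helper, or emitting one subject per branch, would keep the two cases apart. The same lines are added in pod-launcher-rolebinding.yaml and security-context-constraint-rolebinding.yaml, so a shared helper would also replace the three copies of the `$create` expression.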
diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml
b/chart/templates/rbac/pod-launcher-rolebinding.yaml
index 7979585673a..c77195941ab 100644
--- a/chart/templates/rbac/pod-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -57,18 +57,19 @@ roleRef:
subjects:
{{- if and .Values.scheduler.enabled (or (contains "LocalExecutor"
.Values.executor) (contains "KubernetesExecutor" .Values.executor) (contains
"LocalKubernetesExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor)) }}
- kind: ServiceAccount
- name: {{ include "scheduler.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "scheduler.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor)) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (or (contains "KubernetesExecutor"
.Values.executor) (contains "LocalKubernetesExecutor" .Values.executor)) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
- kind: ServiceAccount
- name: {{ include "worker.kubernetes.serviceAccountName" $ }}
- namespace: "{{ $.Release.Namespace }}"
+ name: {{ include "worker.kubernetes.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if .Values.triggerer.enabled }}
- kind: ServiceAccount
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 7ec9d033e19..8c7af83b8af 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -55,9 +55,10 @@ subjects:
name: {{ include "webserver.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
- {{- if or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor) (and (or (contains
"KubernetesExecutor" .Values.executor) (contains "LocalKubernetesExecutor"
.Values.executor)) (eq .Values.workers.kubernetes.serviceAccount.create nil)) }}
+ {{- $create := or .Values.workers.celery.serviceAccount.create (and (not
(has .Values.workers.celery.serviceAccount.create (list true false)))
.Values.workers.serviceAccount.create) }}
+ {{- if or (and (or (contains "CeleryExecutor" .Values.executor) (contains
"CeleryKubernetesExecutor" .Values.executor)) (or $create
.Values.workers.celery.serviceAccount.name
.Values.workers.serviceAccount.name)) (and (or (contains "KubernetesExecutor"
.Values.executor) (contains "LocalKubernetesExecutor" .Values.executor)) (eq
.Values.workers.kubernetes.serviceAccount.create nil)) }}
- kind: ServiceAccount
- name: {{ include "worker.serviceAccountName" . }}
+ name: {{ default (include "worker.serviceAccountName" .)
.Values.workers.celery.serviceAccount.name }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
{{- if and (or .Values.workers.kubernetes.serviceAccount.create
.Values.workers.kubernetes.serviceAccount.name) (contains "KubernetesExecutor"
.Values.executor) }}
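Review bot: This subject now comes from `workers.celery.serviceAccount.name` whenever that value is set, including when `create` is false, so the chart binds the role to a ServiceAccount it does not create itself. Judging by the `system:openshift:scc:anyuid` name asserted in test_scc_rolebinding.py, the role grants the anyuid SCC, which makes a mistyped or shared account name more costly here than in the launcher bindings. A template comment above the block would record that, for example `{{- /* Subject may be a pre-existing ServiceAccount named by workers.celery.serviceAccount.name; it receives this SCC role as-is. */ -}}`. The `if` that opens on the last lines of this hunk closes outside it.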
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
b/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
index d5fdf818244..1812bd150a7 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_job_launcher_role.py
@@ -304,6 +304,7 @@ class TestJobLauncher:
"CeleryExecutor",
"KubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists(self, executor):
@@ -328,6 +329,7 @@ class TestJobLauncher:
"LocalKubernetesExecutor",
"CeleryKubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists_airflow_2(self, executor):
@@ -598,6 +600,198 @@ class TestJobLauncher:
assert
jmespath.search("subjects[?name=='prod-airflow-worker-kubernetes']", docs[0])
== []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ def
test_worker_celery_role_binding_should_not_exists_with_celery_executor(self):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": "CeleryExecutor",
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects", docs[0]) is None
+
+ def
test_worker_celery_role_binding_should_not_exists_with_celery_executor_airflow_2(self):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": "CeleryExecutor",
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects", docs[0]) is None
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists_airflow_2(self,
executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowJobLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/job-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
def test_no_role_bindings(self):
docs = render_chart(
name="prod",
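Review bot: The `service_account_values` cases in `test_worker_celery_role_binding_should_exists` and its `_airflow_2` twin set `name` to `prod-airflow-worker`, which is also the name the other new tests expect when no `name` is given. The assertion would therefore still pass if the template ignored `workers.celery.serviceAccount.name` for the subject. A distinct, constructed value such as `{"create": False, "name": "custom-celery-sa"}`, queried with `subjects[?name=='custom-celery-sa']`, would pin the override and show that the role goes only to the named account. The same parametrization is repeated in test_pod_launcher_role.py and test_scc_rolebinding.py. There is also no case here for `workers.serviceAccount.name` on its own, which the new template condition treats as enough to emit the subject.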
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
b/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
index 5abc290c652..11e84c015b1 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_pod_launcher_role.py
@@ -306,6 +306,7 @@ class TestPodLauncher:
"CeleryExecutor",
"KubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists(self, executor):
@@ -330,6 +331,7 @@ class TestPodLauncher:
"LocalKubernetesExecutor",
"CeleryKubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists_airflow_2(self, executor):
@@ -708,6 +710,169 @@ class TestPodLauncher:
assert jmespath.search("subjects[?name=='prod-airflow-triggerer']",
docs[0]) == []
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists_airflow_2(self,
executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True},
+ "allowPodLaunching": True,
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+ show_only=["templates/rbac/pod-launcher-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
def test_no_role_bindings(self):
docs = render_chart(
name="prod",
diff --git a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
index e457faa35d5..23de4ae9865 100644
--- a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
@@ -221,6 +221,163 @@ class TestSCCActivation:
"name": "system:openshift:scc:anyuid",
}
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery(self, executor,
create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize("create", [True, None])
+ def test_worker_role_binding_should_exists_with_celery_airflow_2(self,
executor, create):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": create}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists(self, executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize("executor", ["LocalExecutor",
"LocalExecutor,CeleryExecutor"])
+ def test_worker_celery_role_binding_should_not_exists_airflow_2(self,
executor):
+ docs = render_chart(
+ name="prod",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount": {"create": False}}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker']",
docs[0]) == []
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists(self, executor,
service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
+ @pytest.mark.parametrize(
+ "executor",
+ [
+ "CeleryExecutor",
+ "CeleryExecutor,KubernetesExecutor",
+ "LocalExecutor,CeleryExecutor,KubernetesExecutor",
+ "LocalKubernetesExecutor",
+ "CeleryKubernetesExecutor",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "service_account_values",
+ [
+ {"create": True},
+ {"name": "prod-airflow-worker"},
+ {"create": False, "name": "prod-airflow-worker"},
+ ],
+ )
+ def test_worker_celery_role_binding_should_exists_airflow_2(self,
executor, service_account_values):
+ docs = render_chart(
+ name="prod",
+ namespace="airflow",
+ values={
+ "airflowVersion": "2.11.0",
+ "rbac": {"create": True, "createSCCRoleBinding": True},
+ "executor": executor,
+ "workers": {"celery": {"serviceAccount":
service_account_values}},
+ },
+
show_only=["templates/rbac/security-context-constraint-rolebinding.yaml"],
+ )
+
+ assert jmespath.search("subjects[?name=='prod-airflow-worker'] | [0]",
docs[0]) == {
+ "kind": "ServiceAccount",
+ "name": "prod-airflow-worker",
+ "namespace": "airflow",
+ }
+
def test_no_role_bindings(self):
docs = render_chart(
values={
@@ -272,6 +429,7 @@ class TestSCCActivation:
"CeleryExecutor",
"KubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists(self, executor):
@@ -296,6 +454,7 @@ class TestSCCActivation:
"LocalKubernetesExecutor",
"CeleryKubernetesExecutor",
"LocalExecutor,CeleryExecutor",
+ "LocalExecutor,KubernetesExecutor",
],
)
def test_worker_role_binding_should_exists_airflow_2(self, executor):