4 changes: 4 additions & 0 deletions chart/files/pod-template-file.kubernetes-helm-yaml
Expand Up @@ -236,7 +236,11 @@ spec:
terminationGracePeriodSeconds: {{ .Values.workers.kubernetes.terminationGracePeriodSeconds | default .Values.workers.terminationGracePeriodSeconds }}
tolerations: {{- toYaml $tolerations | nindent 4 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 4 }}
{{- if .Values.workers.kubernetes.serviceAccount.create }}
serviceAccountName: {{ include "worker.kubernetes.serviceAccountName" . }}
{{- else }}
serviceAccountName: {{ include "worker.serviceAccountName" . }}
{{- end }}
volumes:
{{- if .Values.dags.persistence.enabled }}
- name: dags
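Review bot: The guard on the new `serviceAccountName` branch tests only `.Values.workers.kubernetes.serviceAccount.create`, so a pre-existing account supplied through `workers.kubernetes.serviceAccount.name` with `create` false or unset is ignored and the pod falls back to `worker.serviceAccountName`. Executor pods would then run under a different identity than the one configured for them, which matters when the two accounts carry different RBAC or cloud-IAM bindings. Consider `{{- if or .Values.workers.kubernetes.serviceAccount.create .Values.workers.kubernetes.serviceAccount.name }}`; the `_serviceAccountNameGen` helper in `chart/templates/_helpers.yaml` already returns `.sa.name` when `create` is false. The pod spec starts and ends outside the hunk.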
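--- a/chart/newsfragments/64730.significant.rst
+++ b/chart/newsfragments/64730.significant.rst
@@ -0,0 +1 @@
+``workers.serviceAccount`` section is now deprecated in favor of ``workers.celery.serviceAccount`` and ``workers.kubernetes.serviceAccount``. Please update your configuration accordingly.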
32 changes: 32 additions & 0 deletions chart/templates/NOTES.txt
Expand Up @@ -413,6 +413,38 @@ DEPRECATION WARNING:

{{- end }}

{{- if not .Values.workers.serviceAccount.automountServiceAccountToken }}

DEPRECATION WARNING:
`workers.serviceAccount.automountServiceAccountToken` has been renamed to `workers.celery.serviceAccount.automountServiceAccountToken`/`workers.kubernetes.serviceAccount.automountServiceAccountToken`.
Please change your values as support for the old name will be dropped in a future release.

{{- end }}

{{- if not .Values.workers.serviceAccount.create }}

DEPRECATION WARNING:
`workers.serviceAccount.create` has been renamed to `workers.celery.serviceAccount.create`/`workers.kubernetes.serviceAccount.create`.
Please change your values as support for the old name will be dropped in a future release.

{{- end }}

{{- if not (empty .Values.workers.serviceAccount.name) }}

DEPRECATION WARNING:
`workers.serviceAccount.name` has been renamed to `workers.celery.serviceAccount.name`/`workers.kubernetes.serviceAccount.name`.
Please change your values as support for the old name will be dropped in a future release.

{{- end }}

{{- if not (empty .Values.workers.serviceAccount.annotations) }}

DEPRECATION WARNING:
`workers.serviceAccount.annotations` has been renamed to `workers.celery.serviceAccount.annotations`/`workers.kubernetes.serviceAccount.annotations`.
Please change your values as support for the old name will be dropped in a future release.

{{- end }}

{{- if .Values.workers.keda.enabled }}

DEPRECATION WARNING:
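Review bot: The `automountServiceAccountToken` warning describes a split as a rename, and a user who has the legacy key set to `false` can lose that hardening by following it for only one of the two new keys. On this page the Kubernetes ServiceAccount template falls back to the legacy value when its own key is unset, and the schema default for the legacy key is `true`, so moving `false` to `workers.celery.serviceAccount.automountServiceAccountToken` alone and deleting the old key would leave the token mounted for the `workers.kubernetes` account. I would word the message as `has been split into workers.celery.serviceAccount.automountServiceAccountToken (Celery workers) and workers.kubernetes.serviceAccount.automountServiceAccountToken (pod-template-file pods); set it in each section you use`, and apply the same wording to the `create`, `name` and `annotations` warnings. The rest of NOTES.txt lies outside the hunk.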
25 changes: 20 additions & 5 deletions chart/templates/_helpers.yaml
Expand Up @@ -641,13 +641,23 @@ server_tls_key_file = /etc/pgbouncer/server.key
{{- end }}
{{- end }}

{{/* Helper to generate service account name respecting .Values.$section.serviceAccount flags */}}
{{/* Helper for service account name generation */}}
{{- define "_serviceAccountNameGen" -}}
{{- if .sa.create }}
{{- default (printf "%s-%s" (include "airflow.serviceAccountName" .) (default .key .nameSuffix)) .sa.name | quote }}
{{- else }}
{{- default "default" .sa.name | quote }}
{{- end }}
{{- end }}

{{/* Helper to generate service account name respecting .Values.$section.serviceAccount or .Values.$section.$subSection.serviceAccount flags */}}
{{- define "_serviceAccountName" -}}
{{- $sa := get (get .Values .key) "serviceAccount" }}
{{- if $sa.create }}
{{- default (printf "%s-%s" (include "airflow.serviceAccountName" .) (default .key .nameSuffix )) $sa.name | quote }}
{{- if .subKey }}
{{- $sa := get (get (get .Values .key) .subKey) "serviceAccount" -}}
{{- include "_serviceAccountNameGen" (merge (dict "sa" $sa "key" .key "nameSuffix" .nameSuffix) .) }}
{{- else }}
{{- default "default" $sa.name | quote }}
{{- $sa := get (get .Values .key) "serviceAccount" }}
{{- include "_serviceAccountNameGen" (merge (dict "sa" $sa "key" .key "nameSuffix" .nameSuffix) .) }}
{{- end }}
{{- end }}

Expand Down Expand Up @@ -700,6 +710,11 @@ server_tls_key_file = /etc/pgbouncer/server.key
{{- end }}
{{- end }}

{{/* Create the name of the worker kubernetes service account to use */}}
{{- define "worker.kubernetes.serviceAccountName" -}}
{{- include "_serviceAccountName" (merge (dict "key" "workers" "subKey" "kubernetes" "nameSuffix" "worker-kubernetes") .) -}}
{{- end }}

{{/* Create the name of the triggerer service account to use */}}
{{- define "triggerer.serviceAccountName" -}}
{{- include "_serviceAccountName" (merge (dict "key" "triggerer") .) -}}
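Review bot: The comment on `worker.kubernetes.serviceAccountName` does not state its caller contract: with `workers.kubernetes.serviceAccount.create` unset and no `name`, `_serviceAccountNameGen` takes its `else` branch and yields `"default"`, not the legacy worker account. A template that includes this helper without the `if ...create` guard used in the pod template would therefore bind pods to the namespace's default ServiceAccount. Proposed comment: `{{/* Name of the dedicated ServiceAccount for pod-template-file pods. Include only when workers.kubernetes.serviceAccount.create is true; otherwise it resolves to the configured name or "default", never to workers.serviceAccount. */}}`. Separately, `.key` and `.nameSuffix` appear to be present in `.` already, so `(merge (dict "sa" $sa) .)` should be enough in both `include` calls of `_serviceAccountName`.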
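--- a/chart/templates/workers/worker-kubernetes-serviceaccount.yaml
+++ b/chart/templates/workers/worker-kubernetes-serviceaccount.yaml
@@ -0,0 +1,41 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+###########################################
+## Airflow Worker Kubernetes ServiceAccount
+###########################################
+{{- if and .Values.workers.kubernetes.serviceAccount.create (contains "KubernetesExecutor" .Values.executor) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ or .Values.workers.kubernetes.serviceAccount.automountServiceAccountToken (and (not (has .Values.workers.kubernetes.serviceAccount.automountServiceAccountToken (list true false))) .Values.workers.serviceAccount.automountServiceAccountToken) }}
+metadata:
+name: {{ include "worker.kubernetes.serviceAccountName" . }}
+labels:
+tier: airflow
+component: worker
+release: {{ .Release.Name }}
+chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+heritage: {{ .Release.Service }}
+{{- if or .Values.labels .Values.workers.labels }}
+{{- mustMerge .Values.workers.labels .Values.labels | toYaml | nindent 4 }}
+{{- end }}
+{{- with (.Values.workers.kubernetes.serviceAccount.annotations | default .Values.workers.serviceAccount.annotations) }}
+annotations: {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}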
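Review bot: The `annotations` fallback on the `with` line uses `default`, which treats an empty map as unset, so the dedicated account always inherits `workers.serviceAccount.annotations` unless it defines at least one annotation of its own. ServiceAccount annotations are a common place to attach cloud workload-identity bindings, so an operator who creates this account to separate its privileges from the Celery workers has no way to say "no annotations"; the `{}` schema default for `workers.kubernetes.serviceAccount.annotations` in `chart/values.schema.json` makes the two cases indistinguishable. Making that schema entry nullable with a `null` default and falling back only on null, e.g. `{{- $ann := .Values.workers.kubernetes.serviceAccount.annotations }}` followed by `{{- with (ternary .Values.workers.serviceAccount.annotations $ann (kindIs "invalid" $ann)) }}`, would keep the inheritance while allowing an explicit empty map. The `automountServiceAccountToken` expression has the same null-versus-set intent and would read more clearly with the same `kindIs "invalid"` test.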
86 changes: 81 additions & 5 deletions chart/values.schema.json
Expand Up @@ -1848,29 +1848,29 @@
}
},
"serviceAccount": {
"description": "Create ServiceAccount for Airflow Celery workers and pods created with pod-template-file.",
"description": "Create ServiceAccount for Airflow Celery workers and pods created with pod-template-file (deprecated, use ``workers.celery.serviceAccount`` and/or ``workers.kubernetes.serviceAccount`` instead).",
"type": "object",
"properties": {
"automountServiceAccountToken": {
"description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
"description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods (deprecated, use ``workers.celery.serviceAccount.automountServiceAccountToken`` and/or ``workers.kubernetes.serviceAccount.automountServiceAccountToken`` instead)",
"type": "boolean",
"default": true
},
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"description": "Specifies whether a ServiceAccount should be created (deprecated, use ``workers.celery.serviceAccount.create`` and/or ``workers.kubernetes.serviceAccount.create`` instead).",
"type": "boolean",
"default": true
},
"name": {
"description": "The name of the ServiceAccount to use. If not set and create is true, a name is generated using the release name.",
"description": "The name of the ServiceAccount to use (deprecated, use ``workers.celery.serviceAccount.name`` and/or ``workers.kubernetes.serviceAccount.name`` instead). If not set and create is true, a name is generated using the release name.",
"type": [
"string",
"null"
],
"default": null
},
"annotations": {
"description": "Annotations to add to the worker Kubernetes ServiceAccount.",
"description": "Annotations to add to the worker Kubernetes ServiceAccount (deprecated, use ``workers.celery.serviceAccount.annotations`` and/or ``workers.kubernetes.serviceAccount.annotations`` instead).",
"type": "object",
"default": {},
"additionalProperties": {
Expand Down Expand Up @@ -2921,6 +2921,44 @@
}
}
},
"serviceAccount": {
"description": "Create ServiceAccount for Airflow Celery workers.",
"type": "object",
"properties": {
"automountServiceAccountToken": {
"description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods.",
"type": [
"boolean",
"null"
],
"default": null
},
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": [
"boolean",
"null"
],
"default": null
},
"name": {
"description": "The name of the ServiceAccount to use. If not set and create is true, a name is generated using the release name.",
"type": [
"string",
"null"
],
"default": null
},
"annotations": {
"description": "Annotations to add to the worker Kubernetes ServiceAccount.",
"type": "object",
"default": {},
"additionalProperties": {
"type": "string"
}
}
}
},
"keda": {
"description": "KEDA configuration of Airflow Celery workers.",
"type": "object",
Expand Down Expand Up @@ -3534,6 +3572,44 @@
}
]
},
"serviceAccount": {
"description": "Create ServiceAccount for pods created with pod-template-file. When this section is specified, the Service Account is created from ``templates/workers/worker-kubernetes-serviceaccount.yaml`` file.",
"type": "object",
"properties": {
"automountServiceAccountToken": {
"description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods. If not specified, the ``workers.serviceAccount.automountServiceAccountToken`` value will be taken.",
"type": [
"boolean",
"null"
],
"default": null
},
"create": {
"description": "Specifies whether a ServiceAccount should be created. If not specified, the ServiceAccount will be generated and used from ``templates/workers/worker-serviceaccount.yaml`` file if ``workers.serviceAccount.create`` will be 'true'.",
"type": [
"boolean",
"null"
],
"default": null
},
"name": {
"description": "The name of the ServiceAccount to use. If not set and ``create`` is 'true', a name is generated using the release name with kubernetes dedicated name.",
"type": [
"string",
"null"
],
"default": null
},
"annotations": {
"description": "Annotations to add to the worker Kubernetes ServiceAccount. If not specified, the ``workers.serviceAccount.annotations`` value will be taken.",
"type": "object",
"default": {},
"additionalProperties": {
"type": "string"
}
}
}
},
"kerberosSidecar": {
"description": "Kerberos sidecar for pods created with pod-template-file.",
"type": "object",
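Review bot: The description of `workers.kubernetes.serviceAccount.create` implies that leaving it unset differs from setting it to false, but the pod template on this page switches on plain truthiness (`{{- if .Values.workers.kubernetes.serviceAccount.create }}`), so `null` and `false` both fall back to the `workers.serviceAccount` name. I would reword it to `Specifies whether a dedicated ServiceAccount should be created for pods created with pod-template-file. If false or not set, those pods use the ServiceAccount configured under ``workers.serviceAccount``.` In the block described as "for Airflow Celery workers", the `annotations` description still reads "worker Kubernetes ServiceAccount", which is easy to confuse with the new `workers.kubernetes` section; `Annotations to add to the Celery worker ServiceAccount.` would be clearer. The enclosing schema objects start and end outside these hunks.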