Posted to commits@airflow.apache.org by vi...@apache.org on 2023/07/26 14:19:29 UTC
[airflow] branch main updated: Adding support for disabling token mounts using automountServiceAccountToken (#32808)
This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f17bc0f4bf Adding support for disabling token mounts using automountServiceAccountToken (#32808)
f17bc0f4bf is described below
commit f17bc0f4bf15504833f2c8fd72d947c2ddfa55ed
Author: Amogh Desai <am...@gmail.com>
AuthorDate: Wed Jul 26 19:49:20 2023 +0530
Adding support for disabling token mounts using automountServiceAccountToken (#32808)
---
.../templates/cleanup/cleanup-serviceaccount.yaml | 1 +
.../dag-processor-serviceaccount.yaml | 1 +
chart/templates/flower/flower-serviceaccount.yaml | 1 +
.../jobs/create-user-job-serviceaccount.yaml | 1 +
.../jobs/migrate-database-job-serviceaccount.yaml | 1 +
.../pgbouncer/pgbouncer-serviceaccount.yaml | 1 +
chart/templates/redis/redis-serviceaccount.yaml | 1 +
.../scheduler/scheduler-serviceaccount.yaml | 1 +
chart/templates/statsd/statsd-serviceaccount.yaml | 1 +
.../triggerer/triggerer-serviceaccount.yaml | 1 +
.../webserver/webserver-serviceaccount.yaml | 1 +
chart/templates/workers/worker-serviceaccount.yaml | 1 +
chart/values.schema.json | 60 ++++++++++++++++++++++
chart/values.yaml | 36 +++++++++++++
helm_tests/airflow_aux/test_cleanup_pods.py | 20 ++++++++
helm_tests/airflow_aux/test_create_user_job.py | 22 ++++++++
.../airflow_aux/test_migrate_database_job.py | 22 ++++++++
helm_tests/airflow_core/test_dag_processor.py | 24 +++++++++
helm_tests/airflow_core/test_scheduler.py | 22 ++++++++
helm_tests/airflow_core/test_triggerer.py | 22 ++++++++
helm_tests/airflow_core/test_worker.py | 22 ++++++++
helm_tests/other/test_flower.py | 26 ++++++++++
helm_tests/other/test_pgbouncer.py | 24 +++++++++
helm_tests/other/test_redis.py | 22 ++++++++
helm_tests/other/test_statsd.py | 22 ++++++++
helm_tests/webserver/test_webserver.py | 22 ++++++++
26 files changed, 378 insertions(+)
diff --git a/chart/templates/cleanup/cleanup-serviceaccount.yaml b/chart/templates/cleanup/cleanup-serviceaccount.yaml
index f243404e90..0bda299229 100644
--- a/chart/templates/cleanup/cleanup-serviceaccount.yaml
+++ b/chart/templates/cleanup/cleanup-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.cleanup.serviceAccount.create .Values.cleanup.enabled }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.cleanup.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "cleanup.serviceAccountName" . }}
labels:
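Review bot: The new `automountServiceAccountToken` line sits inside the `{{- if and .Values.cleanup.serviceAccount.create .Values.cleanup.enabled }}` guard, so it is only rendered when the chart creates the ServiceAccount. With `serviceAccount.create: false`, a user's `automountServiceAccountToken: false` is dropped without any warning and the pods keep whatever the pre-existing account specifies. The same applies to the other eleven `*-serviceaccount.yaml` hunks in this commit. Kubernetes lets a pod-level `automountServiceAccountToken` take precedence over the ServiceAccount, so consider also setting the field in the pod specs of the corresponding workloads, or at least state the limitation next to the key in `values.yaml`. The manifest continues past the end of the hunk.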
diff --git a/chart/templates/dag-processor/dag-processor-serviceaccount.yaml b/chart/templates/dag-processor/dag-processor-serviceaccount.yaml
index 6be9bb6d1e..5d386e4af6 100644
--- a/chart/templates/dag-processor/dag-processor-serviceaccount.yaml
+++ b/chart/templates/dag-processor/dag-processor-serviceaccount.yaml
@@ -24,6 +24,7 @@
{{- if and .Values.dagProcessor.serviceAccount.create .Values.dagProcessor.enabled }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.dagProcessor.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "dagProcessor.serviceAccountName" . }}
labels:
diff --git a/chart/templates/flower/flower-serviceaccount.yaml b/chart/templates/flower/flower-serviceaccount.yaml
index cc8e925808..efe621c625 100644
--- a/chart/templates/flower/flower-serviceaccount.yaml
+++ b/chart/templates/flower/flower-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.flower.enabled (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) .Values.flower.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.flower.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "flower.serviceAccountName" . }}
labels:
diff --git a/chart/templates/jobs/create-user-job-serviceaccount.yaml b/chart/templates/jobs/create-user-job-serviceaccount.yaml
index bbe1a381a5..8e6f4a641b 100644
--- a/chart/templates/jobs/create-user-job-serviceaccount.yaml
+++ b/chart/templates/jobs/create-user-job-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.createUserJob.serviceAccount.create .Values.webserver.defaultUser.enabled }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.createUserJob.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "createUserJob.serviceAccountName" . }}
labels:
diff --git a/chart/templates/jobs/migrate-database-job-serviceaccount.yaml b/chart/templates/jobs/migrate-database-job-serviceaccount.yaml
index 45afe4f468..52a07e5b03 100644
--- a/chart/templates/jobs/migrate-database-job-serviceaccount.yaml
+++ b/chart/templates/jobs/migrate-database-job-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if .Values.migrateDatabaseJob.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.migrateDatabaseJob.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "migrateDatabaseJob.serviceAccountName" . }}
labels:
diff --git a/chart/templates/pgbouncer/pgbouncer-serviceaccount.yaml b/chart/templates/pgbouncer/pgbouncer-serviceaccount.yaml
index 01e5fcca38..c0994f7700 100644
--- a/chart/templates/pgbouncer/pgbouncer-serviceaccount.yaml
+++ b/chart/templates/pgbouncer/pgbouncer-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.pgbouncer.serviceAccount.create .Values.pgbouncer.enabled }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.pgbouncer.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "pgbouncer.serviceAccountName" . }}
labels:
diff --git a/chart/templates/redis/redis-serviceaccount.yaml b/chart/templates/redis/redis-serviceaccount.yaml
index 468f460df3..42921f3f30 100644
--- a/chart/templates/redis/redis-serviceaccount.yaml
+++ b/chart/templates/redis/redis-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.redis.enabled .Values.redis.serviceAccount.create (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "redis.serviceAccountName" . }}
labels:
diff --git a/chart/templates/scheduler/scheduler-serviceaccount.yaml b/chart/templates/scheduler/scheduler-serviceaccount.yaml
index ac2d187235..1a359ab182 100644
--- a/chart/templates/scheduler/scheduler-serviceaccount.yaml
+++ b/chart/templates/scheduler/scheduler-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if .Values.scheduler.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.scheduler.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "scheduler.serviceAccountName" . }}
labels:
diff --git a/chart/templates/statsd/statsd-serviceaccount.yaml b/chart/templates/statsd/statsd-serviceaccount.yaml
index ea052a1419..838cbdd857 100644
--- a/chart/templates/statsd/statsd-serviceaccount.yaml
+++ b/chart/templates/statsd/statsd-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.statsd.enabled .Values.statsd.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.statsd.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "statsd.serviceAccountName" . }}
labels:
diff --git a/chart/templates/triggerer/triggerer-serviceaccount.yaml b/chart/templates/triggerer/triggerer-serviceaccount.yaml
index a1ff32fe30..566d2b3b5f 100644
--- a/chart/templates/triggerer/triggerer-serviceaccount.yaml
+++ b/chart/templates/triggerer/triggerer-serviceaccount.yaml
@@ -24,6 +24,7 @@
{{- if and .Values.triggerer.serviceAccount.create .Values.triggerer.enabled }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.triggerer.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "triggerer.serviceAccountName" . }}
labels:
diff --git a/chart/templates/webserver/webserver-serviceaccount.yaml b/chart/templates/webserver/webserver-serviceaccount.yaml
index 719ec78d16..853e376a5d 100644
--- a/chart/templates/webserver/webserver-serviceaccount.yaml
+++ b/chart/templates/webserver/webserver-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if .Values.webserver.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.webserver.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "webserver.serviceAccountName" . }}
labels:
diff --git a/chart/templates/workers/worker-serviceaccount.yaml b/chart/templates/workers/worker-serviceaccount.yaml
index 1000400510..87dbb97284 100644
--- a/chart/templates/workers/worker-serviceaccount.yaml
+++ b/chart/templates/workers/worker-serviceaccount.yaml
@@ -23,6 +23,7 @@
{{- if and .Values.workers.serviceAccount.create (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") (eq .Values.executor "KubernetesExecutor") (eq .Values.executor "LocalKubernetesExecutor")) }}
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.workers.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "worker.serviceAccountName" . }}
labels:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index ce116a2ea7..d182ad3ecc 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1388,6 +1388,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -2015,6 +2020,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -2444,6 +2454,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -2873,6 +2888,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -3221,6 +3241,11 @@
"type": "object",
"additionalProperties": false,
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -3467,6 +3492,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -3784,6 +3814,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -4514,6 +4549,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -4765,6 +4805,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -5249,6 +5294,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -5548,6 +5598,11 @@
"description": "Create ServiceAccount.",
"type": "object",
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
@@ -5950,6 +6005,11 @@
"type": "object",
"additionalProperties": false,
"properties": {
+ "automountServiceAccountToken": {
+ "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+ "type": "boolean",
+ "default": true
+ },
"create": {
"description": "Specifies whether a ServiceAccount should be created.",
"type": "boolean",
diff --git a/chart/values.yaml b/chart/values.yaml
index 9569ec2d82..8fc8053f96 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -515,6 +515,9 @@ workers:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
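Review bot: The comment `# default value is true` only restates the line below it and does not say what the key controls or when it is honoured. Something like `# Specifies whether the ServiceAccount's API token is auto-mounted into pods that use it; only applied when create is true` would tell an operator what they are switching off. It is also worth a line that components which call the Kubernetes API (presumably the scheduler and workers under KubernetesExecutor, and the cleanup job) would lose that access with `false` unless a token is supplied another way. The same comment is repeated in the other eleven `serviceAccount` hunks of this file.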
@@ -750,6 +753,9 @@ scheduler:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -905,6 +911,9 @@ createUserJob:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -985,6 +994,9 @@ migrateDatabaseJob:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1066,6 +1078,9 @@ webserver:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1259,6 +1274,9 @@ triggerer:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1412,6 +1430,9 @@ dagProcessor:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1563,6 +1584,9 @@ flower:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1645,6 +1669,9 @@ statsd:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
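Review bot: Defaulting `automountServiceAccountToken` to `true` for statsd keeps an API token mounted in a pod that presumably never calls the Kubernetes API; the same goes for the pgbouncer and redis hunks that follow. If nothing in those pods reads the token, `automountServiceAccountToken: false` would be the least-privilege default for them, with `true` kept for the components that need API access. The matching `"default": true` entries in `values.schema.json` would have to change with it. Since this alters behaviour for existing installs, it needs confirming against each component and a line in the chart's release notes.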
@@ -1723,6 +1750,9 @@ pgbouncer:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -1867,6 +1897,9 @@ redis:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
@@ -2010,6 +2043,9 @@ cleanup:
# Create ServiceAccount
serviceAccount:
+ # default value is true
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ automountServiceAccountToken: true
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
diff --git a/helm_tests/airflow_aux/test_cleanup_pods.py b/helm_tests/airflow_aux/test_cleanup_pods.py
index 013662e5f9..33e475d59f 100644
--- a/helm_tests/airflow_aux/test_cleanup_pods.py
+++ b/helm_tests/airflow_aux/test_cleanup_pods.py
@@ -361,3 +361,23 @@ class TestCleanupServiceAccount:
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "cleanup": {
+ "enabled": True,
+ },
+ },
+ show_only=["templates/cleanup/cleanup-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "cleanup": {"enabled": True, "serviceAccount": {"automountServiceAccountToken": False}},
+ },
+ show_only=["templates/cleanup/cleanup-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
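Review bot: `test_overriden_automount_service_account_token` misspells "overridden", and the name is copied into all twelve test files touched by this commit; rename it to `test_overridden_automount_service_account_token`. The two tests differ only in the value passed and the expected result, so a single parametrized test would halve the added code. Both index `docs[0]` directly, so a template that renders nothing fails with an IndexError rather than a readable assertion; an `assert len(docs) == 1` before the lookup would fix that. The enclosing class `TestCleanupServiceAccount` starts outside the hunk.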
diff --git a/helm_tests/airflow_aux/test_create_user_job.py b/helm_tests/airflow_aux/test_create_user_job.py
index 76c32f4e19..3ed0cf04af 100644
--- a/helm_tests/airflow_aux/test_create_user_job.py
+++ b/helm_tests/airflow_aux/test_create_user_job.py
@@ -396,3 +396,25 @@ class TestCreateUserJobServiceAccount:
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "createUserJob": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/jobs/create-user-job-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "createUserJob": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/jobs/create-user-job-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
diff --git a/helm_tests/airflow_aux/test_migrate_database_job.py b/helm_tests/airflow_aux/test_migrate_database_job.py
index 359c035b9e..3f1730f200 100644
--- a/helm_tests/airflow_aux/test_migrate_database_job.py
+++ b/helm_tests/airflow_aux/test_migrate_database_job.py
@@ -25,6 +25,28 @@ from tests.charts.helm_template_generator import render_chart
class TestMigrateDatabaseJob:
"""Tests migrate DB job."""
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "migrateDatabaseJob": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/jobs/migrate-database-job-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "migrateDatabaseJob": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/jobs/migrate-database-job-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
def test_should_run_by_default(self):
docs = render_chart(show_only=["templates/jobs/migrate-database-job.yaml"])
assert "Job" == docs[0]["kind"]
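Review bot: The two new tests are inserted at the top of `TestMigrateDatabaseJob`, ahead of `test_should_run_by_default`, although they render `migrate-database-job-serviceaccount.yaml` rather than the job itself. In the files where a `Test*ServiceAccount` class is visible in the hunk header (cleanup, create-user job, scheduler, triggerer, worker, flower, webserver) the tests were appended to that class. If this file has an equivalent class they belong there; otherwise appending them after the job tests keeps the class's primary tests first. The same placement occurs in the hunks for `test_dag_processor.py`, `test_pgbouncer.py`, `test_redis.py` and `test_statsd.py`. The class body continues outside the hunk.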
diff --git a/helm_tests/airflow_core/test_dag_processor.py b/helm_tests/airflow_core/test_dag_processor.py
index c1c1363474..544bbf1546 100644
--- a/helm_tests/airflow_core/test_dag_processor.py
+++ b/helm_tests/airflow_core/test_dag_processor.py
@@ -26,6 +26,30 @@ from tests.charts.log_groomer import LogGroomerTestBase
class TestDagProcessor:
"""Tests DAG processor."""
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "dagProcessor": {
+ "enabled": True,
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/dag-processor/dag-processor-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "dagProcessor": {
+ "enabled": True,
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/dag-processor/dag-processor-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
@pytest.mark.parametrize(
"airflow_version, num_docs",
[
diff --git a/helm_tests/airflow_core/test_scheduler.py b/helm_tests/airflow_core/test_scheduler.py
index 698ba4f6eb..57ab3bbe5b 100644
--- a/helm_tests/airflow_core/test_scheduler.py
+++ b/helm_tests/airflow_core/test_scheduler.py
@@ -803,3 +803,25 @@ class TestSchedulerServiceAccount:
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "scheduler": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/scheduler/scheduler-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "scheduler": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/scheduler/scheduler-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
diff --git a/helm_tests/airflow_core/test_triggerer.py b/helm_tests/airflow_core/test_triggerer.py
index 22a8ad7f52..64f1a3419b 100644
--- a/helm_tests/airflow_core/test_triggerer.py
+++ b/helm_tests/airflow_core/test_triggerer.py
@@ -591,6 +591,28 @@ class TestTriggererServiceAccount:
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "triggerer": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/triggerer/triggerer-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "triggerer": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/triggerer/triggerer-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
class TestTriggererLogGroomer(LogGroomerTestBase):
"""Triggerer log groomer."""
diff --git a/helm_tests/airflow_core/test_worker.py b/helm_tests/airflow_core/test_worker.py
index 22d5be1822..81432ee7ac 100644
--- a/helm_tests/airflow_core/test_worker.py
+++ b/helm_tests/airflow_core/test_worker.py
@@ -802,3 +802,25 @@ class TestWorkerServiceAccount:
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
else:
assert docs == []
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "workers": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/workers/worker-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "workers": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/workers/worker-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
diff --git a/helm_tests/other/test_flower.py b/helm_tests/other/test_flower.py
index 337399439e..e195d146e7 100644
--- a/helm_tests/other/test_flower.py
+++ b/helm_tests/other/test_flower.py
@@ -577,3 +577,29 @@ class TestFlowerServiceAccount:
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "flower": {
+ "enabled": True,
+ "serviceAccount": {
+ "create": True,
+ },
+ }
+ },
+ show_only=["templates/flower/flower-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "flower": {
+ "enabled": True,
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ }
+ },
+ show_only=["templates/flower/flower-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
diff --git a/helm_tests/other/test_pgbouncer.py b/helm_tests/other/test_pgbouncer.py
index 7846476cc0..1189a2894e 100644
--- a/helm_tests/other/test_pgbouncer.py
+++ b/helm_tests/other/test_pgbouncer.py
@@ -27,6 +27,30 @@ from tests.charts.helm_template_generator import render_chart
class TestPgbouncer:
"""Tests PgBouncer."""
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "pgbouncer": {
+ "enabled": True,
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/pgbouncer/pgbouncer-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "pgbouncer": {
+ "enabled": True,
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/pgbouncer/pgbouncer-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
@pytest.mark.parametrize("yaml_filename", ["pgbouncer-deployment", "pgbouncer-service"])
def test_pgbouncer_resources_not_created_by_default(self, yaml_filename):
docs = render_chart(
diff --git a/helm_tests/other/test_redis.py b/helm_tests/other/test_redis.py
index 4236d82965..ee812ca0ed 100644
--- a/helm_tests/other/test_redis.py
+++ b/helm_tests/other/test_redis.py
@@ -42,6 +42,28 @@ CELERY_EXECUTORS_PARAMS = ["CeleryExecutor", "CeleryKubernetesExecutor"]
class TestRedis:
"""Tests redis."""
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "redis": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/redis/redis-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "redis": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/redis/redis-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
@staticmethod
def get_broker_url_in_broker_url_secret(k8s_obj_by_key):
broker_url_in_obj = b64decode(
diff --git a/helm_tests/other/test_statsd.py b/helm_tests/other/test_statsd.py
index 8c048e2141..d26b664514 100644
--- a/helm_tests/other/test_statsd.py
+++ b/helm_tests/other/test_statsd.py
@@ -26,6 +26,28 @@ from tests.charts.helm_template_generator import render_chart
class TestStatsd:
"""Tests statsd."""
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "statsd": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/statsd/statsd-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "statsd": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/statsd/statsd-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
def test_should_create_statsd_default(self):
docs = render_chart(show_only=["templates/statsd/statsd-deployment.yaml"])
diff --git a/helm_tests/webserver/test_webserver.py b/helm_tests/webserver/test_webserver.py
index 4d6c1181b8..d76cdb2eaa 100644
--- a/helm_tests/webserver/test_webserver.py
+++ b/helm_tests/webserver/test_webserver.py
@@ -1014,3 +1014,25 @@ class TestWebserverServiceAccount:
)
assert "test_label" in jmespath.search("metadata.labels", docs[0])
assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+
+ def test_default_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "webserver": {
+ "serviceAccount": {"create": True},
+ },
+ },
+ show_only=["templates/webserver/webserver-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+
+ def test_overriden_automount_service_account_token(self):
+ docs = render_chart(
+ values={
+ "webserver": {
+ "serviceAccount": {"create": True, "automountServiceAccountToken": False},
+ },
+ },
+ show_only=["templates/webserver/webserver-serviceaccount.yaml"],
+ )
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False