Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove scheduler automate serviceaccount token #44173

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Remove scheduler automate serviceaccount token #44173

wants to merge 4 commits into from

Conversation

romsharon98
Copy link
Contributor

closes: #43464

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

@boring-cyborg boring-cyborg bot added the area:helm-chart Airflow Helm Chart label Nov 19, 2024
@eladkal eladkal requested a review from amoghrajesh November 19, 2024 09:07
@eladkal eladkal added this to the Airflow Helm Chart 1.16.0 milestone Nov 19, 2024
@potiuk
Copy link
Member

potiuk commented Nov 19, 2024

Hmm. I wonder.. Looking at #43464 - yes, when you have K8S executor, you will not be able to work without serviceAutomount set to true. But is it generally true for LocalExecutor and CeleryExecutor for example?

I believe should work without automount for those executors?

@jedcunningham
Copy link
Member

@potiuk you'd still need it for LocalExecutor and KubernetesPodOperator too.

But yes, with CeleryExecutor it should be fine. Or if you don't care about LE+KPO. Not sure removing completely is the right call.

@potiuk
Copy link
Member

potiuk commented Nov 19, 2024

@potiuk you'd still need it for LocalExecutor and KubernetesPodOperator too.

But yes, with CeleryExecutor it should be fine. Or if you don't care about LE+KPO. Not sure removing completely is the right call.

Yeah. For me it looks like maybe we should detect it when we need it and it is not set and provide a better diagnostics.

@romsharon98
Copy link
Contributor Author

didn't fully understand what are the cases that we will need it.

amoghrajesh
amoghrajesh reviewed Nov 20, 2024
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @jedcunningham and @potiuk comments.
Summarising the cases I think we should cover

chart/templates/scheduler/scheduler-serviceaccount.yaml Show resolved Hide resolved
chart/templates/scheduler/scheduler-serviceaccount.yaml
@@ -23,7 +23,6 @@
{{- if and .Values.scheduler.enabled .Values.scheduler.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.scheduler.serviceAccount.automountServiceAccountToken }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the possible cases:

  1. We can set it to true for cases when it is not CeleryExecutor
  2. For other cases it has to be true or the key can be removed entirely.

Two possible approaches. Either control addition or removal of key based on the executor, otherwise allow to override only for CeleryExecutor

amoghrajesh
amoghrajesh approved these changes Dec 16, 2024
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Sorry for the delay @romsharon98
One small nit.

chart/templates/scheduler/scheduler-serviceaccount.yaml Show resolved Hide resolved
helm_tests/airflow_core/test_scheduler.py Outdated Show resolved Hide resolved
@romsharon98 romsharon98 force-pushed the remove-scheduler-automate-serviceaccount-token branch from 0ea1f3f to e423f77 Compare December 16, 2024 17:23
@eladkal eladkal force-pushed the remove-scheduler-automate-serviceaccount-token branch from 0558838 to 7018a19 Compare January 3, 2025 02:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladkal eladkal eladkal approved these changes

@amoghrajesh amoghrajesh amoghrajesh approved these changes

@dstandish dstandish Awaiting requested review from dstandish dstandish is a code owner

@jedcunningham jedcunningham Awaiting requested review from jedcunningham jedcunningham is a code owner

@hussein-awala hussein-awala Awaiting requested review from hussein-awala hussein-awala is a code owner

Assignees
No one assigned
Labels
area:helm-chart Airflow Helm Chart
Projects
None yet
Milestone
Airflow Helm Chart 1.16.0
Development

Successfully merging this pull request may close these issues.

Scheduler has no Kubernetes API access when disabling API token automounting
5 participants
@romsharon98 @potiuk @jedcunningham @amoghrajesh @eladkal