This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 4d9950827b60d0bfc78195832b855c453a33459c Author: Jarek Potiuk <[email protected]> AuthorDate: Sun Sep 27 23:39:14 2020 +0200 Adds Kubernetes Service Account for the webserver (#11131) Webserver did not have a Kubernetes Service Account defined and while we do not strictly need to use the service account for anything now, having the Service Account defined allows to define various capabilities for the webserver. For example when you are in the GCP environment, you can map the Kubernetes service account into a GCP one, using Workload Identity without the need to define any secrets and performing additional authentication. Then you can have that GCP service account get the permissions to write logs to GCS bucket. Similar mechanisms exist in AWS and it also opens up on-premises configuration. See more at https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity Co-authored-by: Jacob Ferriero <[email protected]> Co-authored-by: Jacob Ferriero <[email protected]> (cherry picked from commit 0ea3e611d38f0829b3a2a06a9ba7af6423b2921d) --- .../templates/webserver/webserver-deployment.yaml | 1 + .../webserver/webserver-serviceaccount.yaml | 32 ++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/chart/templates/webserver/webserver-deployment.yaml b/chart/templates/webserver/webserver-deployment.yaml index 9ea2bc1..f6f781f 100644 --- a/chart/templates/webserver/webserver-deployment.yaml +++ b/chart/templates/webserver/webserver-deployment.yaml @@ -59,6 +59,7 @@ spec: {{- toYaml .Values.airflowPodAnnotations | nindent 8 }} {{- end }} spec: + serviceAccountName: {{ .Release.Name }}-webserver nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} affinity: diff --git a/chart/templates/webserver/webserver-serviceaccount.yaml b/chart/templates/webserver/webserver-serviceaccount.yaml new file mode 100644 index 0000000..ea86713 --- /dev/null +++ b/chart/templates/webserver/webserver-serviceaccount.yaml @@ -0,0 +1,32 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +###################################### +## Airflow Webserver ServiceAccount +###################################### +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ .Release.Name }}-webserver + labels: + tier: airflow + release: {{ .Release.Name }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + heritage: {{ .Release.Service }} +{{- with .Values.labels }} +{{ toYaml . | indent 4 }} +{{- end }}
