Add capability of adding service account annotations to Helm Chart (a…

…pache#11387)

We can now add annotations to the service accounts in a generic
way. This allows for example to add Workflow Identitty in GKE
environment but it is not limited to it.

Co-authored-by: Kamil Breguła <[email protected]>

Co-authored-by: Jacob Ferriero <[email protected]>
Co-authored-by: Kamil Breguła <[email protected]>

chart/README.md

@@ -210,7 +210,9 @@ The following tables lists the configurable parameters of the Airflow chart and
 | `webserver.defaultUser`                               | Optional default airflow user information                                                                    | `{}`                                              |
 | `dags.persistence.*`                                  | Dag persistence configuration                                                                                | Please refer to `values.yaml`                     |
 | `dags.gitSync.*`                                      | Git sync configuration                                                                                       | Please refer to `values.yaml`                     |
-| `multiNamespaceMode`                                   | Whether the KubernetesExecutor can launch pods in multiple namespaces                                        | `False`                                           |
+| `multiNamespaceMode`                                  | Whether the KubernetesExecutor can launch pods in multiple namespaces                                        | `False`                                           |
+| `serviceAccountAnnottions.*`                          | Map of annotations for worker, webserver, scheduler kubernetes service accounts                              | {}                                                |
+
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

chart/templates/scheduler/scheduler-serviceaccount.yaml

@@ -28,6 +28,12 @@ metadata:
     release: {{ .Release.Name }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service }}
+  {{- with .Values.scheduler.serviceAccountAnnotations }}
+  annotations:
+    {{- range $key, $value := . }}
+      {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+      {{- end }}
+  {{- end }}
 {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}

chart/templates/webserver/webserver-serviceaccount.yaml

@@ -27,6 +27,12 @@ metadata:
     release: {{ .Release.Name }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service }}
+  {{- with .Values.webserver.serviceAccountAnnotations }}
+  annotations:
+    {{- range $key, $value := . }}
+      {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+      {{- end }}
+  {{- end }}
 {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}

chart/templates/workers/worker-serviceaccount.yaml

@@ -28,7 +28,13 @@ metadata:
     release: {{ .Release.Name }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service }}
-{{- with .Values.labels }}
+  {{- with .Values.workers.serviceAccountAnnotations }}
+  annotations:
+    {{- range $key, $value := . }}
+      {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+      {{- end }}
+  {{- end }}
+  {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}

chart/values.schema.json

@@ -467,6 +467,10 @@
                 "safeToEvict": {
                     "description": "This setting tells Kubernetes that it's ok to evict when it wants to scale a node down.",
                     "type": "boolean"
+                },
+                "serviceAccountAnnotations": {
+                  "description": "Annotations to add to the worker kubernetes service account.",
+                  "type": "object"
                 }
             }
         },
@@ -507,6 +511,10 @@
                 "safeToEvict": {
                     "description": "This setting tells Kubernetes that its ok to evict when it wants to scale a node down.",
                     "type": "boolean"
+                },
+                "serviceAccountAnnotations": {
+                  "description": "Annotations to add to the scheduler kubernetes service account.",
+                  "type": "object"
                 }
             }
         },
@@ -631,6 +639,10 @@
                             "type": "object"
                         }
                     }
+                },
+                "serviceAccountAnnotations": {
+                  "description": "Annotations to add to the webserver kubernetes service account.",
+                  "type": "object"
                 }
             }
         },

chart/values.yaml

@@ -233,7 +233,6 @@ kerberos:
       admin_server = admin_server.foo.com
     }
 
-
 # Airflow Worker Config
 workers:
   # Number of airflow celery workers in StatefulSet
@@ -285,6 +284,8 @@ workers:
   # This setting tells kubernetes that its ok to evict
   # when it wants to scale a node down.
   safeToEvict: true
+  # Annotations to add to worker kubernetes service account.
+  serviceAccountAnnotations: {}
 
 # Airflow scheduler settings
 scheduler:
@@ -312,6 +313,9 @@ scheduler:
   # when it wants to scale a node down.
   safeToEvict: true
 
+  # Annotations to add to scheduler kubernetes service account.
+  serviceAccountAnnotations: {}
+
 # Airflow webserver settings
 webserver:
   livenessProbe:
@@ -372,6 +376,9 @@ webserver:
     ## service annotations
     annotations: {}
 
+  # Annotations to add to webserver kubernetes service account.
+  serviceAccountAnnotations: {}
+
 # Flower settings
 flower:
   # Additional network policies as needed