Single/Multi-Namespace mode for helm chart (apache#11034)

* Multi-Namespace mode for helm chart Users should not REQUIRE a ClusterRole/ClusterRolebinding to run airflow via helm. This change will allow "single" and "multi" namespace modes so users can add airflow to managed kubernetes clusters * add namespace to role * add rolebinding too * add docs * add values.schema.json change
akking · Oct 5, 2020 · 93475e9 · 93475e9
1 parent a33a919
commit 93475e9
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 1 deletion.
diff --git a/chart/README.md b/chart/README.md
@@ -210,7 +210,7 @@ The following tables lists the configurable parameters of the Airflow chart and
 | `webserver.defaultUser`                               | Optional default airflow user information                                                                    | `{}`                                              |
 | `dags.persistence.*`                                  | Dag persistence configuration                                                                                | Please refer to `values.yaml`                     |
 | `dags.gitSync.*`                                      | Git sync configuration                                                                                       | Please refer to `values.yaml`                     |
-
+| `multiNamespaceMode`                                   | Whether the KubernetesExecutor can launch pods in multiple namespaces                                        | `False`                                           |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

diff --git a/chart/templates/rbac/pod-launcher-role.yaml b/chart/templates/rbac/pod-launcher-role.yaml
@@ -19,10 +19,17 @@
 ## Airflow Pod Launcher Role
 #################################
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}-pod-launcher-role
+{{- if not .Values.multiNamespaceMode }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     tier: airflow
     release: {{ .Release.Name }}

diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -21,9 +21,16 @@
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
 {{- $grantScheduler := or (eq .Values.executor "LocalExecutor") (eq .Values.executor "SequentialExecutor") (eq .Values.executor "KubernetesExecutor") }}
 {{- $grantWorker := or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "KubernetesExecutor") }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+{{- if not .Values.multiNamespaceMode }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   name: {{ .Release.Name }}-pod-launcher-rolebinding
   labels:
     tier: airflow

diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -23,6 +23,10 @@
             "description": "Default airflow tag to deploy.",
             "type": "string"
         },
+        "multi_namespaceMode": {
+          "description": "Whether the KubernetesExecutor can launch workers in multiple namespaces",
+          "type": "boolean"
+        },
         "nodeSelector": {
             "description": "Select certain nodes for airflow pods.",
             "type": "object",

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -608,8 +608,11 @@ config:
     worker_container_repository: '{{ .Values.images.airflow.repository | default .Values.defaultAirflowRepository }}'
     worker_container_tag: '{{ .Values.images.airflow.tag | default .Values.defaultAirflowTag }}'
     delete_worker_pods: 'True'
+    multi_namespace_mode: '{{ .Values.multiNamespaceMode }}'
 # yamllint enable rule:line-length
 
+multiNamespaceMode: 'False'
+
 podTemplate: ~
 
 # Git sync