diff --git a/chart/README.md b/chart/README.md
index 09762b8ae056c..57e308e8061dc 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -218,7 +218,9 @@ The following tables lists the configurable parameters of the Airflow chart and
 | `webserver.defaultUser` | Optional default airflow user information | `{}` |
 | `dags.persistence.*` | Dag persistence configuration | Please refer to `values.yaml` |
 | `dags.gitSync.*` | Git sync configuration | Please refer to `values.yaml` |
-| `multiNamespaceMode` | Whether the KubernetesExecutor can launch pods in multiple namespaces | `False` |
+| `multiNamespaceMode` | Whether the KubernetesExecutor can launch pods in multiple namespaces | `False` |
+| `serviceAccountAnnottions.*` | Map of annotations for worker, webserver, scheduler kubernetes service accounts | {} |
+
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/chart/templates/scheduler/scheduler-serviceaccount.yaml b/chart/templates/scheduler/scheduler-serviceaccount.yaml
index 0e97bbd665096..c5e97f1037106 100644
--- a/chart/templates/scheduler/scheduler-serviceaccount.yaml
+++ b/chart/templates/scheduler/scheduler-serviceaccount.yaml
@@ -28,6 +28,12 @@ metadata:
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- with .Values.scheduler.serviceAccountAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}
diff --git a/chart/templates/webserver/webserver-serviceaccount.yaml b/chart/templates/webserver/webserver-serviceaccount.yaml
index ea867135d228e..ba99cea9ef193 100644
--- a/chart/templates/webserver/webserver-serviceaccount.yaml
+++ b/chart/templates/webserver/webserver-serviceaccount.yaml
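Review bot: In scheduler-serviceaccount.yaml the new `annotations:` block sits between the `heritage:` line and the existing `{{- with .Values.labels }}` block, so when both `scheduler.serviceAccountAnnotations` and `labels` are set, the entries emitted by `{{ toYaml . | indent 4 }}` would render under `annotations:` rather than in the labels map. This assumes the three context lines are entries of `metadata.labels`; the `labels:` key is above the hunk and the indentation on this page is collapsed, so confirm against the file. Moving the six added lines below the `{{- end }}` that closes the `.Values.labels` block keeps user labels where they were. The webserver and worker service-account hunks have the same ordering, and in the worker file the block has to stay above the final, outer `{{- end }}`. A `helm template` render with both values set would catch it.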
@@ -27,6 +27,12 @@ metadata:
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- with .Values.webserver.serviceAccountAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}
diff --git a/chart/templates/workers/worker-serviceaccount.yaml b/chart/templates/workers/worker-serviceaccount.yaml
index 5bfb6a60b330e..3f2df95d4220b 100644
--- a/chart/templates/workers/worker-serviceaccount.yaml
+++ b/chart/templates/workers/worker-serviceaccount.yaml
@@ -28,7 +28,13 @@ metadata:
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
-{{- with .Values.labels }}
+ {{- with .Values.workers.serviceAccountAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 977611642bd9d..dc8fe1bc98abd 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -457,6 +457,15 @@
 }
 }
 },
+ "kerberosSidecar": {
+ "description": "Run a side car in each worker pod to refresh kerberos ccache with `airflow kerberos` according to the airflow secuirty configuration",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Enable kerberos side car on worker pods."
+ }
+ }
+ },
 "resources": {
 "type": "object"
 },
@@ -467,6 +476,10 @@
 "safeToEvict": {
 "description": "This setting tells Kubernetes that it's ok to evict when it wants to scale a node down.",
 "type": "boolean"
+ },
+ "serviceAccountAnnotations": {
+ "description": "Annotations to add to the worker kubernetes service account.",
+ "type": "object"
 }
 }
 },
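Review bot: The `enabled` property of the new `kerberosSidecar` object has a description but no type, so the schema accepts any JSON value for it. The `kerberos.enabled` property added further down in this file is typed, so add `"type": "boolean"` here to match. The `kerberosSidecar` description also misspells `security` as `secuirty`.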
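Review bot: `serviceAccountAnnotations` is constrained only to `"type": "object"`, but the service-account templates in this commit pass every value through `tpl $value $`, which expects a string. An unquoted value such as `true` or `123` would pass schema validation and then fail at render time. Adding `"additionalProperties": {"type": "string"}` rejects it at validation instead. The scheduler and webserver `serviceAccountAnnotations` entries in the next two hunks need the same line.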
@@ -507,6 +520,10 @@
 "safeToEvict": {
 "description": "This setting tells Kubernetes that its ok to evict when it wants to scale a node down.",
 "type": "boolean"
+ },
+ "serviceAccountAnnotations": {
+ "description": "Annotations to add to the scheduler kubernetes service account.",
+ "type": "object"
 }
 }
 },
@@ -631,6 +648,10 @@
 "type": "object"
 }
 }
+ },
+ "serviceAccountAnnotations": {
+ "description": "Annotations to add to the webserver kubernetes service account.",
+ "type": "object"
 }
 }
 },
@@ -1054,6 +1075,84 @@
 }
 }
 }
+ },
+ "kerberos": {
+ "description": "Kerberos configurations for airflow",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Enable kerberos.",
+ "type": "boolean"
+ },
+ "ccacheMountPath": {
+ "description": "Path to mount shared volume for kerberos credentials cache.",
+ "type": "string"
+ },
+ "ccacheFileName": {
+ "description": "Name for kerberos credentials cache file.",
+ "type": "string"
+ },
+ "configPath":{
+ "description": "Path to mount krb5.conf kerberos configuration file.",
+ "type": "string"
+ },
+ "keytabPath":{
+ "description": "Path to mount the keytab for refreshing credentials in the kerberos sidecar.",
+ "type": "string"
+ },
+ "principal":{
+ "description": "Principal to use when refreshing kerberos credentials.",
+ "type": "string"
+ },
+ "reinitFrequency": {
+ "description": "How often (in seconds) airflow kerberos will reinitialize the credentials cache.",
+ "type": "integer"
+ },
+ "config": {
+ "description": "Contents of krb5.conf.",
+ "type": "string"
+ }
+ }
+ },
+ "hadoop": {
+ "description": "Hadoop configurations.",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Enable Hadoop configurations.",
+ "type": "boolean"
+ },
+ "configPath": {
+ "description": "Path for volume mount for Hadoop configuration files.",
+ "type": "string"
+ },
+ "core": {
+ "description": "Contents of core-site.xml.",
+ "type": ["string", "null"]
+ },
+ "yarn": {
+ "description": "Contents of yarn-site.xml.",
+ "type": ["string", "null"]
+ }
+ }
+ },
+ "spark": {
+ "description": "Spark configurations.",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Enable Spark configurations.",
+ "type": "boolean"
+ },
+ "configPath": {
+ "description": "Path for volume mount for Hadoop configuration files.",
+ "type": "string"
+ },
+ "sparkEnv": {
+ "description": "Contents of spark-env.sh.",
+ "type": "string"
+ }
 }
+ }
 }
 }
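Review bot: `spark.configPath` carries the description `Path for volume mount for Hadoop configuration files.`, which looks copied from `hadoop.configPath`; it should read `Path for volume mount for Spark configuration files.`. The `spark` object also declares no `homePath`, although the `sparkEnv` default in the values.yaml hunk of this commit reads `.Values.spark.homePath`. Whether that key exists in values.yaml is not visible here, but if users are meant to set it, a string property for it belongs in this block. In the `kerberos` block, `"configPath":{`, `"keytabPath":{` and `"principal":{` lack the space after the colon that the rest of the file uses.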
diff --git a/chart/values.yaml b/chart/values.yaml
index a4d6e35db255a..aab99064a0684 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -250,7 +250,7 @@ spark:
 configPath: '/etc/spark/conf/'
 # Contents of spark-env.sh
 sparkEnv: |
- export HADOOP_CONFDIR={{ .Values.hadoop.configPath | quote}}
+ export HADOOP_CONFDIR={{ .Values.hadoop.configPath | quote }}
 export SPARK_HOME={{ .Values.spark.homePath | quote }}
 # Airflow Worker Config
@@ -304,6 +304,8 @@ workers:
 # This setting tells kubernetes that its ok to evict
 # when it wants to scale a node down.
 safeToEvict: true
+ # Annotations to add to worker kubernetes service account.
+ serviceAccountAnnotations: {}
 # Airflow scheduler settings
 scheduler:
@@ -331,6 +333,9 @@ scheduler:
 # when it wants to scale a node down.
 safeToEvict: true
+ # Annotations to add to scheduler kubernetes service account.
+ serviceAccountAnnotations: {}
+
 # Airflow webserver settings
 webserver:
 livenessProbe:
@@ -391,6 +396,9 @@ webserver:
 ## service annotations
 annotations: {}
+ # Annotations to add to webserver kubernetes service account.
+ serviceAccountAnnotations: {}
+
 # Flower settings
 flower:
 # Additional network policies as needed
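Review bot: The comment added above `workers.serviceAccountAnnotations` does not say that each value is rendered through `tpl` and therefore must be a string, which is how the service-account templates in this commit consume it. Suggested wording: `# Annotations to add to worker kubernetes service account. Values are rendered with tpl and must be quoted strings.`, with the same change on the scheduler and webserver entries in the following two hunks. The README row added in this commit lists the key as `serviceAccountAnnottions.*`, which matches none of the three keys defined here.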