Helm RBAC Best Practices (#14152)

This PR builds off of and supersedes @jaydesl's work on his [PR](apache/airflow#11769) to move forward with properly following [helm's rbac best practices](https://helm.sh/docs/chart_best_practices/rbac/). This PR updates every potential pod that can be deployed to include the option to either create or use an existing service account. This is the first step towards supporting environments where users have the [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) admission controller enabled without forcing such users to provide any additional permissions to the default service account in the namespace this is deployed to.

closes: apache/airflow#11755
related: apache/airflow#13643

Co-authored-by: jaydesl <jay.deslauriers@gmail.com>
Co-authored-by: Ian Stanton <ian@astronomer.io>
Co-authored-by: Kaxil Naik <kaxilnaik@gmail.com>
GitOrigin-RevId: 8655d66cea977102862379d9894810b1e836f7a8

chart/files/pod-template-file.kubernetes-helm-yaml

@@ -87,7 +87,7 @@ spec:
   nodeSelector: {{ toYaml .Values.nodeSelector | nindent 4 }}
   affinity: {{ toYaml .Values.affinity | nindent 4 }}
   tolerations: {{ toYaml .Values.tolerations | nindent 4 }}
-  serviceAccountName: '{{ .Release.Name }}-worker'
+  serviceAccountName: {{ include "worker.serviceAccountName" . }}
   volumes:
   {{- if .Values.dags.persistence.enabled }}
   - name: dags

chart/templates/_helpers.yaml

@@ -15,6 +15,25 @@
 # specific language governing permissions and limitations
 # under the License.
 
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "airflow.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
 {{/* Standard Airflow environment variables */}}
 {{- define "standard_airflow_environment" }}
   # Hard Coded Airflow Envs
@@ -372,6 +391,116 @@ server_tls_key_file = /etc/pgbouncer/server.key
 {{ (printf "%s-airflow-config" .Release.Name) }}
 {{- end }}
 
+{{/*
+Create the name of the webserver service account to use
+*/}}
+{{- define "webserver.serviceAccountName" -}}
+{{- if .Values.webserver.serviceAccount.create -}}
+    {{ default (printf "%s-webserver" (include "airflow.fullname" .)) .Values.webserver.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.webserver.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the redis service account to use
+*/}}
+{{- define "redis.serviceAccountName" -}}
+{{- if .Values.redis.serviceAccount.create -}}
+    {{ default (printf "%s-redis" (include "airflow.fullname" .)) .Values.redis.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.redis.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the flower service account to use
+*/}}
+{{- define "flower.serviceAccountName" -}}
+{{- if .Values.flower.serviceAccount.create -}}
+    {{ default (printf "%s-flower" (include "airflow.fullname" .)) .Values.flower.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.flower.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the scheduler service account to use
+*/}}
+{{- define "scheduler.serviceAccountName" -}}
+{{- if .Values.scheduler.serviceAccount.create -}}
+    {{ default (printf "%s-scheduler" (include "airflow.fullname" .)) .Values.scheduler.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.scheduler.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the statsd service account to use
+*/}}
+{{- define "statsd.serviceAccountName" -}}
+{{- if .Values.statsd.serviceAccount.create -}}
+    {{ default (printf "%s-statsd" (include "airflow.fullname" .)) .Values.statsd.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.statsd.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the create user job service account to use
+*/}}
+{{- define "createUserJob.serviceAccountName" -}}
+{{- if .Values.createUserJob.serviceAccount.create -}}
+    {{ default (printf "%s-create-user-job" (include "airflow.fullname" .)) .Values.createUserJob.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.createUserJob.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the migrate database job service account to use
+*/}}
+{{- define "migrateDatabaseJob.serviceAccountName" -}}
+{{- if .Values.migrateDatabaseJob.serviceAccount.create -}}
+    {{ default (printf "%s-migrate-database-job" (include "airflow.fullname" .)) .Values.migrateDatabaseJob.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.migrateDatabaseJob.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the worker service account to use
+*/}}
+{{- define "worker.serviceAccountName" -}}
+{{- if .Values.workers.serviceAccount.create -}}
+    {{ default (printf "%s-worker" (include "airflow.fullname" .)) .Values.workers.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.workers.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the pgbouncer service account to use
+*/}}
+{{- define "pgbouncer.serviceAccountName" -}}
+{{- if .Values.pgbouncer.serviceAccount.create -}}
+    {{ default (printf "%s-pgbouncer" (include "airflow.fullname" .)) .Values.pgbouncer.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.pgbouncer.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the cleanup service account to use
+*/}}
+{{- define "cleanup.serviceAccountName" -}}
+{{- if .Values.cleanup.serviceAccount.create -}}
+    {{ default (printf "%s-cleanup" (include "airflow.fullname" .)) .Values.cleanup.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.cleanup.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{ define "wait-for-migrations-command" }}
   {{/* From Airflow 2.0.0 this can become [airflow, db, check-migrations] */}}
   - python

chart/templates/cleanup/cleanup-cronjob.yaml

@@ -54,7 +54,7 @@ spec:
 {{ toYaml $affinity | indent 12 }}
           tolerations:
 {{ toYaml $tolerations | indent 12 }}
-          serviceAccountName: {{ .Release.Name }}-cleanup
+          serviceAccountName: {{ include "cleanup.serviceAccountName" . }}
           {{- if or .Values.registry.secretName .Values.registry.connection }}
           imagePullSecrets:
             - name: {{ template "registry_secret" . }}

chart/templates/cleanup/cleanup-serviceaccount.yaml

@@ -18,17 +18,21 @@
 ################################
 ## Airflow Cleanup ServiceAccount
 #################################
-{{- if and .Values.rbacEnabled .Values.cleanup.enabled }}
+{{- if and .Values.cleanup.serviceAccount.create .Values.cleanup.enabled }}
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: {{ .Release.Name }}-cleanup
+  name: {{ include "cleanup.serviceAccountName" . }}
   labels:
     tier: airflow
     release: {{ .Release.Name }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service }}
-{{- with .Values.labels }}
-{{ toYaml . | indent 4 }}
-{{- end }}
+    {{- with .Values.labels }}
+    {{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- with .Values.cleanup.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
 {{- end }}

chart/templates/flower/flower-deployment.yaml

@@ -61,6 +61,7 @@ spec:
 {{ toYaml $affinity | indent 8 }}
       tolerations:
 {{ toYaml $tolerations | indent 8 }}
+      serviceAccountName: {{ include "flower.serviceAccountName" . }}
       restartPolicy: Always
       securityContext:
         runAsUser: {{ .Values.uid }}

chart/templates/flower/flower-serviceaccount.yaml

@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+######################################
+## Airflow Flower ServiceAccount
+######################################
+{{- if and (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) .Values.flower.serviceAccount.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "flower.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.flower.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

chart/templates/jobs/create-user-job-serviceaccount.yaml

@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+###########################################
+## Airflow Create User Job ServiceAccount
+###########################################
+{{- if and .Values.createUserJob.serviceAccount.create .Values.webserver.defaultUser.enabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "createUserJob.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.createUserJob.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

chart/templates/create-user-job.yaml → chart/templates/jobs/create-user-job.yaml

@@ -56,6 +56,7 @@ spec:
 {{ toYaml $affinity | indent 8 }}
       tolerations:
 {{ toYaml $tolerations | indent 8 }}
+      serviceAccountName: {{ include "createUserJob.serviceAccountName" . }}
       {{- if or .Values.registry.secretName .Values.registry.connection }}
       imagePullSecrets:
         - name: {{ template "registry_secret" . }}

chart/templates/jobs/migrate-database-job-serviceaccount.yaml

@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#############################################
+## Airflow Migrate Database Job ServiceAccount
+##############################################
+{{- if .Values.migrateDatabaseJob.serviceAccount.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "migrateDatabaseJob.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.migrateDatabaseJob.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

chart/templates/migrate-database-job.yaml → chart/templates/jobs/migrate-database-job.yaml

@@ -55,6 +55,7 @@ spec:
 {{ toYaml $affinity | indent 8 }}
       tolerations:
 {{ toYaml $tolerations | indent 8 }}
+      serviceAccountName: {{ include "migrateDatabaseJob.serviceAccountName" . }}
       {{- if or .Values.registry.secretName .Values.registry.connection }}
       imagePullSecrets:
         - name: {{ template "registry_secret" . }}

chart/templates/pgbouncer/pgbouncer-deployment.yaml

@@ -65,6 +65,9 @@ spec:
 {{ toYaml $affinity | indent 8 }}
       tolerations:
 {{ toYaml $tolerations | indent 8 }}
+      serviceAccountName: {{ include "pgbouncer.serviceAccountName" . }}
+      securityContext:
+        runAsUser: {{ .Values.pgbouncer.uid }}
       restartPolicy: Always
       {{- if or .Values.registry.secretName .Values.registry.connection }}
       imagePullSecrets:

chart/templates/pgbouncer/pgbouncer-serviceaccount.yaml

@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+######################################
+## Airflow Pgbouncer ServiceAccount
+######################################
+{{- if and .Values.pgbouncer.serviceAccount.create .Values.pgbouncer.enabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ include "pgbouncer.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.pgbouncer.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

chart/templates/rbac/pod-cleanup-role.yaml

@@ -18,7 +18,7 @@
 ################################
 ## Airflow Cleanup Role
 #################################
-{{- if and .Values.rbacEnabled .Values.cleanup.enabled }}
+{{- if and .Values.rbac.create .Values.cleanup.enabled }}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata: