Single/Multi-Namespace mode for helm chart (#11034)

* Multi-Namespace mode for helm chart Users should not REQUIRE a ClusterRole/ClusterRolebinding to run airflow via helm. This change will allow "single" and "multi" namespace modes so users can add airflow to managed kubernetes clusters * add namespace to role * add rolebinding too * add docs * add values.schema.json change (cherry picked from commit 93475e9)
apache · Nov 18, 2020 · 84af189 · 84af189
1 parent 5f40cbc
commit 84af189
Show file tree

Hide file tree

Showing 5 changed files with 1,170 additions and 51 deletions.
diff --git a/chart/README.md b/chart/README.md
@@ -206,7 +206,7 @@ The following tables lists the configurable parameters of the Airflow chart and
 | `webserver.defaultUser`                               | Optional default airflow user information                                                                    | `{}`                                              |
 | `dags.persistence.*`                                  | Dag persistence configuration                                                                    | Please refer to `values.yaml`                                    |
 | `dags.gitSync.*`                                      | Git sync configuration                                                                   | Please refer to `values.yaml`                                    |
-
+| `multiNamespaceMode`                                  | Whether the KubernetesExecutor can launch pods in multiple namespaces                                        | `False`                                           |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

diff --git a/chart/templates/rbac/pod-launcher-role.yaml b/chart/templates/rbac/pod-launcher-role.yaml
@@ -19,10 +19,17 @@
 ## Airflow Pod Launcher Role
 #################################
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}-pod-launcher-role
+{{- if not .Values.multiNamespaceMode }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     tier: airflow
     release: {{ .Release.Name }}
@@ -40,6 +47,7 @@ rules:
       - "create"
       - "list"
       - "get"
+      - "patch"
       - "watch"
       - "delete"
   - apiGroups:

diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -21,9 +21,16 @@
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
 {{- $grantScheduler := or (eq .Values.executor "LocalExecutor") (eq .Values.executor "SequentialExecutor") (eq .Values.executor "KubernetesExecutor") }}
 {{- $grantWorker := or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "KubernetesExecutor") }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+{{- if not .Values.multiNamespaceMode }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   name: {{ .Release.Name }}-pod-launcher-rolebinding
   labels:
     tier: airflow