diff --git a/chart/templates/scheduler/scheduler-networkpolicy.yaml b/chart/templates/scheduler/scheduler-networkpolicy.yaml
index 795bd16351471..c45fce635676d 100644
--- a/chart/templates/scheduler/scheduler-networkpolicy.yaml
+++ b/chart/templates/scheduler/scheduler-networkpolicy.yaml
@@ -48,7 +48,7 @@ spec:
 - podSelector:
 matchLabels:
 tier: airflow
- component: scheduler
+ component: api-server
 release: {{ .Release.Name }}
 ports:
 - protocol: TCP
diff --git a/chart/templates/triggerer/triggerer-networkpolicy.yaml b/chart/templates/triggerer/triggerer-networkpolicy.yaml
index 18978969797dd..ea3cda5b45c33 100644
--- a/chart/templates/triggerer/triggerer-networkpolicy.yaml
+++ b/chart/templates/triggerer/triggerer-networkpolicy.yaml
@@ -48,7 +48,7 @@ spec:
 matchLabels:
 tier: airflow
 release: {{ .Release.Name }}
- component: triggerer
+ component: api-server
 ports:
 - protocol: TCP
 port: {{ .Values.ports.triggererLogs }}
diff --git a/chart/templates/workers/worker-networkpolicy.yaml b/chart/templates/workers/worker-networkpolicy.yaml
index 4048f3fac834c..ee0f6a26d1a9a 100644
--- a/chart/templates/workers/worker-networkpolicy.yaml
+++ b/chart/templates/workers/worker-networkpolicy.yaml
@@ -64,7 +64,7 @@ spec:
 matchLabels:
 tier: airflow
 release: {{ .Release.Name }}
- component: webserver
+ component: api-server
 ports:
 - protocol: TCP
 port: {{ .Values.ports.workerLogs }}
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
index 5e42e835d382c..140bb5153aceb 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py
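Review bot: Hard-coding `component: api-server` as the only admitted peer of this ingress rule removes log-port access for any release whose UI pods still carry the `webserver` label; the same literal is used in the triggerer-networkpolicy.yaml and worker-networkpolicy.yaml hunks. In the worker policy the value it replaces was `component: webserver`, so if the chart can still be rendered for an Airflow version that runs a webserver component (not visible in these hunks), task-log fetching there would be dropped once networkPolicies are enabled. Rather than admitting both labels, which would widen the rule, select the one that is actually deployed, for example `component: {{ ternary "api-server" "webserver" (semverCompare ">=3.0.0" .Values.airflowVersion) }}`, assuming the chart exposes the Airflow version as `.Values.airflowVersion` and uses that cut-over elsewhere. The NetworkPolicy spec around each of the three hunks starts and ends outside the visible lines.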
@@ -1005,6 +1005,20 @@ def test_should_add_component_specific_labels(self):
 assert "test_label" in jmespath.search("metadata.labels", docs[0])
 assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
+ def test_should_allow_api_server_to_read_scheduler_logs(self):
+ docs = render_chart(
+ values={
+ "executor": "LocalExecutor",
+ "networkPolicies": {"enabled": True},
+ },
+ show_only=["templates/scheduler/scheduler-networkpolicy.yaml"],
+ )
+
+ assert (
+ jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+ == "api-server"
+ )
+
 class TestSchedulerLogGroomer(LogGroomerTestBase):
 """Scheduler log groomer."""
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
index 44a022ae2c914..2a3356ab02462 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py
@@ -778,6 +778,23 @@ def test_overridden_automount_service_account_token(self):
 assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+class TestTriggererNetworkPolicy:
+ """Tests triggerer network policy."""
+
+ def test_should_allow_api_server_to_read_triggerer_logs(self):
+ docs = render_chart(
+ values={
+ "networkPolicies": {"enabled": True},
+ },
+ show_only=["templates/triggerer/triggerer-networkpolicy.yaml"],
+ )
+
+ assert (
+ jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+ == "api-server"
+ )
+
+
 class TestTriggererLogGroomer(LogGroomerTestBase):
 """Triggerer log groomer."""
diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker.py b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
index fdb4f291ae997..e0d498a6ad6ba 100644
--- a/helm-tests/tests/helm_tests/airflow_core/test_worker.py
+++ b/helm-tests/tests/helm_tests/airflow_core/test_worker.py
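Review bot: The assertion in `test_should_allow_api_server_to_read_scheduler_logs` pins only the `component` label of `spec.ingress[0].from[0]`, so it keeps passing if the selector loses `tier` or `release` (which would admit api-server pods of other releases in the same namespace) or if a second, broader peer is appended to `from`. The triggerer test in this same span and the worker test in test_worker.py share the gap. For an allow rule it is worth pinning the whole peer, for example `peers = jmespath.search("spec.ingress[0].from", docs[0])` followed by `assert set(peers[0]["podSelector"]["matchLabels"]) == {"tier", "release", "component"}`, plus `assert len(peers) == 1` if a single peer is what these values are expected to render. A one-line docstring such as `"""Only the api-server may reach the scheduler log port."""` would also record why the rule exists.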
@@ -2682,6 +2682,21 @@ def test_should_add_component_specific_labels(self, workers_values):
 assert labels["test_label"] == "test_label_value"
 assert "key" not in labels
+ @pytest.mark.parametrize("executor", ["CeleryExecutor", "CeleryExecutor,KubernetesExecutor"])
+ def test_should_allow_api_server_to_read_worker_logs(self, executor):
+ docs = render_chart(
+ values={
+ "networkPolicies": {"enabled": True},
+ "executor": executor,
+ },
+ show_only=["templates/workers/worker-networkpolicy.yaml"],
+ )
+
+ assert (
+ jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+ == "api-server"
+ )
+
 class TestWorkerService:
 """Tests worker service."""