Fix Airflow 3 task log access with NetworkPolicies

chart/templates/scheduler/scheduler-networkpolicy.yaml

@@ -48,7 +48,7 @@ spec:
     - podSelector:
         matchLabels:
           tier: airflow
-          component: scheduler
+          component: api-server
           release: {{ .Release.Name }}
     ports:
     - protocol: TCP

chart/templates/triggerer/triggerer-networkpolicy.yaml

@@ -48,7 +48,7 @@ spec:
         matchLabels:
           tier: airflow
           release: {{ .Release.Name }}
-          component: triggerer
+          component: api-server
     ports:
     - protocol: TCP
       port: {{ .Values.ports.triggererLogs }}

chart/templates/workers/worker-networkpolicy.yaml

@@ -64,7 +64,7 @@ spec:
         matchLabels:
           tier: airflow
           release: {{ .Release.Name }}
-          component: webserver
+          component: api-server
     ports:
     - protocol: TCP
       port: {{ .Values.ports.workerLogs }}

helm-tests/tests/helm_tests/airflow_core/test_scheduler.py

@@ -1005,6 +1005,20 @@ def test_should_add_component_specific_labels(self):
         assert "test_label" in jmespath.search("metadata.labels", docs[0])
         assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value"
 
+    def test_should_allow_api_server_to_read_scheduler_logs(self):
+        docs = render_chart(
+            values={
+                "executor": "LocalExecutor",
+                "networkPolicies": {"enabled": True},
+            },
+            show_only=["templates/scheduler/scheduler-networkpolicy.yaml"],
+        )
+
+        assert (
+            jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+            == "api-server"
+        )
+
 
 class TestSchedulerLogGroomer(LogGroomerTestBase):
     """Scheduler log groomer."""

helm-tests/tests/helm_tests/airflow_core/test_triggerer.py

@@ -778,6 +778,23 @@ def test_overridden_automount_service_account_token(self):
         assert jmespath.search("automountServiceAccountToken", docs[0]) is False
 
 
+class TestTriggererNetworkPolicy:
+    """Tests triggerer network policy."""
+
+    def test_should_allow_api_server_to_read_triggerer_logs(self):
+        docs = render_chart(
+            values={
+                "networkPolicies": {"enabled": True},
+            },
+            show_only=["templates/triggerer/triggerer-networkpolicy.yaml"],
+        )
+
+        assert (
+            jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+            == "api-server"
+        )
+
+
 class TestTriggererLogGroomer(LogGroomerTestBase):
     """Triggerer log groomer."""
 

helm-tests/tests/helm_tests/airflow_core/test_worker.py

@@ -2682,6 +2682,21 @@ def test_should_add_component_specific_labels(self, workers_values):
         assert labels["test_label"] == "test_label_value"
         assert "key" not in labels
 
+    @pytest.mark.parametrize("executor", ["CeleryExecutor", "CeleryExecutor,KubernetesExecutor"])
+    def test_should_allow_api_server_to_read_worker_logs(self, executor):
+        docs = render_chart(
+            values={
+                "networkPolicies": {"enabled": True},
+                "executor": executor,
+            },
+            show_only=["templates/workers/worker-networkpolicy.yaml"],
+        )
+
+        assert (
+            jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0])
+            == "api-server"
+        )
+
 
 class TestWorkerService:
     """Tests worker service."""