From a0b18f7f3e8628329bf5d4a7745720d5008a8bda Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Sun, 31 May 2026 23:04:27 +0200 Subject: [PATCH] Chart: Select NetworkPolicy log-access component by Airflow version The 1.2x chart line supports both Airflow 2.11 (logs served by the webserver) and Airflow 3 (logs served by the api-server). #65754 unconditionally changed the scheduler/triggerer/worker NetworkPolicy log-ingress selectors to api-server, which would break task log access on Airflow 2.11 deployments. Choose the component based on .Values.airflowVersion via semverCompare (>=3.0.0 -> api-server, else webserver), matching how the chart already selects webserver vs api-server elsewhere. Tests now cover both Airflow versions. --- chart/templates/scheduler/scheduler-networkpolicy.yaml | 2 +- chart/templates/triggerer/triggerer-networkpolicy.yaml | 2 +- chart/templates/workers/worker-networkpolicy.yaml | 2 +- .../tests/helm_tests/airflow_core/test_scheduler.py | 9 +++++++-- .../tests/helm_tests/airflow_core/test_triggerer.py | 9 +++++++-- helm-tests/tests/helm_tests/airflow_core/test_worker.py | 9 +++++++-- 6 files changed, 24 insertions(+), 9 deletions(-) diff --git a/chart/templates/scheduler/scheduler-networkpolicy.yaml b/chart/templates/scheduler/scheduler-networkpolicy.yaml index 1828361a239d5..0762442e9e408 100644 --- a/chart/templates/scheduler/scheduler-networkpolicy.yaml +++ b/chart/templates/scheduler/scheduler-networkpolicy.yaml @@ -48,7 +48,7 @@ spec: - podSelector: matchLabels: tier: airflow - component: api-server + component: {{ if semverCompare ">=3.0.0" .Values.airflowVersion }}api-server{{ else }}webserver{{ end }} release: {{ .Release.Name }} ports: - protocol: TCP diff --git a/chart/templates/triggerer/triggerer-networkpolicy.yaml b/chart/templates/triggerer/triggerer-networkpolicy.yaml index ea3cda5b45c33..f2beddbca1e13 100644 --- a/chart/templates/triggerer/triggerer-networkpolicy.yaml +++ b/chart/templates/triggerer/triggerer-networkpolicy.yaml @@ -48,7 +48,7 @@ spec: matchLabels: tier: airflow release: {{ .Release.Name }} - component: api-server + component: {{ if semverCompare ">=3.0.0" .Values.airflowVersion }}api-server{{ else }}webserver{{ end }} ports: - protocol: TCP port: {{ .Values.ports.triggererLogs }} diff --git a/chart/templates/workers/worker-networkpolicy.yaml b/chart/templates/workers/worker-networkpolicy.yaml index 0e4206f10f0e0..3df69c7dcca31 100644 --- a/chart/templates/workers/worker-networkpolicy.yaml +++ b/chart/templates/workers/worker-networkpolicy.yaml @@ -64,7 +64,7 @@ spec: matchLabels: tier: airflow release: {{ .Release.Name }} - component: api-server + component: {{ if semverCompare ">=3.0.0" .Values.airflowVersion }}api-server{{ else }}webserver{{ end }} ports: - protocol: TCP port: {{ .Values.ports.workerLogs }} diff --git a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py index ca3ed2fce8f12..4622db151a8e7 100644 --- a/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py +++ b/helm-tests/tests/helm_tests/airflow_core/test_scheduler.py @@ -1065,9 +1065,14 @@ def test_should_add_component_specific_labels(self): assert "test_label" in jmespath.search("metadata.labels", docs[0]) assert jmespath.search("metadata.labels", docs[0])["test_label"] == "test_label_value" - def test_should_allow_api_server_to_read_scheduler_logs(self): + @pytest.mark.parametrize( + ("airflow_version", "expected_component"), + [("3.0.0", "api-server"), ("2.11.0", "webserver")], + ) + def test_should_allow_log_server_to_read_scheduler_logs(self, airflow_version, expected_component): docs = render_chart( values={ + "airflowVersion": airflow_version, "executor": "LocalExecutor", "networkPolicies": {"enabled": True}, }, @@ -1076,7 +1081,7 @@ def test_should_allow_api_server_to_read_scheduler_logs(self): assert ( jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0]) - == "api-server" + == expected_component ) diff --git a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py index 74cee65e0f099..81f5d9e282c66 100644 --- a/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py +++ b/helm-tests/tests/helm_tests/airflow_core/test_triggerer.py @@ -791,9 +791,14 @@ def test_overridden_automount_service_account_token(self): class TestTriggererNetworkPolicy: """Tests triggerer network policy.""" - def test_should_allow_api_server_to_read_triggerer_logs(self): + @pytest.mark.parametrize( + ("airflow_version", "expected_component"), + [("3.0.0", "api-server"), ("2.11.0", "webserver")], + ) + def test_should_allow_log_server_to_read_triggerer_logs(self, airflow_version, expected_component): docs = render_chart( values={ + "airflowVersion": airflow_version, "networkPolicies": {"enabled": True}, }, show_only=["templates/triggerer/triggerer-networkpolicy.yaml"], @@ -801,7 +806,7 @@ def test_should_allow_api_server_to_read_triggerer_logs(self): assert ( jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0]) - == "api-server" + == expected_component ) diff --git a/helm-tests/tests/helm_tests/airflow_core/test_worker.py b/helm-tests/tests/helm_tests/airflow_core/test_worker.py index 145048d1016dd..deb922d0e0393 100644 --- a/helm-tests/tests/helm_tests/airflow_core/test_worker.py +++ b/helm-tests/tests/helm_tests/airflow_core/test_worker.py @@ -2803,9 +2803,14 @@ def test_should_add_component_specific_labels(self, workers_values): assert "key" not in labels @pytest.mark.parametrize("executor", ["CeleryExecutor", "CeleryExecutor,KubernetesExecutor"]) - def test_should_allow_api_server_to_read_worker_logs(self, executor): + @pytest.mark.parametrize( + ("airflow_version", "expected_component"), + [("3.0.0", "api-server"), ("2.11.0", "webserver")], + ) + def test_should_allow_log_server_to_read_worker_logs(self, executor, airflow_version, expected_component): docs = render_chart( values={ + "airflowVersion": airflow_version, "networkPolicies": {"enabled": True}, "executor": executor, }, @@ -2814,7 +2819,7 @@ def test_should_allow_api_server_to_read_worker_logs(self, executor): assert ( jmespath.search("spec.ingress[0].from[0].podSelector.matchLabels.component", docs[0]) - == "api-server" + == expected_component )