Skip to content

Remove scheduler automate serviceaccount token #44173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
romsharon98 merged 4 commits into from
Jan 6, 2025
Merged

Remove scheduler automate serviceaccount token #44173

romsharon98 merged 4 commits into from
Jan 6, 2025

Conversation

@romsharon98
Copy link
Contributor

@romsharon98 romsharon98 commented Nov 19, 2024

closes: #43464

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

@boring-cyborg boring-cyborg bot added the area:helm-chart Airflow Helm Chart label Nov 19, 2024
@eladkal eladkal requested a review from amoghrajesh November 19, 2024 09:07
@eladkal eladkal added this to the Airflow Helm Chart 1.16.0 milestone Nov 19, 2024
@potiuk
Copy link
Member

potiuk commented Nov 19, 2024

Hmm. I wonder.. Looking at #43464 - yes, when you have K8S executor, you will not be able to work without serviceAutomount set to true. But is it generally true for LocalExecutor and CeleryExecutor for example?

I believe should work without automount for those executors?

@jedcunningham
Copy link
Member

jedcunningham commented Nov 19, 2024

@potiuk you'd still need it for LocalExecutor and KubernetesPodOperator too.

But yes, with CeleryExecutor it should be fine. Or if you don't care about LE+KPO. Not sure removing completely is the right call.

@potiuk
Copy link
Member

potiuk commented Nov 19, 2024

@potiuk you'd still need it for LocalExecutor and KubernetesPodOperator too.

But yes, with CeleryExecutor it should be fine. Or if you don't care about LE+KPO. Not sure removing completely is the right call.

Yeah. For me it looks like maybe we should detect it when we need it and it is not set and provide a better diagnostics.

@romsharon98
Copy link
Contributor Author

romsharon98 commented Nov 20, 2024

didn't fully understand what are the cases that we will need it.

amoghrajesh
amoghrajesh reviewed Nov 20, 2024
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @jedcunningham and @potiuk comments.
Summarising the cases I think we should cover

amoghrajesh
amoghrajesh approved these changes Dec 16, 2024
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Sorry for the delay @romsharon98
One small nit.

@romsharon98 romsharon98 force-pushed the remove-scheduler-automate-serviceaccount-token branch from 0ea1f3f to e423f77 Compare December 16, 2024 17:23
@eladkal eladkal force-pushed the remove-scheduler-automate-serviceaccount-token branch from 0558838 to 7018a19 Compare January 3, 2025 02:23
@romsharon98 romsharon98 force-pushed the remove-scheduler-automate-serviceaccount-token branch from 7018a19 to a0a6d5b Compare January 5, 2025 21:12
@romsharon98 romsharon98 merged commit 9ba279d into apache:main Jan 6, 2025
59 checks passed
HariGS-DB pushed a commit to HariGS-DB/airflow that referenced this pull request Jan 16, 2025
@romsharon98 @HariGS-DB
Remove scheduler automate serviceaccount token (apache#44173)
f764c3a 
* remove scheduler automate serviceaccount token

* concider automount service account only if executor is CeleryExecutor

* change comment

* fix typo
got686-yandex pushed a commit to got686-yandex/airflow that referenced this pull request Jan 30, 2025
@romsharon98 @got686-yandex
Remove scheduler automate serviceaccount token (apache#44173)
7936839 
* remove scheduler automate serviceaccount token

* concider automount service account only if executor is CeleryExecutor

* change comment

* fix typo
@jedcunningham jedcunningham mentioned this pull request Mar 29, 2025
Closed
62 tasks
@dano-nx dano-nx mentioned this pull request Dec 5, 2025
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amoghrajesh amoghrajesh amoghrajesh approved these changes

@eladkal eladkal eladkal approved these changes

@dstandish dstandish Awaiting requested review from dstandish

@jedcunningham jedcunningham Awaiting requested review from jedcunningham jedcunningham is a code owner

@hussein-awala hussein-awala Awaiting requested review from hussein-awala hussein-awala is a code owner

Assignees

No one assigned

Labels

area:helm-chart Airflow Helm Chart

Projects

None yet

Milestone

Airflow Helm Chart 1.16.0

Development

Successfully merging this pull request may close these issues.

Scheduler has no Kubernetes API access when disabling API token automounting

5 participants

@romsharon98 @potiuk @jedcunningham @amoghrajesh @eladkal