Add workers.celery.kerberosInitContainer field

chart/templates/NOTES.txt

@@ -204,6 +204,14 @@ DEPRECATION WARNING:
 
 {{- end }}
 
+{{- if not (empty .Values.workers.kerberosInitContainer) }}
+
+ DEPRECATION WARNING:
+    `workers.kerberosInitContainer` has been renamed to `workers.celery.kerberosInitContainer`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
 {{- if ne (.Values.workers.args | toJson) (list "bash" "-c" "exec \\\nairflow {{ semverCompare \">=2.0.0\" .Values.airflowVersion | ternary \"celery worker\" \"worker\" }}" | toJson) }}
 
  DEPRECATION WARNING:

chart/templates/workers/worker-deployment.yaml

@@ -196,12 +196,14 @@ spec:
               subPath: {{ .Values.logs.persistence.subPath }}
               {{- end }}
         {{- end }}
-        {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion) .Values.workers.kerberosInitContainer.enabled }}
+        {{- $kerberosInitContainerEnabled := or (.Values.workers.celery.kerberosInitContainer).enabled (.Values.workers.kerberosInitContainer).enabled }}
+        {{- $kerberosInitContainerResources := (.Values.workers.celery.kerberosInitContainer).resources | default (.Values.workers.kerberosInitContainer).resources | default dict }}
+        {{- if and (semverCompare ">=2.8.0" .Values.airflowVersion) $kerberosInitContainerEnabled }}
         - name: kerberos-init
           image: {{ template "airflow_image" . }}
           imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
           args: ["kerberos", "-o"]
-          resources: {{- toYaml .Values.workers.kerberosInitContainer.resources | nindent 12 }}
+          resources: {{- toYaml $kerberosInitContainerResources | nindent 12 }}
           volumeMounts:
             - name: logs
               mountPath: {{ template "airflow_logs" . }}

chart/values.schema.json

@@ -2059,7 +2059,7 @@
                     }
                 },
                 "kerberosInitContainer": {
-                    "description": "Kerberos init container for Airflow Celery workers and pods created with pod-template-file.",
+                    "description": "Kerberos init container for Airflow Celery workers and pods created with pod-template-file (deprecated, use `workers.celery.kerberosInitContainer` instead).",
                     "type": "object",
                     "additionalProperties": false,
                     "properties": {
@@ -2810,6 +2810,89 @@
                                     }
                                 }
                             }
+                        },
+                        "kerberosInitContainer": {
+                            "description": "Kerberos init container for Airflow Celery workers.",
+                            "type": "object",
+                            "additionalProperties": false,
+                            "properties": {
+                                "enabled": {
+                                    "description": "Enable Kerberos init container.",
+                                    "type": "boolean",
+                                    "default": false
+                                },
+                                "resources": {
+                                    "description": "Resources on kerberos init container.",
+                                    "type": "object",
+                                    "default": {},
+                                    "examples": [
+                                        {
+                                            "limits": {
+                                                "cpu": "100m",
+                                                "memory": "128Mi"
+                                            },
+                                            "requests": {
+                                                "cpu": "100m",
+                                                "memory": "128Mi"
+                                            }
+                                        }
+                                    ],
+                                    "$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements"
+                                },
+                                "containerLifecycleHooks": {
+                                    "description": "Container Lifecycle Hooks definition for the kerberos init container. If not set, the values from global `containerLifecycleHooks` will be used.",
+                                    "type": "object",
+                                    "$ref": "#/definitions/io.k8s.api.core.v1.Lifecycle",
+                                    "default": {},
+                                    "x-docsSection": "Kubernetes",
+                                    "examples": [
+                                        {
+                                            "postStart": {
+                                                "exec": {
+                                                    "command": [
+                                                        "/bin/sh",
+                                                        "-c",
+                                                        "echo postStart handler > /usr/share/message"
+                                                    ]
+                                                }
+                                            },
+                                            "preStop": {
+                                                "exec": {
+                                                    "command": [
+                                                        "/bin/sh",
+                                                        "-c",
+                                                        "echo preStop handler > /usr/share/message"
+                                                    ]
+                                                }
+                                            }
+                                        }
+                                    ]
+                                },
+                                "securityContexts": {
+                                    "description": "Security context definition for the kerberos init container. If not set, the values from global `securityContexts` will be used.",
+                                    "type": "object",
+                                    "x-docsSection": "Kubernetes",
+                                    "properties": {
+                                        "container": {
+                                            "description": "Container security context definition for the kerberos init container.",
+                                            "type": "object",
+                                            "$ref": "#/definitions/io.k8s.api.core.v1.SecurityContext",
+                                            "default": {},
+                                            "x-docsSection": "Kubernetes",
+                                            "examples": [
+                                                {
+                                                    "allowPrivilegeEscalation": false,
+                                                    "capabilities": {
+                                                        "drop": [
+                                                            "ALL"
+                                                        ]
+                                                    }
+                                                }
+                                            ]
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 },

chart/values.yaml

@@ -871,6 +871,7 @@ workers:
     containerLifecycleHooks: {}
 
   # Kerberos init container configuration for Airflow Celery workers and pods created with pod-template-file
+  # (deprecated, use `workers.celery.kerberosInitContainer` instead)
   kerberosInitContainer:
     # Enable kerberos init container
     enabled: false
@@ -1152,6 +1153,25 @@ workers:
       securityContexts:
         container: {}
 
+    # Kerberos init container configuration for Airflow Celery workers
+    kerberosInitContainer:
+      # Enable kerberos init container
+      enabled: false
+      resources: {}
+      #  limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      #  requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+      # Detailed default security context for kerberos init container on container level
+      securityContexts:
+        container: {}
+
+      # Container level lifecycle hooks
+      containerLifecycleHooks: {}
+
   kubernetes:
     # Command to use in pod-template-file (templated)
     command: ~

helm-tests/tests/helm_tests/airflow_core/test_worker.py

@@ -970,6 +970,67 @@ def test_airflow_kerberos_init_container(
             assert initContainers[1]["name"] == "kerberos-init"
             assert initContainers[1]["args"] == ["kerberos", "-o"]
 
+    @pytest.mark.parametrize(
+        "workers_values",
+        [
+            {"kerberosInitContainer": {"enabled": True}},
+            {"celery": {"kerberosInitContainer": {"enabled": True}}},
+            {
+                "kerberosInitContainer": {"enabled": False},
+                "celery": {"kerberosInitContainer": {"enabled": True}},
+            },
+        ],
+    )
+    def test_airflow_kerberos_init_container_celery_values(self, workers_values):
+        """Test that workers.celery.kerberosInitContainer configuration works and takes precedence."""
+        docs = render_chart(
+            values={
+                "airflowVersion": "2.8.0",
+                "workers": {
+                    **workers_values,
+                    "celery": {
+                        **workers_values.get("celery", {}),
+                        "persistence": {"fixPermissions": True},
+                    },
+                },
+            },
+            show_only=["templates/workers/worker-deployment.yaml"],
+        )
+
+        initContainers = jmespath.search("spec.template.spec.initContainers", docs[0])
+        # Should have 3 init containers: wait-for-migrations, kerberos-init, volume-permissions
+        assert len(initContainers) == 3
+        assert initContainers[1]["name"] == "kerberos-init"
+        assert initContainers[1]["args"] == ["kerberos", "-o"]
+
+    def test_airflow_kerberos_init_container_resources(self):
+        """Test that kerberos init container resources can be configured via workers.celery.kerberosInitContainer."""
+        docs = render_chart(
+            values={
+                "airflowVersion": "2.8.0",
+                "workers": {
+                    "celery": {
+                        "kerberosInitContainer": {
+                            "enabled": True,
+                            "resources": {
+                                "limits": {"cpu": "100m", "memory": "128Mi"},
+                                "requests": {"cpu": "50m", "memory": "64Mi"},
+                            },
+                        },
+                    },
+                },
+            },
+            show_only=["templates/workers/worker-deployment.yaml"],
+        )
+
+        initContainers = jmespath.search("spec.template.spec.initContainers", docs[0])
+        kerberos_init = next((c for c in initContainers if c["name"] == "kerberos-init"), None)
+        assert kerberos_init is not None
+        assert kerberos_init["resources"]["limits"]["cpu"] == "100m"
+        assert kerberos_init["resources"]["limits"]["memory"] == "128Mi"
+        assert kerberos_init["resources"]["requests"]["cpu"] == "50m"
+        assert kerberos_init["resources"]["requests"]["memory"] == "64Mi"
+
     @pytest.mark.parametrize(
         ("airflow_version", "expected_arg"),
         [