diff --git a/chart/README.md b/chart/README.md
index a17ef37aff..1753d6c3e3 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -210,7 +210,7 @@ The following tables lists the configurable parameters of the Airflow chart and
 | `webserver.defaultUser` | Optional default airflow user information | `{}` |
 | `dags.persistence.*` | Dag persistence configuration | Please refer to `values.yaml` |
 | `dags.gitSync.*` | Git sync configuration | Please refer to `values.yaml` |
-
+| `multiNamespaceMode` | Whether the KubernetesExecutor can launch pods in multiple namespaces | `False` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/chart/templates/rbac/pod-launcher-role.yaml b/chart/templates/rbac/pod-launcher-role.yaml
index 7e10122351..dc56c9225e 100644
--- a/chart/templates/rbac/pod-launcher-role.yaml
+++ b/chart/templates/rbac/pod-launcher-role.yaml
@@ -19,10 +19,17 @@
 ## Airflow Pod Launcher Role
 #################################
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Release.Name }}-pod-launcher-role
+{{- if not .Values.multiNamespaceMode }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
 labels:
 tier: airflow
 release: {{ .Release.Name }}
diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml
index 6582209adb..71167a1765 100644
--- a/chart/templates/rbac/pod-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml
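Review bot: The `{{- if .Values.multiNamespaceMode }}` test in pod-launcher-role.yaml is a Go-template truthiness check, and the default this commit adds in values.yaml is the quoted string `'False'`, which is non-empty and therefore evaluates as true. As written, a default install would render the `ClusterRole` branch and omit `namespace:`, so the pod-launcher permissions are cluster-wide even though the README documents the mode as off. The same conditional in pod-launcher-rolebinding.yaml is affected in the same way. Make the default a real boolean, `multiNamespaceMode: false`, so the namespaced `Role`/`RoleBinding` ships unless an operator opts in; the rendered `multi_namespace_mode` config value then becomes `false`, which Airflow's boolean parsing should accept, but confirm. The role's `rules:` lie outside this hunk, so the exact verbs that widen are not visible here.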
@@ -21,9 +21,16 @@
 {{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
 {{- $grantScheduler := or (eq .Values.executor "LocalExecutor") (eq .Values.executor "SequentialExecutor") (eq .Values.executor "KubernetesExecutor") }}
 {{- $grantWorker := or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "KubernetesExecutor") }}
+{{- if .Values.multiNamespaceMode }}
 kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+{{- if not .Values.multiNamespaceMode }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
 name: {{ .Release.Name }}-pod-launcher-rolebinding
 labels:
 tier: airflow
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 52bce31c0b..977611642b 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -23,6 +23,10 @@
 "description": "Default airflow tag to deploy.",
 "type": "string"
 },
+ "multi_namespaceMode": {
+ "description": "Whether the KubernetesExecutor can launch workers in multiple namespaces",
+ "type": "boolean"
+ },
 "nodeSelector": {
 "description": "Select certain nodes for airflow pods.",
 "type": "object",
diff --git a/chart/values.yaml b/chart/values.yaml
index a9a457a64f..1279da50e7 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -608,8 +608,11 @@ config:
 worker_container_repository: '{{ .Values.images.airflow.repository | default .Values.defaultAirflowRepository }}'
 worker_container_tag: '{{ .Values.images.airflow.tag | default .Values.defaultAirflowTag }}'
 delete_worker_pods: 'True'
+ multi_namespace_mode: '{{ .Values.multiNamespaceMode }}'
 # yamllint enable rule:line-length
+multiNamespaceMode: 'False'
+
 podTemplate: ~
 # Git sync
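Review bot: The binding's `roleRef` lies outside this hunk and no other hunk for pod-launcher-rolebinding.yaml appears on the page, so it presumably still names a `ClusterRole`. If so, whenever the `kind: RoleBinding` branch is rendered, the reference points at a role object the chart no longer creates, and the scheduler and worker service accounts end up with no pod-launch rights. `roleRef.kind` needs the same switch as the role template, for example `kind: {{ if .Values.multiNamespaceMode }}ClusterRole{{ else }}Role{{ end }}`. Rendering the chart with `helm template` for both settings and checking that binding kind, role kind and `roleRef.kind` agree would confirm the fix.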
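Review bot: The schema property added in values.schema.json is spelled `multi_namespaceMode`, but the templates and values.yaml use `multiNamespaceMode`, so the `"type": "boolean"` constraint never applies to the real key. That gap lets a quoted string such as the `'False'` default in values.yaml pass validation and then evaluate as true in the RBAC templates. Rename the property to `"multiNamespaceMode": {` so a non-boolean value is rejected at install time. Whether the schema forbids unknown top-level keys is not visible in this hunk, so check that the rename does not collide with an `additionalProperties` rule elsewhere in the file.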