
Add support for disabling SA token automount for Scheduler

Open dan-osterrath opened this issue 3 weeks ago • 2 comments


This PR adds support to the Airflow Helm chart for disabling the service account token automounting into the Airflow Scheduler pods. This might be restricted by cluster policies for security reasons and best practices. When automounting is disabled and the executor is a Pod-launching executor (CeleryExecutor, CeleryKubernetesExecutor, KubernetesExecutor or LocalKubernetesExecutor), the service account token is mounted manually into the Scheduler's container. You can configure some token parameters like volume name, mount path, token audience and TTL. By default the service account token is still mounted automatically to keep backward compatibility. There are sensible defaults for the token parameters to keep backward compatibility.

closes: #59099 related: #30722 #43464

dan-osterrath avatar Dec 07 '25 12:12 dan-osterrath
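The pod shape described in the PR text above (automount off, a projected token with a TTL mounted only into the Scheduler container) can be checked with a small audit. This is an added example, not code from the PR or the Airflow chart; the manifests, the `scheduler` and `log-sidecar` container names, the `sa-token` volume name and the `audit_pod` helper are constructed for illustration, and it assumes a Pod-launching executor.

```python
# Added example: POD_OK and POD_BAD are constructed manifests, not chart output.
import copy

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # Kubernetes default path

POD_OK = {"spec": {
    "automountServiceAccountToken": False,
    "volumes": [{"name": "sa-token", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600}}]}}],
    "containers": [
        {"name": "scheduler", "volumeMounts": [
            {"name": "sa-token", "mountPath": TOKEN_DIR, "readOnly": True}]},
        {"name": "log-sidecar", "volumeMounts": []}]}}

def token_volumes(spec):
    """Map volume name -> serviceAccountToken projection for every projected token."""
    found = {}
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                found[vol["name"]] = src["serviceAccountToken"]
    return found

def audit_pod(pod, allowed_container, max_ttl=3600):
    """Return a list of findings; an empty list means the pod passes."""
    spec, findings = pod["spec"], []
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automount not disabled")
    tokens = token_volumes(spec)
    if not tokens:
        findings.append("no projected token volume")
    for name, tok in tokens.items():
        # Kubernetes defaults expirationSeconds to 3600 when it is omitted.
        if tok.get("expirationSeconds", 3600) > max_ttl:
            findings.append(f"{name}: TTL above {max_ttl}s")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in tokens:
                continue
            if c["name"] != allowed_container:
                findings.append(f"{c['name']}: token mounted outside {allowed_container}")
            if not m.get("readOnly"):
                findings.append(f"{c['name']}: token mount is writable")
    return findings

POD_BAD = copy.deepcopy(POD_OK)
del POD_BAD["spec"]["automountServiceAccountToken"]  # unset: the ServiceAccount setting applies
token_volumes(POD_BAD["spec"])["sa-token"]["expirationSeconds"] = 86400
POD_BAD["spec"]["containers"][1]["volumeMounts"].append({"name": "sa-token", "mountPath": TOKEN_DIR})
```

Calling `audit_pod(pod, "scheduler")` on a rendered pod spec loaded as a dict returns one finding per deviation, so it can gate a CI step on an empty list.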

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst). Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.

Apache Airflow is a community-driven project and together we are making it better 🚀. In case of doubts contact the developers at: Mailing List: [email protected] Slack: https://s.apache.org/airflow-slack

boring-cyborg[bot] avatar Dec 07 '25 12:12 boring-cyborg[bot]

Ups, some nit in RST formatting - can you fix?

jscheffl avatar Dec 09 '25 22:12 jscheffl

Looks good for me now! Let's make CI green and then LGTM!

Is there any way to make these flaky tests green? Can I retrigger them on my own somehow?

downloading uv 0.9.16 x86_64-unknown-linux-gnu
curl: (22) The requested URL returned error: 504
failed to download https://github.com/astral-sh/uv/releases/download/0.9.16/uv-x86_64-unknown-linux-gnu.tar.gz
this may be a standard network error, but it may also indicate
that uv's release process is not working. When in doubt
please feel free to open an issue!

dan-osterrath avatar Dec 12 '25 08:12 dan-osterrath

Is there any way to make these flaky tests green? Can I retrigger them on my own somehow?

Yes. Rebase your PR or close/reopen it - the problem was with GitHub having hiccups - so those were not flaky tests - those were tests that did not run because GitHub infrastructure had problems.

potiuk avatar Dec 13 '25 15:12 potiuk

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

boring-cyborg[bot] avatar Dec 14 '25 13:12 boring-cyborg[bot]