airbytehq · ufou · Apr 21, 2022
diff --git a/charts/airbyte/templates/_helpers.tpl b/charts/airbyte/templates/_helpers.tpl
@@ -238,3 +238,14 @@ Construct comma separated list of key/value pairs from object (useful for ENV va
 {{- end -}}
 {{ join "," $kvList }}
 {{- end -}}
+
+{{/*
+Construct semi-colon delimited list of comma separated key/value pairs from array of objects (useful for ENV var values)
+*/}}
+{{- define "airbyte.flattenArrayMap" -}}
+{{- $mapList := list -}}
+{{- range $element := . -}}
+{{- $mapList = include "airbyte.flattenMap" $element | mustAppend $mapList -}}
+{{- end -}}
+{{ join ";" $mapList }}
+{{- end -}}
diff --git a/charts/airbyte/templates/env-configmap.yaml b/charts/airbyte/templates/env-configmap.yaml
@@ -28,13 +28,15 @@ data:
   JOB_KUBE_NODE_SELECTORS: {{ $.Values.jobs.kube.nodeSelector | include "airbyte.flattenMap" | quote }}
 {{- end }}
 {{- if $.Values.jobs.kube.tolerations }}
-  JOB_KUBE_TOLERATIONS: {{ $.Values.jobs.kube.tolerations | include "airbyte.flattenMap" | quote }}
+  JOB_KUBE_TOLERATIONS: {{ $.Values.jobs.kube.tolerations | include "airbyte.flattenArrayMap" | quote }}
 {{- end }}
   JOB_MAIN_CONTAINER_CPU_LIMIT: {{ ((.Values.jobs.resources | default dict).limits | default dict).cpu | default "" | quote }}
   JOB_MAIN_CONTAINER_CPU_REQUEST: {{ ((.Values.jobs.resources | default dict).requests | default dict).cpu | default "" | quote }}
   JOB_MAIN_CONTAINER_MEMORY_LIMIT: {{ ((.Values.jobs.resources | default dict).limits | default dict).memory | default "" | quote }}
   JOB_MAIN_CONTAINER_MEMORY_REQUEST: {{ ((.Values.jobs.resources | default dict).requests | default dict).memory | default "" | quote }}
   JOBS_DATABASE_MINIMUM_FLYWAY_MIGRATION_VERSION: "0.29.15.001"
+  KUBERNETES_AUTH_TRYKUBECONFIG: {{ .Values.kubernetesAuth.tryKubeConfig | quote }}
+  KUBERNETES_AUTH_TRYSERVICEACCOUNT: {{ .Values.kubernetesAuth.tryServiceAccount | quote }}
   LOCAL_ROOT: /tmp/airbyte_local
   RUN_DATABASE_MIGRATION_ON_STARTUP: "true"
   S3_LOG_BUCKET: {{ .Values.logs.s3.bucket | quote }}

diff --git a/charts/airbyte/templates/pod-sweeper/deployment.yaml b/charts/airbyte/templates/pod-sweeper/deployment.yaml
@@ -22,6 +22,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "airbyte.serviceAccountName" . }}
+      {{- if and .Values.serviceAccount.create .Values.kubernetesAuth.tryServiceAccount }}
+      automountServiceAccountToken: true
+      {{- end }}
       {{- if .Values.podSweeper.nodeSelector }}
       nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.podSweeper.nodeSelector "context" $) | nindent 8 }}
       {{- end }}
@@ -40,6 +43,16 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+        - name: KUBERNETES_AUTH_TRYKUBECONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYKUBECONFIG
         {{- if .Values.podSweeper.containerSecurityContext }}
         securityContext: {{- toYaml .Values.podSweeper.containerSecurityContext | nindent 10 }}
         {{- end }}

diff --git a/charts/airbyte/templates/worker/deployment.yaml b/charts/airbyte/templates/worker/deployment.yaml
@@ -112,27 +112,27 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-{{- if $.Values.jobs.kube.annotations }}
+        {{- if $.Values.jobs.kube.annotations }}
         - name: JOB_KUBE_ANNOTATIONS
           valueFrom:
             configMapKeyRef:
               name: airbyte-env
               key: JOB_KUBE_ANNOTATIONS
-{{- end }}
-{{- if $.Values.jobs.kube.nodeSelector }}
+        {{- end }}
+        {{- if $.Values.jobs.kube.nodeSelector }}
         - name: JOB_KUBE_NODE_SELECTORS
           valueFrom:
             configMapKeyRef:
               name: airbyte-env
               key: JOB_KUBE_NODE_SELECTORS
-{{- end }}
-{{- if $.Values.jobs.kube.tolerations }}
+        {{- end }}
+        {{- if $.Values.jobs.kube.tolerations }}
         - name: JOB_KUBE_TOLERATIONS
           valueFrom:
             configMapKeyRef:
               name: airbyte-env
               key: JOB_KUBE_TOLERATIONS
-{{- end }}
+        {{- end }}
         - name: SUBMITTER_NUM_THREADS
           valueFrom:
             configMapKeyRef:
@@ -239,6 +239,16 @@ spec:
             configMapKeyRef:
               name: {{ include "common.names.fullname" . }}-env
               key: INTERNAL_API_HOST
+        - name: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+        - name: KUBERNETES_AUTH_TRYKUBECONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYKUBECONFIG
         {{- if .Values.worker.extraEnv }}
         {{ .Values.worker.extraEnv | toYaml | nindent 8 }}
         {{- end }}

diff --git a/charts/airbyte/values.yaml b/charts/airbyte/values.yaml
@@ -27,6 +27,15 @@ serviceAccount:
   annotations: {}
   name: airbyte-admin
 
+## Kubernetes Authentication
+## Authentication method used by airbyte pods requiring cluster access, eg. worker/pod-sweeper
+## @param kubernetesAuth.tryKubeConfig if true, will try to use kube config mounted inside the pod (default: true)
+## @param kubernetesAuth.tryServiceAccount if true, will try to use serviceAccount credentials from serviceAccount.name (default: false)
+##
+kubernetesAuth:
+  tryKubeConfig: true
+  tryServiceAccount: false
+
 ## @param version Sets the AIRBYTE_VERSION environment variable. Defaults to Chart.AppVersion.
 ## If changing the image tags below, you should probably also update this.
 version: ""
@@ -976,4 +985,9 @@ jobs:
     ## JOB_KUBE_TOLERATIONS
     ## @param jobs.kube.tolerations [array] Tolerations for jobs.kube pod assignment.
     ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+    ## any boolean values should be quoted to ensure the value is passed through as a string, eg:
+    ## - key: airbyte-server
+    ##   operator: Equal
+    ##   value: "true"
+    ##   effect: NoSchedule
     tolerations: []