airbytehq · ufou · Apr 25, 2022 · May 6, 2022 · davinchia · Apr 27, 2022
diff --git a/charts/airbyte/templates/env-configmap.yaml b/charts/airbyte/templates/env-configmap.yaml
@@ -35,6 +35,8 @@ data:
   JOB_MAIN_CONTAINER_MEMORY_LIMIT: {{ ((.Values.jobs.resources | default dict).limits | default dict).memory | default "" | quote }}
   JOB_MAIN_CONTAINER_MEMORY_REQUEST: {{ ((.Values.jobs.resources | default dict).requests | default dict).memory | default "" | quote }}
   JOBS_DATABASE_MINIMUM_FLYWAY_MIGRATION_VERSION: "0.29.15.001"
+  KUBERNETES_AUTH_TRYKUBECONFIG: {{ .Values.kubernetesAuth.tryKubeConfig | quote }}
+  KUBERNETES_AUTH_TRYSERVICEACCOUNT: {{ .Values.kubernetesAuth.tryServiceAccount | quote }}
   LOCAL_ROOT: /tmp/airbyte_local
   RUN_DATABASE_MIGRATION_ON_STARTUP: "true"
   S3_LOG_BUCKET: {{ .Values.logs.s3.bucket | quote }}

diff --git a/charts/airbyte/templates/pod-sweeper/deployment.yaml b/charts/airbyte/templates/pod-sweeper/deployment.yaml
@@ -22,6 +22,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "airbyte.serviceAccountName" . }}
+      {{- if and .Values.serviceAccount.create .Values.kubernetesAuth.tryServiceAccount }}
+      automountServiceAccountToken: true
+      {{- end }}
       {{- if .Values.podSweeper.nodeSelector }}
       nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.podSweeper.nodeSelector "context" $) | nindent 8 }}
       {{- end }}
@@ -40,6 +43,16 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+        - name: KUBERNETES_AUTH_TRYKUBECONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYKUBECONFIG
         {{- if .Values.podSweeper.containerSecurityContext }}
         securityContext: {{- toYaml .Values.podSweeper.containerSecurityContext | nindent 10 }}
         {{- end }}

diff --git a/charts/airbyte/templates/worker/deployment.yaml b/charts/airbyte/templates/worker/deployment.yaml
@@ -239,6 +239,16 @@ spec:
             configMapKeyRef:
               name: {{ include "common.names.fullname" . }}-env
               key: INTERNAL_API_HOST
+        - name: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYSERVICEACCOUNT
+        - name: KUBERNETES_AUTH_TRYKUBECONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: airbyte-env
+              key: KUBERNETES_AUTH_TRYKUBECONFIG
         {{- if .Values.worker.extraEnv }}
         {{ .Values.worker.extraEnv | toYaml | nindent 8 }}
         {{- end }}

diff --git a/charts/airbyte/values.yaml b/charts/airbyte/values.yaml
@@ -27,6 +27,15 @@ serviceAccount:
   annotations: {}
   name: airbyte-admin
 
+## Kubernetes Authentication
+## Authentication method used by airbyte pods requiring cluster access, eg. worker/pod-sweeper
+## @param kubernetesAuth.tryKubeConfig if true, will try to use kube config mounted inside the pod (default: true)
+## @param kubernetesAuth.tryServiceAccount if true, will try to use serviceAccount credentials from serviceAccount.name (default: false)
+##
+kubernetesAuth:
+  tryKubeConfig: true
+  tryServiceAccount: false
+
 ## @param version Sets the AIRBYTE_VERSION environment variable. Defaults to Chart.AppVersion.
 ## If changing the image tags below, you should probably also update this.
 version: ""