apache
diff --git a/‎chart/files/pod-template-file.kubernetes-helm-yaml‎
Lines changed: 4 additions & 0 deletions b/‎chart/files/pod-template-file.kubernetes-helm-yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎chart/templates/NOTES.txt‎
Lines changed: 32 additions & 0 deletions b/‎chart/templates/NOTES.txt‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎chart/templates/_helpers.yaml‎
Lines changed: 20 additions & 5 deletions b/‎chart/templates/_helpers.yaml‎
Lines changed: 20 additions & 5 deletions
diff --git a/‎chart/templates/workers/worker-kubernetes-serviceaccount.yaml‎
Lines changed: 41 additions & 0 deletions b/‎chart/templates/workers/worker-kubernetes-serviceaccount.yaml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎chart/values.schema.json‎
Lines changed: 81 additions & 5 deletions b/‎chart/values.schema.json‎
Lines changed: 81 additions & 5 deletions
diff --git a/‎chart/values.yaml‎
Lines changed: 55 additions & 0 deletions b/‎chart/values.yaml‎
Lines changed: 55 additions & 0 deletions
@@ -236,7 +236,11 @@ spec:
   terminationGracePeriodSeconds: {{ .Values.workers.kubernetes.terminationGracePeriodSeconds | default .Values.workers.terminationGracePeriodSeconds }}
   tolerations: {{- toYaml $tolerations | nindent 4 }}
   topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 4 }}
+  {{- if .Values.workers.kubernetes.serviceAccount.create }}
+  serviceAccountName: {{ include "worker.kubernetes.serviceAccountName" . }}
+  {{- else }}
   serviceAccountName: {{ include "worker.serviceAccountName" . }}
+  {{- end }}
   volumes:
   {{- if .Values.dags.persistence.enabled }}
   - name: dags
 
@@ -413,6 +413,38 @@ DEPRECATION WARNING:
 
 {{- end }}
 
+{{- if not .Values.workers.serviceAccount.automountServiceAccountToken }}
+
+ DEPRECATION WARNING:
+    `workers.serviceAccount.automountServiceAccountToken` has been renamed to `workers.celery.serviceAccount.automountServiceAccountToken`/`workers.kubernetes.serviceAccount.automountServiceAccountToken`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if not .Values.workers.serviceAccount.create }}
+
+ DEPRECATION WARNING:
+    `workers.serviceAccount.create` has been renamed to `workers.celery.serviceAccount.create`/`workers.kubernetes.serviceAccount.create`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if not (empty .Values.workers.serviceAccount.name) }}
+
+ DEPRECATION WARNING:
+    `workers.serviceAccount.name` has been renamed to `workers.celery.serviceAccount.name`/`workers.kubernetes.serviceAccount.name`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if not (empty .Values.workers.serviceAccount.annotations) }}
+
+ DEPRECATION WARNING:
+    `workers.serviceAccount.annotations` has been renamed to `workers.celery.serviceAccount.annotations`/`workers.kubernetes.serviceAccount.annotations`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
 {{- if .Values.workers.keda.enabled }}
 
  DEPRECATION WARNING:
 
@@ -641,13 +641,23 @@ server_tls_key_file = /etc/pgbouncer/server.key
   {{- end }}
 {{- end }}
 
-{{/* Helper to generate service account name respecting .Values.$section.serviceAccount flags */}}
+{{/* Helper for service account name generation */}}
+{{- define "_serviceAccountNameGen" -}}
+  {{- if .sa.create }}
+    {{- default (printf "%s-%s" (include "airflow.serviceAccountName" .) (default .key .nameSuffix )) .sa.name | quote }}
+  {{- else }}
+    {{- default "default" .sa.name | quote }}
+  {{- end }}
+{{- end }}
+
+{{/* Helper to generate service account name respecting .Values.$section.serviceAccount or .Values.$section.$subSection.serviceAccount flags */}}
 {{- define "_serviceAccountName" -}}
-  {{- $sa := get (get .Values .key) "serviceAccount" }}
-  {{- if $sa.create }}
-    {{- default (printf "%s-%s" (include "airflow.serviceAccountName" .) (default .key .nameSuffix )) $sa.name | quote }}
+  {{- if .subKey }}
+    {{- $sa := get (get (get .Values .key) .subKey) "serviceAccount" -}}
+    {{- include "_serviceAccountNameGen" (merge (dict "sa" $sa "key" .key "nameSuffix" .nameSuffix) .) }}
   {{- else }}
-    {{- default "default" $sa.name | quote }}
+    {{- $sa := get (get .Values .key) "serviceAccount" }}
+    {{- include "_serviceAccountNameGen" (merge (dict "sa" $sa "key" .key "nameSuffix" .nameSuffix) .) }}
   {{- end }}
 {{- end }}
 
@@ -700,6 +710,11 @@ server_tls_key_file = /etc/pgbouncer/server.key
   {{- end }}
 {{- end }}
 
+{{/* Create the name of the worker kubernetes service account to use */}}
+{{- define "worker.kubernetes.serviceAccountName" -}}
+  {{- include "_serviceAccountName" (merge (dict "key" "workers" "subKey" "kubernetes" "nameSuffix" "worker-kubernetes") .) -}}
+{{- end }}
+
 {{/* Create the name of the triggerer service account to use */}}
 {{- define "triggerer.serviceAccountName" -}}
   {{- include "_serviceAccountName" (merge (dict "key" "triggerer") .) -}}
 
@@ -0,0 +1,41 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+###########################################
+## Airflow Worker Kubernetes ServiceAccount
+###########################################
+{{- if and .Values.workers.kubernetes.serviceAccount.create (contains "KubernetesExecutor" .Values.executor) }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ or .Values.workers.kubernetes.serviceAccount.automountServiceAccountToken (and (not (has .Values.workers.kubernetes.serviceAccount.automountServiceAccountToken (list true false))) .Values.workers.serviceAccount.automountServiceAccountToken) }}
+metadata:
+  name: {{ include "worker.kubernetes.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    component: worker
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or .Values.labels .Values.workers.labels }}
+      {{- mustMerge .Values.workers.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with (.Values.workers.kubernetes.serviceAccount.annotations | default .Values.workers.serviceAccount.annotations) }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
@@ -1848,29 +1848,29 @@
                     }
                 },
                 "serviceAccount": {
-                    "description": "Create ServiceAccount for Airflow Celery workers and pods created with pod-template-file.",
+                    "description": "Create ServiceAccount for Airflow Celery workers and pods created with pod-template-file (deprecated, use ``workers.celery.serviceAccount`` and/or ``workers.kubernetes.serviceAccount`` instead).",
                     "type": "object",
                     "properties": {
                         "automountServiceAccountToken": {
-                            "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
+                            "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods (deprecated, use ``workers.celery.serviceAccount.automountServiceAccountToken`` and/or ``workers.kubernetes.serviceAccount.automountServiceAccountToken`` instead)",
                             "type": "boolean",
                             "default": true
                         },
                         "create": {
-                            "description": "Specifies whether a ServiceAccount should be created.",
+                            "description": "Specifies whether a ServiceAccount should be created (deprecated, use ``workers.celery.serviceAccount.create`` and/or ``workers.kubernetes.serviceAccount.create`` instead).",
                             "type": "boolean",
                             "default": true
                         },
                         "name": {
-                            "description": "The name of the ServiceAccount to use. If not set and create is true, a name is generated using the release name.",
+                            "description": "The name of the ServiceAccount to use (deprecated, use ``workers.celery.serviceAccount.name`` and/or ``workers.kubernetes.serviceAccount.name`` instead). If not set and create is true, a name is generated using the release name.",
                             "type": [
                                 "string",
                                 "null"
                             ],
                             "default": null
                         },
                         "annotations": {
-                            "description": "Annotations to add to the worker Kubernetes ServiceAccount.",
+                            "description": "Annotations to add to the worker Kubernetes ServiceAccount (deprecated, use ``workers.celery.serviceAccount.annotations`` and/or ``workers.kubernetes.serviceAccount.annotations`` instead).",
                             "type": "object",
                             "default": {},
                             "additionalProperties": {
@@ -2921,6 +2921,44 @@
                                 }
                             }
                         },
+                        "serviceAccount": {
+                            "description": "Create ServiceAccount for Airflow Celery workers.",
+                            "type": "object",
+                            "properties": {
+                                "automountServiceAccountToken": {
+                                    "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods.",
+                                    "type": [
+                                        "boolean",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "create": {
+                                    "description": "Specifies whether a ServiceAccount should be created.",
+                                    "type": [
+                                        "boolean",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "name": {
+                                    "description": "The name of the ServiceAccount to use. If not set and create is true, a name is generated using the release name.",
+                                    "type": [
+                                        "string",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "annotations": {
+                                    "description": "Annotations to add to the worker Kubernetes ServiceAccount.",
+                                    "type": "object",
+                                    "default": {},
+                                    "additionalProperties": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
                         "keda": {
                             "description": "KEDA configuration of Airflow Celery workers.",
                             "type": "object",
@@ -3431,6 +3469,44 @@
                                 }
                             ]
                         },
+                        "serviceAccount": {
+                            "description": "Create ServiceAccount for pods created with pod-template-file. When this section is specified, the Service Account is created from 'templates/workers/worker-kubernetes-serviceaccount.yaml' file.",
+                            "type": "object",
+                            "properties": {
+                                "automountServiceAccountToken": {
+                                    "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods. If not specified, the ``workers.serviceAccount.automountServiceAccountToken`` value will be taken.",
+                                    "type": [
+                                        "boolean",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "create": {
+                                    "description": "Specifies whether a ServiceAccount should be created. If not specified, the ServiceAccount will be generated and used from 'templates/workers/worker-serviceaccount.yaml' file if `workers.serviceAccount.create` will be 'true'.",
+                                    "type": [
+                                        "boolean",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "name": {
+                                    "description": "The name of the ServiceAccount to use. If not set and ``create`` is 'true', a name is generated using the release name with kubernetes dedicated name.",
+                                    "type": [
+                                        "string",
+                                        "null"
+                                    ],
+                                    "default": null
+                                },
+                                "annotations": {
+                                    "description": "Annotations to add to the worker Kubernetes ServiceAccount. If not specified, the ``workers.serviceAccount.annotations`` value will be taken.",
+                                    "type": "object",
+                                    "default": {},
+                                    "additionalProperties": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
                         "kerberosSidecar": {
                             "description": "Kerberos sidecar for pods created with pod-template-file.",
                             "type": "object",
 
@@ -771,18 +771,35 @@ workers:
       # minAvailable: 1
 
   # Create ServiceAccount for Airflow Celery workers and pods created with pod-template-file
+  # (deprecated, use `workers.celery.serviceAccount` and/or `workers.kubernetes.serviceAccount` instead)
   serviceAccount:
     # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+    # (deprecated, use
+    #   `workers.celery.serviceAccount.automountServiceAccountToken` and/or
+    #   `workers.kubernetes.serviceAccount.automountServiceAccountToken`
+    # instead)
     automountServiceAccountToken: true
 
     # Specifies whether a ServiceAccount should be created
+    # (deprecated, use
+    #   `workers.celery.serviceAccount.create` and/or
+    #   `workers.kubernetes.serviceAccount.create`
+    # instead)
     create: true
 
     # The name of the ServiceAccount to use.
     # If not set and `create` is 'true', a name is generated using the release name
+    # (deprecated, use
+    #   `workers.celery.serviceAccount.name` and/or
+    #   `workers.kubernetes.serviceAccount.name`
+    # instead)
     name: ~
 
     # Annotations to add to worker Kubernetes Service Account.
+    # (deprecated, use
+    #   `workers.celery.serviceAccount.annotations` and/or
+    #   `workers.kubernetes.serviceAccount.annotations`
+    # instead)
     annotations: {}
 
   # Allow KEDA autoscaling for Airflow Celery workers
@@ -1256,6 +1273,21 @@ workers:
         maxUnavailable: ~
         # minAvailable: ~
 
+    # Create ServiceAccount for Airflow Celery workers
+    serviceAccount:
+      # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+      automountServiceAccountToken: ~
+
+      # Specifies whether a ServiceAccount should be created
+      create: ~
+
+      # The name of the ServiceAccount to use.
+      # If not set and `create` is 'true', a name is generated using the release name
+      name: ~
+
+      # Annotations to add to worker Kubernetes Service Account.
+      annotations: {}
+
     # Allow KEDA autoscaling for Airflow Celery workers
     keda:
       enabled: ~
@@ -1413,6 +1445,29 @@ workers:
     # Container level Lifecycle Hooks definition for pods created with pod-template-file
     containerLifecycleHooks: {}
 
+    # Create ServiceAccount for pods created with pod-template-file
+    # When this section is specified, the Service Account is created from
+    # 'templates/workers/worker-kubernetes-serviceaccount.yaml' file
+    serviceAccount:
+      # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+      # If not specified, the `workers.serviceAccount.automountServiceAccountToken` value will be taken
+      automountServiceAccountToken: ~
+
+      # Specifies whether a ServiceAccount should be created.
+      # If not specified, the ServiceAccount will be generated and used from
+      # 'templates/workers/worker-serviceaccount.yaml' file if `workers.serviceAccount.create`
+      # will be 'true'
+      create: ~
+
+      # The name of the ServiceAccount to use.
+      # If not set and `create` is 'true', a name is generated using the release name
+      # with kubernetes dedicated name
+      name: ~
+
+      # Annotations to add to worker Kubernetes Service Account.
+      # If not specified, the `workers.serviceAccount.annotations` value will be taken
+      annotations: {}
+
     # Kerberos sidecar configuration for pods created with pod-template-file
     kerberosSidecar:
       # Enable kerberos sidecar