Skip to content

[helm] Isolate defaultUser handling in createUserJob #59767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
romsharon98 merged 7 commits into from
Dec 24, 2025
Merged

[helm] Isolate defaultUser handling in createUserJob #59767

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
407c1e7
[helm] Move defaultUser to createUserJob
nhuantho Dec 22, 2025
0af797b
[test] Fix ruff format
nhuantho Dec 22, 2025
33ebeed
[test] Fix static check value of chart
nhuantho Dec 22, 2025
2b8884f
remove redundant file
nhuantho Dec 22, 2025
fabdd79
Merge branch 'main' into helm/move-defaultUser-to-createUserJob
nhuantho Dec 23, 2025
41dedb9
Merge branch 'main' into helm/move-defaultUser-to-createUserJob
nhuantho Dec 24, 2025
0fbde54
Merge branch 'main' into helm/move-defaultUser-to-createUserJob
nhuantho Dec 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions chart/templates/NOTES.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,10 +114,10 @@ Flower Dashboard: kubectl port-forward svc/{{ include "airflow.fullname" .
{{- end }}


{{- if .Values.webserver.defaultUser.enabled}}
Default Webserver (Airflow UI) Login credentials:
username: {{ .Values.webserver.defaultUser.username }}
password: {{ .Values.webserver.defaultUser.password }}
{{- if .Values.createUserJob.enabled}}
Default user (Airflow UI) Login credentials:
username: {{ .Values.createUserJob.defaultUser.username }}
password: {{ .Values.createUserJob.defaultUser.password }}
{{- end }}

{{- if .Values.postgresql.enabled }}
Expand Down
2 changes: 1 addition & 1 deletion chart/templates/jobs/create-user-job-serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
###########################################
## Airflow Create User Job ServiceAccount
###########################################
{{- if and .Values.createUserJob.serviceAccount.create .Values.webserver.defaultUser.enabled }}
{{- if .Values.createUserJob.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.createUserJob.serviceAccount.automountServiceAccountToken }}
Expand Down
2 changes: 1 addition & 1 deletion chart/templates/jobs/create-user-job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
################################
## Airflow Create User Job
#################################
{{- if and .Values.webserver.defaultUser.enabled .Values.createUserJob.enabled }}
{{- if .Values.createUserJob.enabled }}
{{- $nodeSelector := or .Values.createUserJob.nodeSelector .Values.nodeSelector }}
{{- $affinity := or .Values.createUserJob.affinity .Values.affinity }}
{{- $tolerations := or .Values.createUserJob.tolerations .Values.tolerations }}
Expand Down
2 changes: 1 addition & 1 deletion chart/templates/rbac/security-context-constraint-rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ subjects:
- kind: ServiceAccount
name: {{ include "migrateDatabaseJob.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
{{- if .Values.webserver.defaultUser.enabled }}
{{- if .Values.createUserJob.enabled }}
- kind: ServiceAccount
name: {{ include "createUserJob.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
Expand Down
98 changes: 49 additions & 49 deletions chart/values.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4394,6 +4394,49 @@
"type": "boolean",
"default": true
},
"defaultUser": {
"description": "Optional default Airflow user information",
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"description": "Enable default user creation.",
"type": "boolean",
"x-docsSection": "Common",
"default": true
},
"role": {
"description": "Default user role.",
"type": "string",
"default": "Admin"
},
"username": {
"description": "Default user username.",
"type": "string",
"default": "admin"
},
"email": {
"description": "Default user email address.",
"type": "string",
"default": "admin@example.com"
},
"firstName": {
"description": "Default user firstname.",
"type": "string",
"default": "admin"
},
"lastName": {
"description": "Default user lastname.",
"type": "string",
"default": "user"
},
"password": {
"description": "Default user password.",
"type": "string",
"default": "admin"
}
}
},
"command": {
"description": "Command to use when running create user job (templated).",
"type": [
Expand All @@ -4420,17 +4463,17 @@
"exec \\\nairflow {{ semverCompare \">=2.0.0\" .Values.airflowVersion | ternary \"users create\" \"create_user\" }} \"$@\"",
"--",
"-r",
"{{ .Values.webserver.defaultUser.role }}",
"{{ .Values.createUserJob.defaultUser.role }}",
"-u",
"{{ .Values.webserver.defaultUser.username }}",
"{{ .Values.createUserJob.defaultUser.username }}",
"-e",
"{{ .Values.webserver.defaultUser.email }}",
"{{ .Values.createUserJob.defaultUser.email }}",
"-f",
"{{ .Values.webserver.defaultUser.firstName }}",
"{{ .Values.createUserJob.defaultUser.firstName }}",
"-l",
"{{ .Values.webserver.defaultUser.lastName }}",
"{{ .Values.createUserJob.defaultUser.lastName }}",
"-p",
"{{ .Values.webserver.defaultUser.password }}"
"{{ .Values.createUserJob.defaultUser.password }}"
]
},
"annotations": {
Expand Down Expand Up @@ -6300,49 +6343,6 @@
],
"$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements"
},
"defaultUser": {
"description": "Optional default Airflow user information",
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"description": "Enable default user creation.",
"type": "boolean",
"x-docsSection": "Common",
"default": true
},
"role": {
"description": "Default user role.",
"type": "string",
"default": "Admin"
},
"username": {
"description": "Default user username.",
"type": "string",
"default": "admin"
},
"email": {
"description": "Default user email address.",
"type": "string",
"default": "admin@example.com"
},
"firstName": {
"description": "Default user firstname.",
"type": "string",
"default": "admin"
},
"lastName": {
"description": "Default user lastname.",
"type": "string",
"default": "user"
},
"password": {
"description": "Default user password.",
"type": "string",
"default": "admin"
}
}
},
"extraContainers": {
"description": "Launch additional containers into webserver (templated).",
"type": "array",
Expand Down
32 changes: 16 additions & 16 deletions chart/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1239,6 +1239,16 @@ scheduler:
createUserJob:
# Whether the create user job should be created
enabled: true

# Create initial user.
defaultUser:
role: Admin
username: admin
email: admin@example.com
firstName: admin
lastName: user
password: admin

# Limit the lifetime of the job object after it finished execution.
ttlSecondsAfterFinished: 300
# Command to use when running the create user job (templated).
Expand All @@ -1253,17 +1263,17 @@ createUserJob:
airflow {{ semverCompare ">=2.0.0" .Values.airflowVersion | ternary "users create" "create_user" }} "$@"
- --
- "-r"
- "{{ .Values.webserver.defaultUser.role }}"
- "{{ .Values.createUserJob.defaultUser.role }}"
- "-u"
- "{{ .Values.webserver.defaultUser.username }}"
- "{{ .Values.createUserJob.defaultUser.username }}"
- "-e"
- "{{ .Values.webserver.defaultUser.email }}"
- "{{ .Values.createUserJob.defaultUser.email }}"
- "-f"
- "{{ .Values.webserver.defaultUser.firstName }}"
- "{{ .Values.createUserJob.defaultUser.firstName }}"
- "-l"
- "{{ .Values.webserver.defaultUser.lastName }}"
- "{{ .Values.createUserJob.defaultUser.lastName }}"
- "-p"
- "{{ .Values.webserver.defaultUser.password }}"
- "{{ .Values.createUserJob.defaultUser.password }}"

# Annotations on the create user job pod
annotations: {}
Expand Down Expand Up @@ -1761,16 +1771,6 @@ webserver:
# cpu: 100m
# memory: 128Mi

# Create initial user.
defaultUser:
enabled: true
role: Admin
username: admin
email: admin@example.com
firstName: admin
lastName: user
password: admin

# Launch additional containers into webserver (templated).
extraContainers: []
# Add additional init containers into webserver (templated).
Expand Down
13 changes: 0 additions & 13 deletions helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,19 +300,6 @@ def test_basic_deployment_with_standalone_dag_processor(self, version):
f"Missing label test-label on {k8s_name}. Current labels: {labels}"
)

@pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "3.0.0", "default"])
def test_basic_deployment_without_default_users(self, version):
k8s_objects = render_chart(
"test-basic",
values=self._get_values_with_version(
values={"webserver": {"defaultUser": {"enabled": False}}}, version=version
),
)
list_of_kind_names_tuples = [
(k8s_object["kind"], k8s_object["metadata"]["name"]) for k8s_object in k8s_objects
]
assert ("Job", "test-basic-create-user") not in list_of_kind_names_tuples

@pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "3.0.0"])
def test_basic_deployment_without_statsd(self, version):
k8s_objects = render_chart(
Expand Down
1 change: 0 additions & 1 deletion helm-tests/tests/helm_tests/airflow_aux/test_container_lifecycle.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ def test_check_default_setting(self):
docs = render_chart(
name=RELEASE_NAME,
values={
"webserver": {"defaultUser": {"enabled": True}},
"flower": {"enabled": True},
"statsd": {"enabled": True},
"pgbouncer": {"enabled": True},
Expand Down
39 changes: 3 additions & 36 deletions helm-tests/tests/helm_tests/airflow_aux/test_create_user_job.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -402,7 +402,7 @@ def test_command_and_args_overrides_are_templated(self):
def test_default_user_overrides(self):
docs = render_chart(
values={
"webserver": {
"createUserJob": {
"defaultUser": {
"role": "SomeRole",
"username": "jdoe",
Expand Down Expand Up @@ -477,43 +477,10 @@ def test_should_not_create_job_when_createuserjob_disabled(self):
)
assert len(docs) == 0

def test_should_not_create_job_when_webserver_defaultuser_disabled(self):
"""Test that job is not created when webserver.defaultUser.enabled is false."""
docs = render_chart(
values={"webserver": {"defaultUser": {"enabled": False}}},
show_only=["templates/jobs/create-user-job.yaml"],
)
assert len(docs) == 0

def test_should_not_create_job_when_both_disabled(self):
"""Test that job is not created when both flags are disabled."""
docs = render_chart(
values={
"createUserJob": {"enabled": False},
"webserver": {"defaultUser": {"enabled": False}},
},
show_only=["templates/jobs/create-user-job.yaml"],
)
assert len(docs) == 0

def test_should_not_create_job_when_createuserjob_disabled_but_defaultuser_enabled(self):
"""Test that job is not created when createUserJob.enabled is false even if defaultUser.enabled is true."""
docs = render_chart(
values={
"createUserJob": {"enabled": False},
"webserver": {"defaultUser": {"enabled": True}},
},
show_only=["templates/jobs/create-user-job.yaml"],
)
assert len(docs) == 0

def test_should_create_job_when_both_enabled(self):
def test_should_create_job_when_createuserjob_enabled(self):
"""Test that job is created when both createUserJob.enabled and defaultUser.enabled are true."""
docs = render_chart(
values={
"createUserJob": {"enabled": True},
"webserver": {"defaultUser": {"enabled": True}},
},
values={"createUserJob": {"enabled": True}},
show_only=["templates/jobs/create-user-job.yaml"],
)
assert len(docs) == 1
Expand Down
2 changes: 1 addition & 1 deletion helm-tests/tests/helm_tests/security/test_rbac.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,7 +496,6 @@ def test_service_account_without_resource(self):
"redis": {"enabled": False},
"flower": {"enabled": False},
"statsd": {"enabled": False},
"webserver": {"defaultUser": {"enabled": False}},
},
)
list_of_sa_names = [
Expand All @@ -510,5 +509,6 @@ def test_service_account_without_resource(self):
"test-rbac-api-server",
"test-rbac-triggerer",
"test-rbac-migrate-database-job",
"test-rbac-create-user-job",
]
assert sorted(list_of_sa_names) == sorted(service_account_names)
5 changes: 2 additions & 3 deletions helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ def test_create_scc(self, rbac_enabled, scc_enabled, created):
docs = render_chart(
values={
"multiNamespaceMode": False,
"webserver": {"defaultUser": {"enabled": True}},
"cleanup": {"enabled": True},
"databaseCleanup": {"enabled": True},
"flower": {"enabled": True},
Expand Down Expand Up @@ -79,7 +78,7 @@ def test_create_scc_multinamespace(self, rbac_enabled, scc_enabled, created, nam
namespace=namespace,
values={
"multiNamespaceMode": True,
"webserver": {"defaultUser": {"enabled": False}},
"createUserJob": {"enabled": False},
"cleanup": {"enabled": False},
"databaseCleanup": {"enabled": False},
"flower": {"enabled": False},
Expand All @@ -105,7 +104,7 @@ def test_create_scc_worker_only(self, rbac_enabled, scc_enabled, created):
docs = render_chart(
values={
"multiNamespaceMode": False,
"webserver": {"defaultUser": {"enabled": False}},
"createUserJob": {"enabled": False},
"cleanup": {"enabled": False},
"databaseCleanup": {"enabled": False},
"flower": {"enabled": False},
Expand Down
4 changes: 1 addition & 3 deletions helm-tests/tests/helm_tests/security/test_security_context.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ def test_check_deployments_and_jobs(self, executor):
values={
"uid": 3000,
"gid": 30,
"webserver": {"defaultUser": {"enabled": True}},
"flower": {"enabled": True},
"airflowVersion": "2.2.0",
"executor": executor,
Expand Down Expand Up @@ -135,7 +134,6 @@ def test_check_default_setting(self):
docs = render_chart(
values={
"securityContext": {"runAsUser": 6000, "fsGroup": 60},
"webserver": {"defaultUser": {"enabled": True}},
"flower": {"enabled": True},
"statsd": {"enabled": False},
"airflowVersion": "2.2.0",
Expand Down Expand Up @@ -165,7 +163,7 @@ def test_check_local_setting(self):
"uid": 3000,
"gid": 30,
"securityContext": {"runAsUser": 6000, "fsGroup": 60},
"webserver": {"defaultUser": {"enabled": True}, **component_contexts},
"webserver": {**component_contexts},
"workers": {**component_contexts},
"flower": {"enabled": True, **component_contexts},
"scheduler": {**component_contexts},
Expand Down