RBAC: Update serviceaccount and k8s rbac for Airflow

This patch set brings the airflow/shipyard chart to be
inline with OSH* RBAC approach used in [0] and [1]

[0] https://review.openstack.org/#/c/526464/52
[1] https://review.openstack.org/#/c/529378/

Change-Id: Id2ff9f59028474601933196e1722b46c95f3a8ac

charts/shipyard/templates/deployment-airflow-flower.yaml

@@ -15,6 +15,8 @@
 {{- if .Values.manifests.deployment_airflow_flower }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
+{{- $serviceAccountName := "airflow-flower" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_flower := .Values.pod.mounts.airflow_flower.airflow_flower }}
 {{- $mounts_airflow_flower_init := .Values.pod.mounts.airflow_flower.init_container }}
 ---
@@ -33,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       restartPolicy: Always

charts/shipyard/templates/deployment-airflow-scheduler.yaml

@@ -15,6 +15,8 @@
 {{- if .Values.manifests.deployment_airflow_scheduler }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
+{{- $serviceAccountName := "airflow-scheduler" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_scheduler := .Values.pod.mounts.airflow_scheduler.airflow_scheduler }}
 {{- $mounts_airflow_scheduler_init := .Values.pod.mounts.airflow_scheduler.init_container }}
 ---
@@ -33,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       restartPolicy: Always

charts/shipyard/templates/deployment-airflow-web.yaml

@@ -15,6 +15,8 @@
 {{- if .Values.manifests.deployment_airflow_web }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
+{{- $serviceAccountName := "airflow-web" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_web := .Values.pod.mounts.airflow_web.airflow_web }}
 {{- $mounts_airflow_web_init := .Values.pod.mounts.airflow_web.init_container }}
 ---
@@ -33,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       restartPolicy: Always

charts/shipyard/templates/deployment-airflow-worker.yaml

@@ -15,6 +15,8 @@
 {{- if .Values.manifests.deployment_airflow_worker }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
+{{- $serviceAccountName := "airflow-worker" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_worker := .Values.pod.mounts.airflow_worker.airflow_worker }}
 {{- $mounts_airflow_worker_init := .Values.pod.mounts.airflow_worker.init_container }}
 ---
@@ -33,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       restartPolicy: Always

charts/shipyard/templates/job-airflow-db-init.yaml

@@ -17,6 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_airflow_db_init }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_db_init }}
+{{- $serviceAccountName := "airflow-db-init" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,6 +30,7 @@ spec:
       labels:
 {{ tuple $envAll "airflow" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}

charts/shipyard/templates/job-airflow-db-sync.yaml

@@ -17,6 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_airflow_db_sync }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_db_sync }}
+{{- $serviceAccountName := "airflow-db-sync" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,6 +30,7 @@ spec:
       labels:
 {{ tuple $envAll "airflow" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+      serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}