This is an automated email from the ASF dual-hosted git repository.
rom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 27a4c30c0e0 Update webserver secret note in Helm chart NOTES.txt and
prod guide (#55106)
27a4c30c0e0 is described below
commit 27a4c30c0e065a6688aad02f5be211e77102fb32
Author: Ariel Mordoch <[email protected]>
AuthorDate: Mon Oct 13 02:30:23 2025 -0400
Update webserver secret note in Helm chart NOTES.txt and prod guide (#55106)
* Update webserver secret note in Helm chart and prod guide
* Add note block to clarify API/webserver differences
---
chart/docs/production-guide.rst | 19 +++++++++++--------
chart/templates/NOTES.txt | 16 +++++++++++-----
2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
index ff19171d4aa..b83d4f535a0 100644
--- a/chart/docs/production-guide.rst
+++ b/chart/docs/production-guide.rst
@@ -182,12 +182,15 @@ Depending on the size of your Airflow instance, you may
want to adjust the follo
# The maximum number of server connections to the result backend database
from PgBouncer
resultBackendPoolSize: 5
-Webserver Secret Key
---------------------
+API Secret Key
+---------------
-You should set a static webserver secret key when deploying with this chart as
it will help ensure
+You should set a static API secret key when deploying with this chart as it
will help ensure
your Airflow components only restart when necessary.
+.. note::
+ This section also applies to the webserver for Airflow <3 -- simply replace
"API" with "webserver."
+
.. warning::
You should use a different secret key for every instance you run, as this
key is used to sign
session cookies and perform other security related functions!
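Review bot: The added note block tells Airflow <3 users to replace "API" with "webserver", but the values keys are camelCase identifiers, so a word substitution does not give the reader the key to set. Name the keys in the note, for example that Airflow <3 uses webserverSecretKey and webserverSecretKeySecretName where this section says apiSecretKey and apiSecretKeySecretName. The heading rename also changes the section anchor: the old NOTES.txt link ended in #webserver-secret-key, so consider keeping an explicit label for the old anchor so existing links still resolve.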
@@ -202,22 +205,22 @@ Now add the secret to your values file:
.. code-block:: yaml
- webserverSecretKey: <secret_key>
+ apiSecretKey: <secret_key>
-Alternatively, create a Kubernetes Secret and use
``webserverSecretKeySecretName``:
+Alternatively, create a Kubernetes Secret and use ``apiSecretKeySecretName``:
.. code-block:: yaml
- webserverSecretKeySecretName: my-webserver-secret
+ apiSecretKeySecretName: my-api-secret
# where the random key is under `webserver-secret-key` in the k8s Secret
Example to create a Kubernetes Secret from ``kubectl``:
.. code-block:: bash
- kubectl create secret generic my-webserver-secret
--from-literal="webserver-secret-key=$(python3 -c 'import secrets;
print(secrets.token_hex(16))')"
+ kubectl create secret generic my-api-secret
--from-literal="api-secret-key=$(python3 -c 'import secrets;
print(secrets.token_hex(16))')"
-The webserver key is also used to authorize requests to Celery workers when
logs are retrieved. The token
+The API secret is also used to authorize requests to Celery workers when logs
are retrieved. The token
generated using the secret key has a short expiry time though - make sure that
time on ALL the machines
that you run Airflow components on is synchronized (for example using ntpd)
otherwise you might get
"forbidden" errors when the logs are accessed.
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 5e86b24980c..e6da264c3d0 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -177,7 +177,7 @@ DEPRECATION WARNING:
{{- end }}
-{{- if not (or .Values.webserverSecretKey
.Values.webserverSecretKeySecretName) }}
+{{- if not (or .Values.webserverSecretKey .Values.webserverSecretKeySecretName
.Values.apiSecretKey .Values.apiSecretKeySecretName) }}
{{- if .Values.securityContext }}
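Review bot: The new condition ORs all four values without looking at airflowVersion, so the warning is also suppressed when only the key for the other server kind is set, for example webserverSecretKey on a >=3.0.0 deployment. If the chart does not fall back to the webserver values on 3.x, that deployment still runs with a dynamically generated key and gets no warning. Consider gating the check with the same semverCompare ">=3.0.0" .Values.airflowVersion test used further down, or add a template comment stating that the fallback is intentional.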
@@ -187,15 +187,21 @@ DEPRECATION WARNING:
{{- end }}
+{{ if (semverCompare ">=3.0.0" .Values.airflowVersion) }}
+#####################################################
+# WARNING: You should set a static API secret key #
+#####################################################
+{{ else }}
###########################################################
# WARNING: You should set a static webserver secret key #
###########################################################
-
-You are using a dynamically generated webserver secret key, which can lead to
+{{ end }}
+{{- $serverKind := ternary "API" "webserver" (semverCompare ">=3.0.0"
.Values.airflowVersion) }}
+You are using a dynamically generated {{ $serverKind }} secret key, which can
lead to
unnecessary restarts of your Airflow components.
-Information on how to set a static webserver secret key can be found here:
-https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#webserver-secret-key
+Information on how to set a static {{ $serverKind }} secret key can be found
here:
+https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#api-secret-key
{{- end }}
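Review bot: semverCompare ">=3.0.0" .Values.airflowVersion is evaluated twice, once for the banner and again for $serverKind, and the two can drift if one is edited later. Define $serverKind (or a boolean) once above the banner and branch on it in both places. The added {{ if ... }}, {{ else }} and {{ end }} lines also lack the leading "-" trim used by the surrounding {{- ... }} actions, so each leaves an empty line in the rendered notes; check the rendered output for both version branches.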