arkadiuszbach opened a new pull request, #57415: URL: https://github.com/apache/airflow/pull/57415
**What:** Use a pre-install Helm hook to generate the jwt-secret only once during installation, instead of regenerating it on each upgrade.

**Why:** Currently, the jwt-secret is regenerated on every Helm upgrade. This can lead to inconsistent JWT secrets across Airflow components and result in authentication or communication failures.

Related discussion: https://github.com/apache/airflow/discussions/54178

Problem Scenarios

1. Multiple Airflow API Server Replicas
   - Example: Modify Helm values (e.g., change StatsD resource allocation) — this triggers an upgrade but does not redeploy the API server pods.
   - If one API server pod is manually restarted, it receives a new jwt-secret, while others still use the previous one.
   - Result: UI becomes inaccessible due to an infinite redirect loop with InvalidSignatureError: Signature verification failed.
2. Scheduler and Worker Using Different JWT Secrets
   - Similar scenario — Helm upgrade without redeployment of Scheduler/Worker pods.
   - Restarting either component causes a mismatch in JWT secrets. Result: Tasks fail with InvalidSignatureError: Signature verification failed.
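The mismatch described in the pull request above, reproduced as an added example (not code from the pull request or the Airflow chart): three API server replicas, one of which restarted after an upgrade regenerated the secret, plus a fingerprint check that surfaces the drift without logging the secret. HS256, the pod names and the secret values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT with the given shared secret."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def verify(token: str, secret: bytes) -> bool:
    """Recompute the HMAC with this pod's secret; constant-time compare."""
    signing_input, _, sig = token.rpartition(".")
    expected = _b64(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    return hmac.compare_digest(sig, expected)

def fingerprint(secret: bytes) -> str:
    """Short SHA-256 fingerprint, safe to log instead of the secret itself."""
    return hashlib.sha256(secret).hexdigest()[:12]

def drifted(pod_secrets: dict) -> dict:
    """Group pods by secret fingerprint; more than one group means drift."""
    groups = {}
    for pod, secret in pod_secrets.items():
        groups.setdefault(fingerprint(secret), []).append(pod)
    return groups

# Constructed scenario: an upgrade regenerated the secret object, but only
# api-server-1 was restarted and picked up the new value.
OLD, NEW = b"secret-from-install", b"secret-from-upgrade"
PODS = {"api-server-0": OLD, "api-server-1": NEW, "api-server-2": OLD}

def acceptance_matrix(pods: dict) -> dict:
    """For each issuer/verifier pair, does the verifier accept the token?"""
    return {
        (issuer, verifier): verify(sign({"sub": "admin"}, s_iss), s_ver)
        for issuer, s_iss in pods.items()
        for verifier, s_ver in pods.items()
    }

if __name__ == "__main__":
    for (issuer, verifier), ok in acceptance_matrix(PODS).items():
        print(f"{issuer} -> {verifier}: {'ok' if ok else 'signature verification failed'}")
    print("fingerprint groups:", drifted(PODS))
```

Any request that is load-balanced from a pod holding one secret to a pod holding the other fails verification, which is why the failure appears intermittent until every replica has restarted.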
