uplsh580 opened a new pull request, #60750:
URL: https://github.com/apache/airflow/pull/60750

   ## Description
   Remove the automatic addition of the 
`AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__` prefix from the 
`container_extra_envs` helper functions.
   
   ## Related Issue
   - **Issue**: 
[https://github.com/apache/airflow/issues/60668#issuecomment-3765323980](https://github.com/apache/airflow/issues/60668#issuecomment-3765323980)
   
   ## Changes
   - Modified `container_extra_envs` helper functions to stop automatically 
prepending the `AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__` prefix.
   
   ## Motivation
   
   * **Prevent Unintended Exposure of Sensitive Data**
       * Sensitive information (e.g., `client_id`, `client_secret`) that should 
be securely handled via `secretKeyRef` for a specific component is being 
automatically prefixed with `AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`.
       * This prefixing causes these variables to be recognized as part of 
Airflow's internal configuration, leading to their unintended exposure in the 
Airflow Web UI (under Admin -> Configuration).
       * This occurs even when `AIRFLOW__API__EXPOSE_CONFIG` is set to 
`non-sensitive-only`, creating a security vulnerability. For more details, see 
the [issue 
description](https://github.com/apache/airflow/issues/60668#issuecomment-3765323980).
   
   * **Avoid Unintended Environment Propagation to Workers**
       * These configurations (`.values.{SOME_COMPONENTS}.env`) **appear to be 
intended** strictly for specific components (e.g., `apiServer`, `Scheduler`).
       * However, the current behavior causes these variables to be 
inadvertently passed to worker pods, which may result in unintended 
configuration conflicts and unexpected side effects in the worker environment.
   
   ## Migration
   
   If you need to pass environment variables specifically to Kubernetes 
Executor worker pods, 
   
   - **please use the `.values.env` field:**
   
   ### Example Configuration
   ```yaml
   env:
     - name: my_var
       value: "my_value"
   ```
   or 
   
   - **use `.values.config.kubernetes_environment_variables`**
   
   ```yaml
   config:
       kubernetes_environment_variables:
           my_var: "my_value"
   ```
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   
   - [X] Yes (please specify the tool below)
   - Cursor
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
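
A check for the condition described under Motivation, as an added example (not code from the PR or from the Airflow chart): it scans a pod spec for env entries whose names carry the prefix and lists the ones backed by `secretKeyRef` first. The pod spec, container name and secret names are constructed sample data, and `audit_pod_env` is a hypothetical helper name.

```python
import json

# Prefix named in the PR description.
PREFIX = "AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__"

# Constructed sample: one container's env as it could appear in a rendered pod spec.
SAMPLE_POD_SPEC = json.loads("""
{"containers": [{"name": "api-server", "env": [
  {"name": "AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__client_secret",
   "valueFrom": {"secretKeyRef": {"name": "oauth-credentials", "key": "client_secret"}}},
  {"name": "AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__LOG_LEVEL", "value": "INFO"},
  {"name": "client_id",
   "valueFrom": {"secretKeyRef": {"name": "oauth-credentials", "key": "client_id"}}}
]}]}
""")


def audit_pod_env(pod_spec):
    """List env entries whose name carries PREFIX, secret-backed ones first."""
    findings = []
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for container in containers:
        for env in container.get("env") or []:
            name = env.get("name", "")
            if not name.startswith(PREFIX):
                continue  # no prefix, so out of scope for this check
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            findings.append({
                "container": container.get("name"),
                "env_name": name,
                "stripped_name": name[len(PREFIX):],
                "secret_backed": ref is not None,
                "secret": f"{ref.get('name')}/{ref.get('key')}" if ref else None,
            })
    # Secret-backed findings are the case the PR flags as exposed, so list them first.
    return sorted(findings, key=lambda f: not f["secret_backed"])


if __name__ == "__main__":
    for f in audit_pod_env(SAMPLE_POD_SPEC):
        level = "SECRET" if f["secret_backed"] else "plain"
        print(f"[{level}] {f['container']}: {f['env_name']} (source: {f['secret']})")
```

The input is a pod spec as a dict, so rendered chart output needs to be converted to JSON or parsed with a YAML library before it is passed in.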
