uplsh580 commented on issue #60668: URL: https://github.com/apache/airflow/issues/60668#issuecomment-3765378987
> I believe the logic that automatically converts and adds environment variables from individual components—such as apiServer, dagProcessor, and scheduler—into AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__ should be removed.
>
> As demonstrated in this issue, this automatic behavior leads to several critical downsides:
>
> Security Risks: It can unintentionally expose sensitive information (e.g., credentials, internal tokens) to worker pods that don't actually require them. As seen in this case, it could be unintentionally exposed on the web.
> Unintended Side Effects: It forces environment variables into worker pods that aren't necessary, leading to an unnecessarily cluttered environment and potential configuration conflicts.
> Furthermore, the custom_airflow_environment helper function already handles the automatic addition of the prefix based on values.env and values.secret. This existing functionality seems sufficient and provides a much more consistent way to manage global configurations.
>
> I propose refactoring this logic to stop the automatic addition for component-level env settings.
>
> Since this could lead to a broader discussion regarding backward compatibility and chart design, I will also bring this up on the Airflow Slack to gather more community feedback.

I’ve put together a PR to address this issue. I’d love to hear your opinions on the approach.
- https://github.com/apache/airflow/pull/60750

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
