uplsh580 opened a new pull request, #60783:
URL: https://github.com/apache/airflow/pull/60783

   ## Related PR
   - Related Issue: https://github.com/apache/airflow/issues/60668
   - This addresses concerns raised in PR #60750 by providing a non-breaking 
alternative.
   
   ## Summary
   
   This PR adds the `skipKubernetesEnvVars` option to all Airflow components 
(workers, scheduler, apiServer, webserver, triggerer, dagProcessor, flower, 
cleanup, databaseCleanup, createUserJob) as an alternative solution to address 
the breaking change introduced in PR #60750.
   
   ## Problem
   
   When using KubernetesExecutor, Airflow automatically creates 
`AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__` prefixed environment variables 
for each env var defined in component-specific `env` arrays (e.g., 
`workers.env`, `scheduler.env`, `apiServer.env`). These automatically generated 
environment variables are exposed in the Airflow web UI config page, which 
poses a security risk when env vars contain sensitive information such as API 
keys, passwords, or tokens (as in the image below).
   <img width="783" height="58" alt="image" src="https://github.com/user-attachments/assets/b10781f8-4d9b-4ba6-9910-49289afbe90c" />
   
   ## Solution
   
   This PR introduces a `skipKubernetesEnvVars` boolean option (default: 
`false`) for each component that allows users to prevent the automatic creation 
of these prefixed env vars. When set to `true`, sensitive values will not be 
exposed in the UI while maintaining backward compatibility.
   
   For users who still need `AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__` 
prefixed env vars for KubernetesExecutor task pods, they can use:
   - The top-level `env` configuration, or
   - The `config.kubernetes_environment_variables` section
   
   instead of component-specific env arrays.
   
   ## Changes
   
   - Added `skipKubernetesEnvVars` option and comprehensive documentation to 
`values.yaml` for all components
   - Added `skipKubernetesEnvVars` schema definitions to `values.schema.json` 
for all components
   
   ## Backward Compatibility
   
   The default value is `false`, ensuring backward compatibility with existing 
deployments. Users must explicitly set `skipKubernetesEnvVars: true` to enable 
this security feature.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes (please specify the tool below)
   - Cursor 
   
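An added example, not part of the pull request or the Airflow chart: a small audit that walks a rendered pod spec and reports `AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`-prefixed entries whose original name looks sensitive, which is the exposure the Problem section describes. The function name `audit_pod_spec`, the `SENSITIVE` name pattern and the sample pod spec are assumptions made for illustration.

```python
import re

PREFIX = "AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__"
# Assumption: a name-based heuristic for "sensitive"; tune it for your environment.
SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL)", re.I)


def audit_pod_spec(pod_spec):
    """Return (container, original_name, source) for each prefixed env var
    whose un-prefixed name looks sensitive."""
    findings = []
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            for entry in container.get("env") or []:
                name = entry.get("name", "")
                if not name.startswith(PREFIX):
                    continue  # only the mirrored copies are of interest here
                original = name[len(PREFIX):]
                if not SENSITIVE.search(original):
                    continue
                # Record whether the value is inline or referenced (e.g. secretKeyRef).
                source = "literal" if "value" in entry else "valueFrom"
                findings.append((container.get("name", "?"), original, source))
    return findings


# Constructed sample: a pod spec in standard Kubernetes shape, not taken from the PR.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "scheduler",
            "env": [
                {"name": "VENDOR_API_KEY", "value": "constructed-not-a-real-key"},
                {"name": PREFIX + "VENDOR_API_KEY", "value": "constructed-not-a-real-key"},
                {"name": PREFIX + "LOG_LEVEL", "value": "INFO"},
                {"name": PREFIX + "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
            ],
        }
    ]
}

if __name__ == "__main__":
    for container, original, source in audit_pod_spec(SAMPLE_POD_SPEC):
        print(f"{container}: {PREFIX}{original} ({source}) mirrors a sensitive-looking variable")
```

Feed it the `spec.template.spec` of each rendered workload; an empty result for a component is what you would expect once its mirrored variables are no longer generated.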