vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 07080366916 Fix Keycloak provider redirect_uri to use HTTPS behind
reverse proxy (#61095)
07080366916 is described below
commit 07080366916ab7f53d42123400d619b31cfff13e
Author: Arjav Patel <[email protected]>
AuthorDate: Tue Jan 27 21:17:03 2026 +0530
Fix Keycloak provider redirect_uri to use HTTPS behind reverse proxy
(#61095)
* docs: Enhance Airflow API server configuration in values.yaml
* docs: Update Airflow API server args description to include reverse proxy
support and provide usage example
* docs: Update API server env vars description to include reverse proxy
configuration and provide example usage
* docs: Add Helm chart configuration details for running Airflow behind a
reverse proxy
---
airflow-core/docs/howto/run-behind-proxy.rst | 44 ++++++++++++++++++++++++++++
chart/values.schema.json | 19 ++++++++++--
chart/values.yaml | 7 +++++
3 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/airflow-core/docs/howto/run-behind-proxy.rst
b/airflow-core/docs/howto/run-behind-proxy.rst
index 483f3e79690..64675e33e29 100644
--- a/airflow-core/docs/howto/run-behind-proxy.rst
+++ b/airflow-core/docs/howto/run-behind-proxy.rst
@@ -66,6 +66,50 @@ To do so, you need to set the following setting in your
``airflow.cfg``::
- Please make sure your proxy does not enforce http-only status on the
Set-Cookie headers.
Airflow frontend needs to access the cookies through javascript, and a
http-only flag would disturb this functionality.
+Helm Chart Configuration
+------------------------
+
+When deploying Airflow using the Helm chart behind a reverse proxy (e.g.,
nginx ingress), you need to configure the API server to respect proxy headers.
+
+Configure the API server arguments to include the ``--proxy-headers`` flag::
+
+ apiServer:
+ args: ["bash", "-c", "exec airflow api-server --proxy-headers"]
+
+If your proxy server is not on the same host as Airflow, set the
``FORWARDED_ALLOW_IPS`` environment variable::
+
+ apiServer:
+ args: ["bash", "-c", "exec airflow api-server --proxy-headers"]
+ env:
+ - name: FORWARDED_ALLOW_IPS
+ value: "*" # Use "*" for trusted environments, or specify proxy IP
ranges for production
+
+Additionally, configure your ingress annotations to pass the necessary
headers. For nginx ingress, add these annotations::
+
+ ingress:
+ apiServer:
+ enabled: true
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+ nginx.ingress.kubernetes.io/proxy-redirect-off: "true"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ hosts:
+ - name: airflow.example.com
+ tls:
+ enabled: true
+ secretName: airflow-tls
+
+Make sure to also set the ``base_url`` in your Airflow configuration::
+
+ config:
+ api:
+ base_url: https://airflow.example.com
+
.. spelling::
Uvicorn
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 5035bfa7d1e..7cc0c0976b1 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -5821,7 +5821,7 @@
"default": null
},
"args": {
- "description": "Args to use when running the Airflow API
server (templated).",
+ "description": "Args to use when running the Airflow API
server (templated). When running behind a reverse proxy, add `--proxy-headers`
to enable Uvicorn to respect X-Forwarded-Proto, X-Forwarded-For, and
X-Forwarded-Port headers.",
"type": [
"array",
"null"
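Review bot: The new `args` description says that adding `--proxy-headers` makes Uvicorn respect the X-Forwarded-* headers, but it leaves out that Uvicorn honours them only from peers on its trusted list, which as far as I know defaults to loopback. In a Helm deployment the ingress controller runs in a different pod, so a reader following this description alone will probably see no change and then reach for the wildcard. I would append `Headers are honoured only from addresses listed in FORWARDED_ALLOW_IPS; see apiServer.env.` to the description. The `args` property continues in the next hunk.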
@@ -5833,6 +5833,13 @@
"bash",
"-c",
"exec airflow api-server"
+ ],
+ "examples": [
+ [
+ "bash",
+ "-c",
+ "exec airflow api-server --proxy-headers"
+ ]
]
},
"strategy": {
@@ -6351,9 +6358,17 @@
}
},
"env": {
- "description": "Add additional env vars to API server.",
+ "description": "Add additional env vars to API server.
When running behind a reverse proxy, set `FORWARDED_ALLOW_IPS` to specify which
IPs are trusted to send X-Forwarded-* headers. Use `\"*\"` for trusted
environments, or specify proxy IP ranges for production.",
"type": "array",
"default": [],
+ "examples": [
+ [
+ {
+ "name": "FORWARDED_ALLOW_IPS",
+ "value": "*"
+ }
+ ]
+ ],
"items": {
"type": "object",
"properties": {
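Review bot: The only concrete value shown for `FORWARDED_ALLOW_IPS` is `"*"`, in the `env` description and its `examples` entry here, again in the commented example in chart/values.yaml, and in the new section of run-behind-proxy.rst, so the copy-paste path is wildcard trust. With `*`, Uvicorn accepts X-Forwarded-Proto and X-Forwarded-For from any peer that can connect to the API server pod, so a client that reaches the pod without passing through the ingress decides which scheme and client address the application sees and logs. I would make the example a proxy address range, e.g. `"value": "<ingress-controller-pod-CIDR>"` (placeholder), and word the description as `Use "*" only when a NetworkPolicy or equivalent guarantees that nothing but the proxy can connect to the API server.` The phrase "trusted environments" gives the reader no test to apply.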
diff --git a/chart/values.yaml b/chart/values.yaml
index 97fa9901f65..3170fa35a16 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1617,8 +1617,15 @@ apiServer:
# Command to use when running the Airflow API server (templated).
command: ~
# Args to use when running the Airflow API server (templated).
+ # Example: To enable proxy headers support when running behind a reverse
proxy:
+ # args: ["bash", "-c", "exec airflow api-server --proxy-headers"]
args: ["bash", "-c", "exec airflow api-server"]
allowPodLogReading: true
+ # Environment variables for the Airflow API server.
+ # Example: To configure FORWARDED_ALLOW_IPS when running behind a reverse
proxy:
+ # env:
+ # - name: FORWARDED_ALLOW_IPS
+ # value: "*" # Use "*" for trusted environments, or specify proxy IP
ranges for production
env: []
# Allow Horizontal Pod Autoscaler (HPA) configuration for apiServer.
(optional)