zhaorui2022 opened a new issue, #61876: URL: https://github.com/apache/airflow/issues/61876
### Apache Airflow version 3.1.7 ### If "Other Airflow 3 version" selected, which one? It is related to airflow task sdk, and all 3.x versions are affected ### What happened? With a more secured Airflow setup, for example, putting Airflow API server behind reverse proxy like Envoy and requires client certificate verifications, the current implementation of Airflow task sdk will cause workers not able be to communicate with the API server because the reverse proxy like Envoy will reject the request due to lack of client certificate. The client passes [verify](https://github.com/apache/airflow/blob/main/task-sdk/src/airflow/sdk/api/client.py#L914) for TLS truststore cert but never passes cert and send the client certifications. As a result, in the request, it is missing client information. ### What you think should happen instead? This should be reading a client side configuration and allow pass the client certs for a secured setup. ### How to reproduce Put Airflow API behind a reserve proxy like envoy and force client certificates verification ### Operating System We are deploying using the official Docker image ### Versions of Apache Airflow Providers It can be reproduced for all the versions available till 02/13/2026 ### Deployment Other Docker-based deployment ### Deployment details Our API server is behind Envoy, and Envoy is configured to do client verification ### Anything else? _No response_ ### Are you willing to submit PR? - [ ] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
