[PR] Fix webserver.defaultUser.enabled=false not honored [airflow]

Wed, 18 Feb 2026 10:57:34 -0800 


jedcunningham opened a new pull request, #62143:
URL: https://github.com/apache/airflow/pull/62143

   When webserver.defaultUser.enabled was set to false, the create-user job 
still ran because createUserJob.enabled defaults to true and the OR condition 
let it through. This adds a helper template that gives the deprecated 
webserver.defaultUser precedence when present, only falling back to 
createUserJob.enabled otherwise. Also fixes NOTES.txt to display credentials 
from the correct source.
   
   
   ## `helm template` Test Results
   
     All scenarios tested against 3 templates: create-user-job.yaml, NOTES.txt, 
and security-context-constraint-rolebinding.yaml.
   
      | # | `webserver.defaultUser`  | `createUserJob.enabled` | Job Created? | 
NOTES Creds?    | SCC Subject? | Status           |
     
|---|--------------------------|-------------------------|--------------|-----------------|--------------|------------------|
     | 1 | *(not set)*              | `true` (default)        | Yes          | 
`admin/admin`   | Yes          | PASS             |
     | 2 | *(not set)*              | `false`                 | No           | 
Hidden          | No           | PASS             |
     | 3 | `enabled: false`         | `true` (default)        | **No**       | 
Hidden          | No           | PASS (bug fix)   |
     | 4 | `enabled: true`          | `true` (default)        | Yes          | 
`depuser/deppass`| Yes          | PASS             |
     | 5 | `enabled: true`          | `false`                 | **Yes**      | 
`depuser/deppass`| Yes          | PASS (precedence)|
     | 6 | `enabled: false`         | `true`                  | **No**       | 
Hidden          | No           | PASS (precedence)|
   
   
     ## Key Behaviors Verified
   
     • Scenario 3 is the core bug fix: webserver.defaultUser.enabled=false now 
correctly suppresses the job. Before the fix, the old or condition would
       still evaluate createUserJob.enabled (default true) and create the job 
anyway.
     • Scenarios 5 & 6 confirm that when the deprecated webserver.defaultUser 
is set, it always takes precedence over createUserJob.enabled, regardless of
       conflict.
     • NOTES.txt correctly uses webserver.defaultUser credentials when that 
section is present, falling back to createUserJob.defaultUser otherwise.
     • SCC rolebinding consistently includes/excludes the create-user-job 
service account in lockstep with whether the job itself is created.
   
   Fixed a missed compat scenario left from #61337.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   
   - [x] Yes (please specify the tool below)
   
   Generated-by: Cursor CLI (Clause Opus 4.6)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to