This is an automated email from the ASF dual-hosted git repository.

jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new fa2b4acbe82 Remove JWT secrets from triggerer, worker and 
dag-processor (#63204)
fa2b4acbe82 is described below

commit fa2b4acbe82e69f26215de97c449d10cf019b35f
Author: Deepak Jain <[email protected]>
AuthorDate: Sun Mar 15 13:02:25 2026 -0700

    Remove JWT secrets from triggerer, worker and dag-processor (#63204)
    
    * Add missing checksum/jwt-secret annotation to dag-processor, triggerer, 
workers (#62146)
    
    * Only inject JWT secret into api-server and scheduler; update test 
expectations
    
    Made-with: Cursor
    
    * Do not inject JWT secret into wait-for-migrations init container 
(api-server, scheduler)
---
 chart/templates/_helpers.yaml                           |  2 +-
 chart/templates/api-server/api-server-deployment.yaml   |  4 ++--
 .../dag-processor/dag-processor-deployment.yaml         |  4 ++--
 chart/templates/scheduler/scheduler-deployment.yaml     |  4 ++--
 chart/templates/triggerer/triggerer-deployment.yaml     |  4 ++--
 chart/templates/workers/worker-deployment.yaml          |  8 ++++----
 .../tests/helm_tests/airflow_aux/test_airflow_common.py | 17 ++++++++++++++---
 7 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index 42848a9e22e..4410d142adf 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -103,7 +103,7 @@ If release name contains chart name it will be used as a 
full name.
         name: {{ template "api_secret_key_secret" . }}
         key: api-secret-key
   {{- end }}
-  {{- if and (semverCompare ">=3.0.0" .Values.airflowVersion) 
.Values.enableBuiltInSecretEnvVars.AIRFLOW__API_AUTH__JWT_SECRET }}
+  {{- if and .IncludeJwtSecret (semverCompare ">=3.0.0" 
.Values.airflowVersion) 
.Values.enableBuiltInSecretEnvVars.AIRFLOW__API_AUTH__JWT_SECRET }}
   - name: AIRFLOW__API_AUTH__JWT_SECRET
     valueFrom:
       secretKeyRef:
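Review bot: `.IncludeJwtSecret` is now a required key of the context this helper receives, and nothing in the hunk says so: a caller that still passes the bare `.` (any template outside this diff's stat that includes `standard_airflow_environment`, if one exists) gets a missing map key, which Helm's default template options render as nil and `and` treats as false, so the secret silently disappears instead of failing at render time. Failing closed is the right direction for a secret, but the contract should be written down above the condition so the key is not later read as optional-true, e.g. `{{/* IncludeJwtSecret must be passed explicitly via (merge (dict "IncludeJwtSecret" true) .); an absent key is treated as false, so the JWT secret is only injected where a caller opts in. */}}`. The `enableBuiltInSecretEnvVars.AIRFLOW__API_AUTH__JWT_SECRET` value description should likewise say it now applies only to the api-server and scheduler main containers. The enclosing define starts before this hunk.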
diff --git a/chart/templates/api-server/api-server-deployment.yaml 
b/chart/templates/api-server/api-server-deployment.yaml
index 29a84c74ed5..4ef8a5be3ea 100644
--- a/chart/templates/api-server/api-server-deployment.yaml
+++ b/chart/templates/api-server/api-server-deployment.yaml
@@ -147,7 +147,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- if .Values.apiServer.waitForMigrations.env }}
               {{- tpl (toYaml .Values.apiServer.waitForMigrations.env) $ | 
nindent 12 }}
             {{- end }}
@@ -221,7 +221,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" true) .) | indent 10 }}
             {{- include "container_extra_envs" (list . .Values.apiServer.env) 
| indent 10 }}
         {{- if .Values.apiServer.extraContainers }}
           {{- tpl (toYaml .Values.apiServer.extraContainers) . | nindent 8 }}
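Review bot: `merge (dict "IncludeJwtSecret" true) .` relies on two Sprig `merge` properties that a later "cleanup" can easily break: it mutates its first argument and gives that argument precedence. Because the first argument is a fresh `dict`, the root context is left untouched and the literal always wins; reversing it to `merge . (dict ...)` would write `IncludeJwtSecret` into `.` itself and leak the opt-in into every later include in the same template. A one-line comment on the call, `{{- /* fresh dict first: merge mutates its first arg, so "." stays clean */ -}}`, or a small wrapper define taking the boolean, would make the intent hard to misread across the twelve copies of this line in the diff. The container spec continues past the hunk.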
diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml 
b/chart/templates/dag-processor/dag-processor-deployment.yaml
index 88311ad48c3..0123c5b3e0c 100644
--- a/chart/templates/dag-processor/dag-processor-deployment.yaml
+++ b/chart/templates/dag-processor/dag-processor-deployment.yaml
@@ -135,7 +135,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- if .Values.dagProcessor.waitForMigrations.env }}
               {{- tpl (toYaml .Values.dagProcessor.waitForMigrations.env) $ | 
nindent 12 }}
             {{- end }}
@@ -180,7 +180,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- include "container_extra_envs" (list . 
.Values.dagProcessor.env) | indent 10 }}
           livenessProbe:
             initialDelaySeconds: {{ 
.Values.dagProcessor.livenessProbe.initialDelaySeconds }}
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml 
b/chart/templates/scheduler/scheduler-deployment.yaml
index 2a476740088..ec563b880da 100644
--- a/chart/templates/scheduler/scheduler-deployment.yaml
+++ b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -175,7 +175,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- if .Values.scheduler.waitForMigrations.env }}
               {{- tpl (toYaml .Values.scheduler.waitForMigrations.env) $ | 
nindent 12 }}
             {{- end }}
@@ -204,7 +204,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" true) .) | indent 10 }}
             {{- include "container_extra_envs" (list . .Values.scheduler.env) 
| indent 10 }}
           livenessProbe:
             initialDelaySeconds: {{ 
.Values.scheduler.livenessProbe.initialDelaySeconds }}
diff --git a/chart/templates/triggerer/triggerer-deployment.yaml 
b/chart/templates/triggerer/triggerer-deployment.yaml
index e4a394b3ad1..d43ab05ec53 100644
--- a/chart/templates/triggerer/triggerer-deployment.yaml
+++ b/chart/templates/triggerer/triggerer-deployment.yaml
@@ -157,7 +157,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- if .Values.triggerer.waitForMigrations.env }}
               {{- tpl (toYaml .Values.triggerer.waitForMigrations.env) $ | 
nindent 12 }}
             {{- end }}
@@ -205,7 +205,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- include "container_extra_envs" (list . .Values.triggerer.env) 
| nindent 10 }}
           livenessProbe:
             initialDelaySeconds: {{ 
.Values.triggerer.livenessProbe.initialDelaySeconds }}
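Review bot: The chart still gates this env var only on `semverCompare ">=3.0.0"`, so dropping the secret from the triggerer main container is a silent behaviour change for every 3.x release the chart supports, not just the one this was tested against. If any supported 3.x triggerer (or dag-processor, which gets the same treatment in this commit) still mints Execution API tokens locally from `[api_auth] jwt_secret` rather than receiving them from the scheduler, that version will fail at runtime with the new default; I cannot tell from the diff which versions that applies to, so please state the minimum version in the PR and either tighten the version check or record this in the chart changelog as a breaking change. Operators who need the old behaviour can still re-add the variable through `triggerer.env`, which deserves a sentence in the values documentation. The container spec continues beyond the hunk.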
diff --git a/chart/templates/workers/worker-deployment.yaml 
b/chart/templates/workers/worker-deployment.yaml
index 96069aa1ff5..3838e32e43e 100644
--- a/chart/templates/workers/worker-deployment.yaml
+++ b/chart/templates/workers/worker-deployment.yaml
@@ -223,7 +223,7 @@ spec:
             - name: KRB5CCNAME
               value:  {{ include "kerberos_ccache_path" . | quote }}
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
         {{- end }}
         {{- if .Values.workers.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
@@ -251,7 +251,7 @@ spec:
           envFrom: {{- include "custom_airflow_environment_from" . | default 
"\n  []" | indent 10 }}
           env:
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- if .Values.workers.waitForMigrations.env }}
               {{- tpl (toYaml .Values.workers.waitForMigrations.env) $ | 
nindent 12 }}
             {{- end }}
@@ -337,7 +337,7 @@ spec:
             - name: DUMB_INIT_SETSID
               value: "0"
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
             {{- include "container_extra_envs" (list . .Values.workers.env) | 
indent 10 }}
             {{- if .Values.workers.kerberosSidecar.enabled }}
             - name: KRB5_CONFIG
@@ -449,7 +449,7 @@ spec:
             - name: KRB5CCNAME
               value:  {{ include "kerberos_ccache_path" . | quote }}
             {{- include "custom_airflow_environment" . | indent 10 }}
-            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" (merge (dict 
"IncludeJwtSecret" false) .) | indent 10 }}
         {{- end }}
         {{- if .Values.workers.extraContainers }}
           {{- tpl (toYaml .Values.workers.extraContainers) . | nindent 8 }}
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py 
b/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
index b3ad40e42ab..5d715985da9 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
@@ -439,7 +439,9 @@ class TestAirflowCommon:
                 "templates/dag-processor/dag-processor-deployment.yaml",
             ],
         )
-        expected_vars = [
+        # JWT secret is only injected into scheduler (and api-server); not 
into workers,
+        # webserver, triggerer, dag-processor (security: no JWT where not 
needed).
+        expected_vars_with_jwt = [
             "AIRFLOW__CORE__FERNET_KEY",
             "AIRFLOW_HOME",
             "AIRFLOW__DATABASE__SQL_ALCHEMY_CONN",
@@ -448,10 +450,19 @@ class TestAirflowCommon:
             "AIRFLOW__API_AUTH__JWT_SECRET",
             "AIRFLOW__CELERY__BROKER_URL",
         ]
-        expected_vars_in_worker = ["DUMB_INIT_SETSID"] + expected_vars
+        expected_vars_no_jwt = [
+            "AIRFLOW__CORE__FERNET_KEY",
+            "AIRFLOW_HOME",
+            "AIRFLOW__DATABASE__SQL_ALCHEMY_CONN",
+            "AIRFLOW_CONN_AIRFLOW_DB",
+            "AIRFLOW__API__SECRET_KEY",
+            "AIRFLOW__CELERY__BROKER_URL",
+        ]
         for doc in docs:
             component = doc["metadata"]["labels"]["component"]
-            variables = expected_vars_in_worker if component == "worker" else 
expected_vars
+            expected = expected_vars_with_jwt if component == "scheduler" else 
expected_vars_no_jwt
+            expected_in_worker = ["DUMB_INIT_SETSID"] + expected
+            variables = expected_in_worker if component == "worker" else 
expected
             assert variables == 
jmespath.search("spec.template.spec.containers[0].env[*].name", doc), (
                 f"Wrong vars in {component}"
             )
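Review bot: The assertion only inspects `containers[0]`, so the init-container half of this change, the commit description's "Do not inject JWT secret into wait-for-migrations init container", is not pinned by the test and can regress without anyone noticing. After the existing assert add `init_env = jmespath.search("spec.template.spec.initContainers[].env[].name", doc) or []` and `assert "AIRFLOW__API_AUTH__JWT_SECRET" not in init_env, f"JWT secret leaked into an init container of {component}"`; the worker kerberos sidecar in `containers[1:]` could be covered the same way. `expected_vars_no_jwt` also restates the other list minus one entry and will drift the next time a variable is added, so derive it instead: `expected_vars_no_jwt = [v for v in expected_vars_with_jwt if v != "AIRFLOW__API_AUTH__JWT_SECRET"]`.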
