This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new a3652001860 Remove automatic `KUBERNETES_ENVIRONMENT_VARIABLES` and
`KUBERNETES_SECRETS` prefixes from chart helpers (#60750)
a3652001860 is described below
commit a36520018604ae0a7c341e43e237c58bc0bd37eb
Author: SeonghwanLee <[email protected]>
AuthorDate: Tue Mar 17 06:06:03 2026 +0900
Remove automatic `KUBERNETES_ENVIRONMENT_VARIABLES` and
`KUBERNETES_SECRETS` prefixes from chart helpers (#60750)
* Remove automatic KUBERNETES_ENVIRONMENT_VARIABLES prefix from
container_extra_envs
* Add Significant document
* Apply review of @jscheffi - Remove KUBERNETES_ENVIRONMENT_VARIABLES
prefix from custom_airflow_environment
* Remove KUBERNETES_ENVIRONMENT_VARIABLES and KUBERNETES_SECRETS prefixes
from custom_airflow_environment
---------
Co-authored-by: Jens Scheffler <[email protected]>
---
chart/newsfragments/60750.significant.rst | 57 +++++++++++++++++++++++++++++++
chart/templates/_helpers.yaml | 27 ---------------
2 files changed, 57 insertions(+), 27 deletions(-)
diff --git a/chart/newsfragments/60750.significant.rst
b/chart/newsfragments/60750.significant.rst
new file mode 100644
index 00000000000..049058d1316
--- /dev/null
+++ b/chart/newsfragments/60750.significant.rst
@@ -0,0 +1,57 @@
+Automatic ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`` and
``AIRFLOW__KUBERNETES_SECRETS__`` prefix addition removed from
``container_extra_envs`` and ``custom_airflow_environment``
+
+The automatic prefix addition for Kubernetes Executor environment variables
and secrets has been removed from both the ``container_extra_envs`` and
``custom_airflow_environment`` helper functions.
+
+**What changed:**
+
+Previously, when you added environment variables to component-specific
configurations (e.g., ``.Values.scheduler.env``, ``.Values.workers.env``,
``.Values.apiServer.env``, ``.Values.dagProcessor.env``), the chart
automatically created an additional environment variable with the
``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`` prefix for Kubernetes Executor
worker pods.
+
+**Example - Before:**
+.. code-block:: yaml
+
+ apiServer:
+ env:
+ - name: MY_VAR
+ value: "my_value"
+
+This would automatically create both:
+* ``MY_VAR=my_value`` (for the apiServer)
+* ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__MY_VAR=my_value`` (for worker
pods)
+
+**Example - After:**
+.. code-block:: yaml
+
+ apiServer:
+ env:
+ - name: MY_VAR
+ value: "my_value"
+
+Now only ``MY_VAR=my_value`` is created for the apiServer. The
``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__MY_VAR`` is **no longer
automatically created**.
+
+**Why this change:**
+
+* **Prevent Unintended Exposure of Sensitive Data**: Sensitive information
(e.g., ``client_secret``) that should be securely handled via ``secretKeyRef``
for specific components was being automatically prefixed with
``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__``. This prefixing causes these
variables to be recognized as part of Airflow's internal configuration, leading
to their unintended exposure in the Airflow Web UI (under Admin ->
Configuration), even when ``AIRFLOW__API__EXPOSE_CON [...]
+
+* **Avoid Unintended Environment Propagation to Workers**: Component-specific
env configurations are intended strictly for specific components. However, the
previous behavior caused these variables to be inadvertently passed to worker
pods, which may result in unintended configuration conflicts and unexpected
side effects.
+
+**Migration Required:**
+
+If you need to pass environment variables specifically to Kubernetes Executor
worker pods, use one of the following approaches:
+
+**Option 1: Use ``.Values.env``**
+.. code-block:: yaml
+
+ env:
+ - name: my_var
+ value: "my_value"
+
+Environment variables in ``.Values.env`` are now passed as-is without the
automatic prefix (same behavior as component-specific env).
+
+**Option 2: Use ``.Values.config.kubernetes_environment_variables``**
+.. code-block:: yaml
+
+ config:
+ kubernetes_environment_variables:
+ my_var: "my_value"
+
+**Secrets (``.Values.secret``):** The ``AIRFLOW__KUBERNETES_SECRETS__`` prefix
is no longer automatically added. Secrets are now passed as-is via
``secretKeyRef`` without the prefixed copy for worker pods.
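Review bot: In the Migration section, Option 1 is offered as a way to reach Kubernetes Executor worker pods, but the sentence after its example says `.Values.env` is now passed as-is without the prefix, so the reader cannot tell how the variable still gets to a worker pod. State the mechanism in one sentence, or drop Option 1. Two smaller points in the same file: `.. code-block:: yaml` directly follows each bold label line, and the bullet list directly follows "This would automatically create both:", with no blank line in between, which reStructuredText needs to render them as a directive and a list; and the examples switch from `MY_VAR` to `my_var` without explanation.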
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
index 4410d142adf..46391a7bdb6 100644
--- a/chart/templates/_helpers.yaml
+++ b/chart/templates/_helpers.yaml
@@ -154,10 +154,6 @@ If release name contains chart name it will be used as a
full name.
{{- range $i, $config := .Values.env }}
- name: {{ $config.name }}
value: {{ $config.value | quote }}
- {{- if or (contains "KubernetesExecutor" $.Values.executor) (contains
"LocalKubernetesExecutor" $.Values.executor) (contains
"CeleryKubernetesExecutor" $.Values.executor) }}
- - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
- value: {{ $config.value | quote }}
- {{- end }}
{{- end }}
# Dynamically created secret envs
{{- range $i, $config := .Values.secret }}
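Review bot: No test accompanies the removal of the `AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}` entry from the `.Values.env` loop; the diffstat lists only the newsfragment and `_helpers.yaml`. Add a chart test that renders with `KubernetesExecutor` set and asserts that no env name carries that prefix, so the behaviour cannot come back unnoticed.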
@@ -167,12 +163,6 @@ If release name contains chart name it will be used as a
full name.
name: {{ $config.secretName }}
key: {{ default "value" $config.secretKey }}
{{- end }}
- {{- if or (contains "LocalKubernetesExecutor" $.Values.executor) (contains
"KubernetesExecutor" $.Values.executor) (contains "CeleryKubernetesExecutor"
$.Values.executor) }}
- {{- range $i, $config := .Values.secret }}
- - name: AIRFLOW__KUBERNETES_SECRETS__{{ $config.envName }}
- value: {{ printf "%s=%s" $config.secretName $config.secretKey }}
- {{- end }}
- {{ end }}
# Extra env
{{- $Global := . }}
{{- with .Values.extraEnv }}
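Review bot: The removed `AIRFLOW__KUBERNETES_SECRETS__{{ $config.envName }}` entries have no documented replacement; the newsfragment gives two migration options for plain env variables but for secrets only states that the prefix is gone. Add a short migration paragraph for `.Values.secret` users on KubernetesExecutor, LocalKubernetesExecutor or CeleryKubernetesExecutor who relied on the prefixed copy.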
@@ -999,23 +989,6 @@ capabilities:
key: {{ $config.valueFrom.configMapKeyRef.key }}
{{- end }}
{{- end }}
- {{- if or (contains "KubernetesExecutor" $.Values.executor) (contains
"LocalKubernetesExecutor" $.Values.executor) (contains
"CeleryKubernetesExecutor" $.Values.executor) }}
- - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
- {{- if $config.value }}
- value: {{ $config.value | quote }}
- {{- else if $config.valueFrom }}
- valueFrom:
- {{- if $config.valueFrom.secretKeyRef }}
- secretKeyRef:
- name: {{ $config.valueFrom.secretKeyRef.name }}
- key: {{ $config.valueFrom.secretKeyRef.key }}
- {{- else if $config.valueFrom.configMapKeyRef }}
- configMapKeyRef:
- name: {{ $config.valueFrom.configMapKeyRef.name }}
- key: {{ $config.valueFrom.configMapKeyRef.key }}
- {{- end }}
- {{- end }}
- {{- end }}
{{- end }}
{{- end }}
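Review bot: The removed block forwarded `valueFrom.secretKeyRef` and `valueFrom.configMapKeyRef` entries under the prefixed name as well as literal `value` entries, while Option 2 in the newsfragment shows only a literal (`my_var: "my_value"`). Say in the newsfragment how a component env entry that uses `valueFrom` should be given to worker pods now, or that this is no longer supported.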