Skip to content

Fix: Support workers-only deployments in Airflow < 3.0.0 by creating webserver secret #55411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
HsiuChuanHsu wants to merge 3 commits into from
Closed

Fix: Support workers-only deployments in Airflow < 3.0.0 by creating webserver secret #55411

HsiuChuanHsu wants to merge 3 commits into from

Conversation

@HsiuChuanHsu
Copy link
Contributor

@HsiuChuanHsu HsiuChuanHsu commented Sep 9, 2025

Description

This PR fixes an issue where the Airflow webserver-secret-key secret is not automatically created when deploying worker-only setups using the Helm chart (Airflow < 3.0.0).

Problem:
The Helm chart only creates the webserver-secret-key secret when .Values.webserver.enabled is true, but this global secret is needed by multiple Airflow components, including workers and scheduler

This causes the following problems:

  • When only workers or scheduler are deployed (e.g., in a worker-only namespace), the required secret is missing.
  • Users must manually create the secret in each namespace.

Solution

Only modified Airflow < 3.0.0 behavior:

# Before
{{- if and (semverCompare "<3.0.0" .Values.airflowVersion) .Values.webserver.enabled (not .Values.webserverSecretKeySecretName) }}

# After  
{{- if and (semverCompare "<3.0.0" .Values.airflowVersion) (or .Values.webserver.enabled .Values.workers.enabled .Values.scheduler.enabled) (not .Values.webserverSecretKeySecretName) }}

Airflow ≥ 3.0.0 behavior:

  • jwt-secret.yaml - No change needed (already works)
  • api-secret-key-secret.yaml - No change needed (already works)

Closes: #53375

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@HsiuChuanHsu
Fix: Support workers-only deployments by creating secrets when any co…
2228e3d 
…re component is enabled

- Update secret creation conditions to check for any enabled core component
  (webserver, workers, or scheduler) instead of only webserver
- Change component labels from specific service names to 'global-secret'
  to better reflect their shared nature
- Apply fix consistently across all Airflow versions:
  * < 3.0.0: webserver-secret-key-secret.yaml
  * >= 3.0.0: jwt-secret.yaml and api-secret-key-secret.yaml
@HsiuChuanHsu
No need to change for airflow > 3.0.0 setup
c134ab0
@HsiuChuanHsu
Change commponent name to original name: webserver
4231a95
@boring-cyborg boring-cyborg bot added the area:helm-chart Airflow Helm Chart label Sep 9, 2025
@romsharon98
Copy link
Contributor

romsharon98 commented Sep 17, 2025

closes as #52953 fix it

@HsiuChuanHsu HsiuChuanHsu deleted the bug/missing-webserver-secret-key-secret-separate-deployment branch October 14, 2025 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dstandish dstandish Awaiting requested review from dstandish

@jedcunningham jedcunningham Awaiting requested review from jedcunningham jedcunningham is a code owner

@hussein-awala hussein-awala Awaiting requested review from hussein-awala hussein-awala is a code owner

Assignees

No one assigned

Labels

area:helm-chart Airflow Helm Chart

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing webserver-secret-key-secret

2 participants

@HsiuChuanHsu @romsharon98