Add skipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposure#60783
Add skipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposure#60783uplsh580 wants to merge 1 commit into
skipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposure#60783Conversation
skipKubernetesEnvVars option for all components in chart to prevent UI exposure of sensitive env vars
skipKubernetesEnvVars option for all components in chart to prevent UI exposure of sensitive env varsskipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposure
skipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposureskipKubernetesEnvVars option for all components in chart to prevent env var conflicts and UI exposure
|
@jedcunningham I am not sure about why this option actually was made - is there a historc reason you are aware or a need in a specific deployment condition? If this is changed like proposed - and in general this makes sense - will this be a breaking change we need to postpone into a version 2.0 which we are planning and take the option to wipe this in general? |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions. |
|
un-stale this PR to mark it as reminder to drop this feature in geneal in Helm Chart 2.0 (proposal) |
|
I'm pretty sure this was for pre-pod-template-file KE. In which case, we can drop it now even. |
@jedcunningham then I'd propose to re-vitalize PR #60750 which was there before which proposes to nuke these variables. Initially tagged this as 2.0 but if okay for you and actually not used then we should make this in 1.20. - WDYT? |
|
@uplsh580 This PR has been converted to draft because it does not yet meet our Pull Request quality criteria. Issues found:
What to do next:
Converting a PR to draft is not a rejection — it is an invitation to bring the PR up to the project's standards so that maintainer review time is spent productively. There is no rush — take your time and work at your own pace. We appreciate your contribution and are happy to wait for updates. If you have questions, feel free to ask on the Airflow Slack. Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you. |
|
Resolved by #60750 |
Related PR
KUBERNETES_ENVIRONMENT_VARIABLESandKUBERNETES_SECRETSprefixes from chart helpers #60750 by providing a non-breaking alternative.Summary
This PR adds the
skipKubernetesEnvVarsoption to all Airflow components (workers, scheduler, apiServer, webserver, triggerer, dagProcessor, flower, cleanup, databaseCleanup, createUserJob) as an alternative solution to address the breaking change introduced in PR #60750.Problem
When using KubernetesExecutor, Airflow automatically creates

AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__prefixed environment variables for each env var defined in component-specificenvarrays (e.g.,workers.env,scheduler.env,apiServer.env). These automatically generated environment variables are exposed in the Airflow web UI config page, which poses a security risk when env vars contain sensitive information such as API keys, passwords, or tokens (Like below image).Additionally, this automatic behavior can cause unexpected conflicts. When users add environment variables to component-specific arrays like
scheduler.env, they expect those variables to only apply to the scheduler component. However, the automatically generatedAIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__prefixed variables are propagated to worker pods created by KubernetesExecutor, potentially causing conflicts or unintended behavior when the same variable names exist in different components.Solution
This PR introduces a
skipKubernetesEnvVarsboolean option (default:false) for each component that allows users to prevent the automatic creation of these prefixed env vars. When set totrue, sensitive values will not be exposed in the UI while maintaining backward compatibility.For users who still need
AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__prefixed env vars for KubernetesExecutor task pods, they can use:envconfiguration, orconfig.kubernetes_environment_variablessectioninstead of component-specific env arrays.
Changes
skipKubernetesEnvVarsoption and comprehensive documentation tovalues.yamlfor all componentsskipKubernetesEnvVarsschema definitions tovalues.schema.jsonfor all componentsBackward Compatibility
The default value is
false, ensuring backward compatibility with existing deployments. Users must explicitly setskipKubernetesEnvVars: trueto enable this security feature.Was generative AI tooling used to co-author this PR?
{pr_number}.significant.rstor{issue_number}.significant.rst, in airflow-core/newsfragments.