diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a7e8e05..8dcdf673 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ - Add new roles for dag-processor and triggerer processes ([#679]). - Added a note on webserver workers to the trouble-shooting section ([#685]). +### Changed + +- Use internal secrets for secret- and jwt-keys ([#686]). + ### Fixed - Don't panic on invalid authorization config. Previously, a missing OPA ConfigMap would crash the operator ([#667]). @@ -24,6 +28,7 @@ [#679]: https://github.com/stackabletech/airflow-operator/pull/679 [#683]: https://github.com/stackabletech/airflow-operator/pull/683 [#685]: https://github.com/stackabletech/airflow-operator/pull/685 +[#686]: https://github.com/stackabletech/airflow-operator/pull/686 ## [25.7.0] - 2025-07-23 diff --git a/Cargo.lock b/Cargo.lock index df41415b..0765299e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2606,6 +2606,7 @@ name = "stackable-airflow-operator" version = "0.0.0-dev" dependencies = [ "anyhow", + "base64", "built", "clap", "const_format", @@ -2613,6 +2614,7 @@ dependencies = [ "futures 0.3.31", "indoc", "product-config", + "rand", "rstest", "serde", "serde_json", diff --git a/Cargo.nix b/Cargo.nix index becc710f..ee4e7f97 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -6682,7 +6682,7 @@ rec { "std_rng" = [ "dep:rand_chacha" ]; "thread_rng" = [ "std" "std_rng" "os_rng" ]; }; - resolvedDefaultFeatures = [ "alloc" "os_rng" "small_rng" "std" "std_rng" "thread_rng" ]; + resolvedDefaultFeatures = [ "alloc" "default" "os_rng" "small_rng" "std" "std_rng" "thread_rng" ]; }; "rand_chacha" = rec { crateName = "rand_chacha"; @@ -8451,6 +8451,10 @@ rec { name = "anyhow"; packageId = "anyhow"; } + { + name = "base64"; + packageId = "base64"; + } { name = "clap"; packageId = "clap"; @@ -8476,6 +8480,10 @@ rec { name = "product-config"; packageId = "product-config"; } + { + name = "rand"; + packageId = "rand"; + } { name = "serde"; packageId = "serde"; 
diff --git a/Cargo.toml b/Cargo.toml index bbe8df44..2ae95e0c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,12 +14,14 @@ product-config = { git = "https://github.com/stackabletech/product-config.git", stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["telemetry", "versioned"], tag = "stackable-operator-0.95.0" } anyhow = "1.0" +base64 = "0.22" built = { version = "0.8", features = ["chrono", "git2"] } clap = "4.5" const_format = "0.2" fnv = "1.0" futures = { version = "0.3", features = ["compat"] } indoc = "2.0" +rand = "0.9.0" rstest = "0.26" semver = "1.0" serde = { version = "1.0", features = ["derive"] } diff --git a/docs/modules/airflow/examples/example-airflow-secret.yaml b/docs/modules/airflow/examples/example-airflow-secret.yaml index 4df23926..5e112e91 100644 --- a/docs/modules/airflow/examples/example-airflow-secret.yaml +++ b/docs/modules/airflow/examples/example-airflow-secret.yaml @@ -10,7 +10,6 @@ stringData: adminUser.lastname: Admin adminUser.email: airflow@airflow.com adminUser.password: airflow - connections.secretKey: thisISaSECRET_1234 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow # Only needed when using celery workers (instead of Kubernetes executors) connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow diff --git a/docs/modules/airflow/examples/getting_started/code/airflow-credentials.yaml b/docs/modules/airflow/examples/getting_started/code/airflow-credentials.yaml index 4df23926..5e112e91 100644 --- a/docs/modules/airflow/examples/getting_started/code/airflow-credentials.yaml +++ b/docs/modules/airflow/examples/getting_started/code/airflow-credentials.yaml 
@@ -10,7 +10,6 @@ stringData: adminUser.lastname: Admin adminUser.email: airflow@airflow.com adminUser.password: airflow - connections.secretKey: thisISaSECRET_1234 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow # Only needed when using celery workers (instead of Kubernetes executors) connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow diff --git a/docs/modules/airflow/pages/getting_started/first_steps.adoc b/docs/modules/airflow/pages/getting_started/first_steps.adoc index 3ee569ff..f25fcd2c 100644 --- a/docs/modules/airflow/pages/getting_started/first_steps.adoc +++ b/docs/modules/airflow/pages/getting_started/first_steps.adoc @@ -23,9 +23,6 @@ And apply it: [source,bash] include::example$getting_started/code/getting_started.sh[tag=apply-airflow-credentials] -The `connections.secretKey` is used for securely signing the session cookies and can be used for any other security related needs by extensions. -It should be a long random string of bytes. - `connections.sqlalchemyDatabaseUri` must contain the connection string to the SQL database storing the Airflow metadata. `connections.celeryResultBackend` must contain the connection string to the SQL database storing the job metadata (the example above uses the same PostgreSQL database for both). diff --git a/examples/simple-airflow-cluster-dags-cmap.yaml b/examples/simple-airflow-cluster-dags-cmap.yaml index ae8145ca..8899293a 100644 --- a/examples/simple-airflow-cluster-dags-cmap.yaml +++ b/examples/simple-airflow-cluster-dags-cmap.yaml 
@@ -10,7 +10,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
 # Only needed when using celery workers (instead of Kubernetes executors)
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
diff --git a/examples/simple-airflow-cluster-ldap-insecure-tls.yaml b/examples/simple-airflow-cluster-ldap-insecure-tls.yaml
index 80168a86..334c4c70 100644
--- a/examples/simple-airflow-cluster-ldap-insecure-tls.yaml
+++ b/examples/simple-airflow-cluster-ldap-insecure-tls.yaml
@@ -138,7 +138,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
 # Only needed when using celery workers (instead of Kubernetes executors)
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
diff --git a/examples/simple-airflow-cluster-ldap.yaml b/examples/simple-airflow-cluster-ldap.yaml
index a22fda12..a0e17a4e 100644
--- a/examples/simple-airflow-cluster-ldap.yaml
+++ b/examples/simple-airflow-cluster-ldap.yaml
@@ -136,7 +136,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
 # Only needed when using celery workers (instead of Kubernetes executors)
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
diff --git a/examples/simple-airflow-cluster.yaml b/examples/simple-airflow-cluster.yaml index 39aebe6c..54b66d4c 100644 --- a/examples/simple-airflow-cluster.yaml +++ b/examples/simple-airflow-cluster.yaml @@ -10,7 +10,6 @@ stringData: adminUser.lastname: Admin adminUser.email: airflow@airflow.com adminUser.password: airflow - connections.secretKey: thisISaSECRET_1234 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow # Only needed when using celery workers (instead of Kubernetes executors) connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow diff --git a/rust/operator-binary/Cargo.toml b/rust/operator-binary/Cargo.toml index 3edfae3e..8abd5e6f 100644 --- a/rust/operator-binary/Cargo.toml +++ b/rust/operator-binary/Cargo.toml @@ -13,10 +13,13 @@ product-config.workspace = true stackable-operator.workspace = true anyhow.workspace = true +base64.workspace = true clap.workspace = true const_format.workspace = true fnv.workspace = true futures.workspace = true +indoc.workspace = true +rand.workspace = true serde.workspace = true serde_json.workspace = true serde_yaml.workspace = true @@ -24,7 +27,6 @@ snafu.workspace = true strum.workspace = true tokio.workspace = true tracing.workspace = true -indoc.workspace = true [build-dependencies] built.workspace = true diff --git a/rust/operator-binary/src/airflow_controller.rs b/rust/operator-binary/src/airflow_controller.rs index 13419ff1..28cb3c8f 100644 --- a/rust/operator-binary/src/airflow_controller.rs +++ b/rust/operator-binary/src/airflow_controller.rs 
@@ -92,7 +92,9 @@ use crate::{ AirflowAuthenticationClassResolved, AirflowClientAuthenticationDetailsResolved, }, authorization::AirflowAuthorizationResolved, - build_recommended_labels, v1alpha1, + build_recommended_labels, + internal_secret::{ENV_INTERNAL_SECRET, ENV_JWT_SECRET, create_random_secret}, + v1alpha1, }, env_vars::{self, build_airflow_template_envs}, operations::{ @@ -346,6 +348,9 @@ pub enum Error { ResolveProductImage { source: product_image_selection::Error, }, + + #[snafu(display("failed to create internal secret"))] + InvalidInternalSecret { source: crd::internal_secret::Error }, } type Result = std::result::Result; @@ -470,6 +475,24 @@ pub async fn reconcile_airflow( .await?; } + create_random_secret( + airflow.shared_internal_secret_name().as_ref(), + ENV_INTERNAL_SECRET, + airflow, + client, + ) + .await + .context(InvalidInternalSecretSnafu)?; + + create_random_secret( + airflow.shared_jwt_secret_name().as_ref(), + ENV_JWT_SECRET, + airflow, + client, + ) + .await + .context(InvalidInternalSecretSnafu)?; + for (role_name, role_config) in validated_role_config.iter() { let airflow_role = AirflowRole::from_str(role_name).context(UnidentifiedAirflowRoleSnafu { diff --git a/rust/operator-binary/src/crd/internal_secret.rs b/rust/operator-binary/src/crd/internal_secret.rs new file mode 100644 index 00000000..4267be20 --- /dev/null +++ b/rust/operator-binary/src/crd/internal_secret.rs 
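Review bot: Both `create_random_secret` calls in `reconcile_airflow` map their failure to the same `InvalidInternalSecretSnafu` context, so a reconcile error does not say whether the internal or the JWT Secret could not be written, and the variant name (`InvalidInternalSecret`) disagrees with its message ("failed to create internal secret"). Carrying the name in the variant would fix both, e.g. `CreateInternalSecret { source: crd::internal_secret::Error, secret_name: String }` with `#[snafu(display("failed to create internal secret {secret_name:?}"))]`. `reconcile_airflow` starts and ends outside this hunk.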
@@ -0,0 +1,101 @@ +use std::collections::BTreeMap; + +use base64::{Engine as _, engine::general_purpose}; +use snafu::{OptionExt, ResultExt, Snafu}; +use stackable_operator::{ + builder::meta::ObjectMetaBuilder, client::Client, k8s_openapi::api::core::v1::Secret, + kube::ResourceExt, logging::controller::ReconcilerError, +}; +use strum::{EnumDiscriminants, IntoStaticStr}; + +use crate::{airflow_controller::AIRFLOW_CONTROLLER_NAME, crd::v1alpha1}; + +// Used for env-vars: AIRFLOW__WEBSERVER__SECRET_KEY, AIRFLOW__API__SECRET_KEY +// N.B. AIRFLOW__WEBSERVER__SECRET_KEY is deprecated as of 3.0.2. +// Secret key used to run the api server. It should be as random as possible. +// It should be consistent across instances of the webserver. The webserver key +// is also used to authorize requests to Celery workers when logs are retrieved. +pub const ENV_INTERNAL_SECRET: &str = "INTERNAL_SECRET"; +// Used for env-var: AIRFLOW__API_AUTH__JWT_SECRET +// Secret key used to encode and decode JWTs to authenticate to public and +// private APIs. It should be as random as possible, but consistent across +// instances of API services. 
+pub const ENV_JWT_SECRET: &str = "JWT_SECRET"; + +type Result = std::result::Result; + +impl ReconcilerError for Error { + fn category(&self) -> &'static str { + ErrorDiscriminants::from(self).into() + } +} + +#[derive(Snafu, Debug, EnumDiscriminants)] +#[strum_discriminants(derive(IntoStaticStr))] +pub enum Error { + #[snafu(display("object defines no namespace"))] + ObjectHasNoNamespace, + + #[snafu(display("object is missing metadata to build owner reference"))] + ObjectMissingMetadataForOwnerRef { + source: stackable_operator::builder::meta::Error, + }, + + #[snafu(display("failed to retrieve secret for internal communications"))] + FailedToRetrieveInternalSecret { + source: stackable_operator::client::Error, + }, + + #[snafu(display("failed to apply internal secret"))] + ApplyInternalSecret { + source: stackable_operator::client::Error, + }, +} + +pub async fn create_random_secret( + secret_name: &str, + secret_key: &str, + airflow: &v1alpha1::AirflowCluster, + client: &Client, +) -> Result<()> { + let mut internal_secret = BTreeMap::new(); + internal_secret.insert(secret_key.to_string(), get_random_base64()); + + let secret = Secret { + immutable: Some(true), + metadata: ObjectMetaBuilder::new() + .name(secret_name) + .namespace_opt(airflow.namespace()) + .ownerreference_from_resource(airflow, None, Some(true)) + .context(ObjectMissingMetadataForOwnerRefSnafu)? + .build(), + string_data: Some(internal_secret), + ..Secret::default() + }; + + if client + .get_opt::( + &secret.name_any(), + secret + .namespace() + .as_deref() + .context(ObjectHasNoNamespaceSnafu)?, + ) + .await + .context(FailedToRetrieveInternalSecretSnafu)? + .is_none() + { + client + .apply_patch(AIRFLOW_CONTROLLER_NAME, &secret, &secret) + .await + .context(ApplyInternalSecretSnafu)?; + } + + Ok(()) +} + +fn get_random_base64() -> String { + let serial_number = rand::random::(); + let bytes = serial_number.to_le_bytes(); + general_purpose::STANDARD.encode(bytes) +} 
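Review bot: `get_random_base64` derives the key from a single random integer (`rand::random::()` followed by `to_le_bytes()`); the integer type is not visible in this rendering, but no primitive integer gives more than 128 bits, and a narrower one would leave the session- and JWT-signing keys short of the 256 bits usually expected for HMAC-based signing. Stating the length explicitly removes the doubt: `let key: [u8; 32] = rand::random();` then `general_purpose::STANDARD.encode(key)`, with `serial_number` renamed since the value is key material. Separately, the `get_opt` check in `create_random_secret` only tests that a Secret with that name exists; a pre-existing Secret that lacks `secret_key` or is not owned by this cluster is accepted as is, so it seems worth checking the key and the owner reference and returning an error otherwise.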
diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs index 772fd43c..8311ad22 100644 --- a/rust/operator-binary/src/crd/mod.rs +++ b/rust/operator-binary/src/crd/mod.rs @@ -60,6 +60,7 @@ use crate::{ pub mod affinity; pub mod authentication; pub mod authorization; +pub mod internal_secret; pub const APP_NAME: &str = "airflow"; pub const OPERATOR_NAME: &str = "airflow.stackable.tech"; @@ -452,6 +453,14 @@ impl v1alpha1::AirflowCluster { tracing::debug!("Merged executor config: {:?}", conf_executor); fragment::validate(conf_executor).context(FragmentValidationFailureSnafu) } + + pub fn shared_internal_secret_name(&self) -> String { + format!("{}-internal-secret", &self.name_any()) + } + + pub fn shared_jwt_secret_name(&self) -> String { + format!("{}-jwt-secret", &self.name_any()) + } } fn extract_role_from_webserver_config( diff --git a/rust/operator-binary/src/env_vars.rs b/rust/operator-binary/src/env_vars.rs index 610d9afe..9c60f4fb 100644 --- a/rust/operator-binary/src/env_vars.rs +++ b/rust/operator-binary/src/env_vars.rs @@ -21,6 +21,7 @@ use crate::{ AirflowAuthenticationClassResolved, AirflowClientAuthenticationDetailsResolved, }, authorization::AirflowAuthorizationResolved, + internal_secret::{ENV_INTERNAL_SECRET, ENV_JWT_SECRET}, v1alpha1, }, util::{env_var_from_secret, role_service_name}, @@ -58,11 +59,6 @@ const ADMIN_EMAIL: &str = "ADMIN_EMAIL"; const PYTHONPATH: &str = "PYTHONPATH"; -/// This key is only intended for use during experimental support and will -/// be replaced with a secret at a later stage. See the issue covering -/// this at . -const JWT_KEY: &str = "ThisKeyIsNotIntendedForProduction!"; - #[derive(Snafu, Debug)] pub enum Error { #[snafu(display( 
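Review bot: `shared_internal_secret_name` and `shared_jwt_secret_name` (second hunk of `crd/mod.rs`) are public but undocumented, although the names they return are what both the reconciler and the env-var builder use to find the operator-managed Secrets. A doc comment on each would record that contract, e.g. `/// Name of the operator-managed Secret holding the webserver/API secret key; must not collide with a user-supplied Secret in the same namespace.` and the equivalent for the JWT Secret. The `&` in `&self.name_any()` is not needed inside `format!`.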
@@ -87,6 +83,7 @@ pub fn build_airflow_statefulset_envs( ) -> Result, Error> { let mut env: BTreeMap = BTreeMap::new(); let secret = airflow.spec.cluster_config.credentials_secret.as_str(); + let internal_secret_name = airflow.shared_internal_secret_name(); env.extend(static_envs(git_sync_resources)); @@ -95,14 +92,24 @@ pub fn build_airflow_statefulset_envs( add_version_specific_env_vars(airflow, airflow_role, resolved_product_image, &mut env); + // N.B. this has been deprecated and replaced with AIRFLOW__API__SECRET_KEY since 3.0.2. Can be removed when 3.0.1 is no longer supported. env.insert( AIRFLOW_WEBSERVER_SECRET_KEY.into(), - // The secret key is used to run the webserver flask app and also used to authorize - // requests to Celery workers when logs are retrieved. + // The secret key is used to run the webserver flask app and also + // used to authorize requests to Celery workers when logs are retrieved. env_var_from_secret( AIRFLOW_WEBSERVER_SECRET_KEY, - secret, - "connections.secretKey", + &internal_secret_name, + ENV_INTERNAL_SECRET, + ), + ); + // Replaces AIRFLOW__WEBSERVER__SECRET_KEY >= 3.0.2. + env.insert( + "AIRFLOW__API__SECRET_KEY".into(), + env_var_from_secret( + "AIRFLOW__API__SECRET_KEY", + &internal_secret_name, + ENV_INTERNAL_SECRET, ), ); env.insert( 
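Review bot: After the second hunk (`@@ -95,14 +92,24 @@`) `AIRFLOW__WEBSERVER__SECRET_KEY` no longer reads `connections.secretKey` from the credentials Secret, so a key that an existing cluster already sets there is ignored without any warning and the signing key changes on upgrade. A comment at the `env.insert` would make that explicit, e.g. `// connections.secretKey in the credentials Secret is no longer read; the key comes from the operator-managed internal Secret.`, and the changelog entry could presumably say the same. The literal `"AIRFLOW__API__SECRET_KEY"` is also spelled twice where the neighbouring entry uses a constant; `const AIRFLOW_API_SECRET_KEY: &str = "AIRFLOW__API__SECRET_KEY";` would match. `build_airflow_statefulset_envs` continues outside both hunks.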
@@ -476,16 +483,16 @@ fn add_version_specific_env_vars( // This should be random, but must also be consistent across // api-services and replicas/roles for a given // cluster, but should also be cluster-specific. - // See issue : - // later it will be accessed from a secret to avoid cluster restarts + // It is accessed from a secret to avoid cluster restarts // being triggered by an operator restart. + let jwt_secret_name = airflow.shared_jwt_secret_name(); env.insert( "AIRFLOW__API_AUTH__JWT_SECRET".into(), - EnvVar { - name: "AIRFLOW__API_AUTH__JWT_SECRET".into(), - value: Some(JWT_KEY.into()), - ..Default::default() - }, + env_var_from_secret( + "AIRFLOW__API_AUTH__JWT_SECRET", + &jwt_secret_name, + ENV_JWT_SECRET, + ), ); if airflow_role == &AirflowRole::Webserver { // Sometimes a race condition can arise when both scheduler and diff --git a/tests/templates/kuttl/cluster-operation/08-install-airflow.yaml.j2 b/tests/templates/kuttl/cluster-operation/08-install-airflow.yaml.j2 index 8410596e..3aa50e6e 100644 --- a/tests/templates/kuttl/cluster-operation/08-install-airflow.yaml.j2 +++ b/tests/templates/kuttl/cluster-operation/08-install-airflow.yaml.j2 @@ -15,7 +15,6 @@ stringData: adminUser.lastname: Admin adminUser.email: airflow@airflow.com adminUser.password: airflow - connections.secretKey: thisISaSECRET_1234 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0 diff --git a/tests/templates/kuttl/external-access/install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/external-access/install-airflow-cluster.yaml.j2 index 0ed7716b..84f6547a 100644 --- a/tests/templates/kuttl/external-access/install-airflow-cluster.yaml.j2 +++ b/tests/templates/kuttl/external-access/install-airflow-cluster.yaml.j2 
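Review bot: The rewritten comment above the `AIRFLOW__API_AUTH__JWT_SECRET` entry explains why the key lives in a Secret but not how it can be replaced. Since the Secret is created with `immutable: Some(true)` and the value reaches the containers as an environment variable, which is read only when a container starts, rotation presumably means deleting the Secret and restarting every role that consumes it. A line such as `// Rotation: delete the <cluster>-jwt-secret Secret and restart all roles; running pods keep the old value.` would save the next operator from finding that out during an incident. `add_version_specific_env_vars` starts and ends outside the hunk.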
@@ -10,7 +10,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
 connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0
diff --git a/tests/templates/kuttl/ldap/60-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/ldap/60-install-airflow-cluster.yaml.j2
index fb8ced2c..cbba7152 100644
--- a/tests/templates/kuttl/ldap/60-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/ldap/60-install-airflow-cluster.yaml.j2
@@ -18,7 +18,6 @@ commands:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/logging/41-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/logging/41-install-airflow-cluster.yaml.j2
index 7ebb7d78..498f6db0 100644
--- a/tests/templates/kuttl/logging/41-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/logging/41-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/mount-dags-configmap/30-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/mount-dags-configmap/30-install-airflow-cluster.yaml.j2
index e11f6bc0..b3bf36c8 100644
--- a/tests/templates/kuttl/mount-dags-configmap/30-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/mount-dags-configmap/30-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/mount-dags-gitsync/30-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/mount-dags-gitsync/30-install-airflow-cluster.yaml.j2
index 5b0d5ca4..7d5d098f 100644
--- a/tests/templates/kuttl/mount-dags-gitsync/30-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/mount-dags-gitsync/30-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/oidc/install-airflow.yaml.j2 b/tests/templates/kuttl/oidc/install-airflow.yaml.j2
index 9fd843b0..48826e4b 100644
--- a/tests/templates/kuttl/oidc/install-airflow.yaml.j2
+++ b/tests/templates/kuttl/oidc/install-airflow.yaml.j2
@@ -11,7 +11,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 ---
 apiVersion: v1
diff --git a/tests/templates/kuttl/opa/30-install-airflow.yaml.j2 b/tests/templates/kuttl/opa/30-install-airflow.yaml.j2
index 631602ac..9fe3daa0 100644
--- a/tests/templates/kuttl/opa/30-install-airflow.yaml.j2
+++ b/tests/templates/kuttl/opa/30-install-airflow.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 ---
 apiVersion: airflow.stackable.tech/v1alpha1
diff --git a/tests/templates/kuttl/orphaned-resources/30-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/orphaned-resources/30-install-airflow-cluster.yaml.j2
index 8410596e..3aa50e6e 100644
--- a/tests/templates/kuttl/orphaned-resources/30-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/orphaned-resources/30-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
 connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0
diff --git a/tests/templates/kuttl/overrides/10-install-airflow.yaml.j2 b/tests/templates/kuttl/overrides/10-install-airflow.yaml.j2
index 7c5324e6..efc2c61a 100644
--- a/tests/templates/kuttl/overrides/10-install-airflow.yaml.j2
+++ b/tests/templates/kuttl/overrides/10-install-airflow.yaml.j2
@@ -10,7 +10,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
 connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0
@@ -26,7 +25,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
 connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0
diff --git a/tests/templates/kuttl/remote-logging/40-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/remote-logging/40-install-airflow-cluster.yaml.j2
index 694322e8..c0719d48 100644
--- a/tests/templates/kuttl/remote-logging/40-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/remote-logging/40-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/resources/30-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/resources/30-install-airflow-cluster.yaml.j2
index cda76f90..5af22cb8 100644
--- a/tests/templates/kuttl/resources/30-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/resources/30-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
 connections.celeryBrokerUrl: redis://:redis@airflow-redis-master:6379/0
diff --git a/tests/templates/kuttl/smoke/40-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/smoke/40-install-airflow-cluster.yaml.j2
index 61276545..5227979c 100644
--- a/tests/templates/kuttl/smoke/40-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/smoke/40-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow
diff --git a/tests/templates/kuttl/triggerer/30-install-airflow-cluster.yaml.j2 b/tests/templates/kuttl/triggerer/30-install-airflow-cluster.yaml.j2
index 9ddad88b..2f728798 100644
--- a/tests/templates/kuttl/triggerer/30-install-airflow-cluster.yaml.j2
+++ b/tests/templates/kuttl/triggerer/30-install-airflow-cluster.yaml.j2
@@ -15,7 +15,6 @@ stringData:
 adminUser.lastname: Admin
 adminUser.email: airflow@airflow.com
 adminUser.password: airflow
- connections.secretKey: thisISaSECRET_1234
 connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
 {% if test_scenario['values']['executor'] == 'celery' %}
 connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql/airflow