This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4c0535857bc Generate JWT Secret of recommended length (#65082)
4c0535857bc is described below
commit 4c0535857bc56c9d7fb279cdb4e1dd4c0afa7317
Author: Przemysław Mirowski <[email protected]>
AuthorDate: Sun Apr 12 20:58:44 2026 +0200
Generate JWT Secret of recommended length (#65082)
* Increase jwt secret generated length
* Add doc regarding jwt secret
---
chart/docs/production-guide.rst | 11 +++++++++++
chart/templates/secrets/jwt-secret.yaml | 2 +-
chart/values.schema.json | 2 +-
chart/values.yaml | 2 ++
.../tests/helm_tests/airflow_aux/test_basic_helm_chart.py | 7 +++++++
5 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
index 94c72aa5cb1..ee8f7efd16e 100644
--- a/chart/docs/production-guide.rst
+++ b/chart/docs/production-guide.rst
@@ -265,6 +265,17 @@ generated using the secret key has a short expiry time
though. Make sure that ti
that you run Airflow components on is synchronized (for example using ntpd).
You might get
"forbidden" errors when the logs are accessed otherwise.
+JWT Secret
+----------
+
+You should set a static JWT Secret key when deploying with Airflow chart as it
will increase environment
+stability. It can be achieved by using ``jwtSecretName`` field in the
``values.yaml`` file.
+
+.. note::
+
+ For increase security of production setup, consider creating custom JWT
Secret rollover procedure which will
+ not cause failures in dag runs due to mismatch in tokens.
+
Eviction configuration
----------------------
When running Airflow along with the `Kubernetes Cluster Autoscaler
<https://github.com/kubernetes/autoscaler>`_, it is important to configure
whether pods can be safely evicted.
diff --git a/chart/templates/secrets/jwt-secret.yaml
b/chart/templates/secrets/jwt-secret.yaml
index 04f04a3a70a..288a5490038 100644
--- a/chart/templates/secrets/jwt-secret.yaml
+++ b/chart/templates/secrets/jwt-secret.yaml
@@ -40,5 +40,5 @@ metadata:
{{- end }}
type: Opaque
data:
- jwt-secret: {{ .Values.jwtSecret | default (randAlphaNum 32) | b64enc |
quote }}
+ jwt-secret: {{ .Values.jwtSecret | default (randAlphaNum 128) | b64enc |
quote }}
{{- end }}
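Review bot: Raising the default to `randAlphaNum 128` does not change the fact that the value is regenerated on every render when `jwtSecret` is unset, so each `helm upgrade` still rotates the secret, and nothing in the template records why 128 was chosen or how it relates to the 64-character floor the new test asserts. A one-line template comment above the data line would keep the three in step, e.g. `{{- /* 128 alphanumeric chars (~760 bits of entropy) when jwtSecret is unset; regenerated on every upgrade, so production should use jwtSecretName */ -}}`. Sprig v3, as bundled with Helm 3, draws randAlphaNum from crypto/rand, so the generated value is suitable as key material; this is worth confirming against the chart's declared minimum Helm version.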
diff --git a/chart/values.schema.json b/chart/values.schema.json
index a9560366ffe..658de692e9b 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1617,7 +1617,7 @@
"default": null
},
"jwtSecret": {
- "description": "Secret key used to encode and decode JWTs to
authenticate to public and private APIs (can only be set during install, not
upgrade).",
+ "description": "Secret key used to encode and decode JWTs to
authenticate to public and private APIs. Note: It is not recommended to use in
production as during helm upgrade it will be changed which can cause dag
failures during component rollover.",
"type": [
"string",
"null"
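Review bot: The new description reads as though setting `jwtSecret` at all is discouraged, but the upgrade-time change only happens when the value is left unset and jwt-secret.yaml falls back to `randAlphaNum`; a value that is set explicitly is rendered as given and therefore stable across upgrades. The same wording is added in the values.yaml hunk. A clearer description would be `Secret key used to encode and decode JWTs to authenticate to public and private APIs. If left unset, a random value is generated on every helm install/upgrade, which rotates the secret and can cause DAG failures during component rollover; for production, reference a pre-created secret via jwtSecretName.` The old caveat "(can only be set during install, not upgrade)" was dropped; if that restriction still applies it should be kept rather than replaced.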
diff --git a/chart/values.yaml b/chart/values.yaml
index 75e0c979656..e9f7876450b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -580,6 +580,8 @@ apiSecretKeySecretName: ~
# api-secret-key: <base64_encoded_api_secret_key>
# Secret key used to encode and decode JWTs: '[api_auth] jwt_secret' in
airflow.cfg
+# Note: It is not advised to use in production as during helm upgrade it will
be changed
+# which can cause dag failures during component rollouts
jwtSecret: ~
# Add custom annotations to the JWT secret
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
b/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
index a6afbd69eab..046587cc14d 100644
--- a/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
+++ b/helm-tests/tests/helm_tests/airflow_aux/test_basic_helm_chart.py
@@ -738,6 +738,13 @@ class TestBaseChartTest:
==
"postgresql://postgres:postgres@overrideName:5432/postgres?sslmode=disable"
)
+ def test_jwt_secret_has_recommended_length(self):
+ doc = render_chart(
+ show_only=["templates/secrets/jwt-secret.yaml"],
+ )[0]
+
+ assert
len(base64.b64decode(doc["data"]["jwt-secret"]).decode("utf-8")) >= 64
+
def test_priority_classes(self):
pc = [
{"name": "class1", "preemptionPolicy": "PreemptLowerPriority",
"value": 1000},
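Review bot: The floor of 64 in the new assertion is looser than the 128 characters jwt-secret.yaml now generates, and the test gives no hint of where either number comes from, so a later regression of the template back to 64 would still pass. Either pin the rendered default, `assert len(base64.b64decode(doc["data"]["jwt-secret"])) == 128`, or keep the floor and explain it with a comment such as `# jwt-secret.yaml defaults to randAlphaNum 128; 64 alphanumeric chars (~380 bits) is the minimum we guarantee`. The `.decode("utf-8")` adds nothing to the length check, since randAlphaNum output is ASCII and byte length equals character length. TestBaseChartTest continues outside the hunk.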