Restricting secrets to webserver only

[mikaeld]

Hi,

I use the official helm chart (1.4.0) for a deployment (2.2.4). I'm adding Google OpenID Connect to our deployment. I'm trying to find the best setup for passing secrets to webserver_config.py. At the moment, I added CLIENT_ID and CLIENT_SECRET to env, but this means that those two secrets will show up as environment variables in each pod, including the task pods. I'd rather restrict them to the webserver pod only.

One possible solution would be to use templating in webserverConfig. Is there a way to do this? Or, more generally, is there a way to ensure those secrets are available only on the webserver pod?

This is the current setup in my values override file (client_id and client_secret lines)

  webserverConfig: |-
    
    import os

    from airflow import configuration
    from airflow.www.fab_security.manager import AUTH_OAUTH
     
    # The SQLAlchemy connection string.
    SQLALCHEMY_DATABASE_URI = configuration.conf.get("core", "SQL_ALCHEMY_CONN")
    basedir = os.path.abspath(os.path.dirname(__file__))
    CSRF_ENABLED = True
    AUTH_TYPE = AUTH_OAUTH
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "User"
    OAUTH_PROVIDERS = [
        {
            "name": "google",
            "token_key": "access_token",
            "icon": "fa-google",
            "remote_app": {
                "api_base_url": "https://www.googleapis.com/oauth2/v2/",
                "client_kwargs": {"scope": "email profile"},
                "access_token_url": "https://accounts.google.com/o/oauth2/token",
                "authorize_url": "https://accounts.google.com/o/oauth2/auth",
                "request_token_url": None,
                "client_id": os.environ["CLIENT_ID"],
                "client_secret": os.environ["CLIENT_SECRET"],
            },
        }
    ]

Thanks!

[deenMuhammad]

As of chart version 1.10.0 and deployment version 2.6.2 you can pass env variables to webserver with webserver.env