deepujain commented on PR #63204: URL: https://github.com/apache/airflow/pull/63204#issuecomment-4027698003
Thanks for the review.

Triggerer and workers: They act as clients (consume/execute); they don’t issue JWTs, so they don’t need to be restarted when the JWT secret rotates. And from a security perspective, they ideally shouldn’t have access to the JWT secret at all.

Dag processor: Same idea. If it only runs the internal API server (and may become an API client later), it doesn’t need the JWT secret to process DAGs, so no need to restart it on JWT rotation.

The PR only added the checksum where the chart already injects the JWT secret (via the shared env when enableBuiltInSecretEnvVars.AIRFLOW__API_AUTH__JWT_SECRET is true), so the intent was “when the secret is rotated, restart these pods so they pick up the new value.”
