Miretpl commented on PR #68265: URL: https://github.com/apache/airflow/pull/68265#issuecomment-4663680183
I think that this can make things worse for some people if we merge it. Fernet Key is doing encryption of Airflow Connection and Variables in the metadata database. With the rollover of Airflow components after generating a new Fernet Key and without execution of the `airflow rotate-fernet-key` command, it can result in a lot of errors in the production environment (probably the Secret Backend is not affected by this). From my perspective, the change of Fernet Key is not restarting components for that reason, as the whole Fernet Key rollover requires a little more than just component restarts and probably it would require some synchronisation between the rotation command execution and running components of Airflow to make sure that the key rollover will not be disruptive for operations. This is the reason why I would stay with the current behaviour and just add info in the doc regarding it (I recall that we have something like that, but I couldn't find it quickly). *Addition* Not sure how the setup is done, but the `pre-install` hook is in the fernet secret for a reason: to make sure that it will not rotate during the helm upgrade operation. It is a bit weird to me that a release upgrade would happen by removing the release and creating a new one every time (this is basically the case where this issue will happen - of course, no state change on the db side is needed too). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
