Skip to content

chore: Use internal secret for JWT key #686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 22, 2025
Merged

chore: Use internal secret for JWT key #686

merged 9 commits into from
Sep 22, 2025

Conversation

@adwk67
Copy link
Member

@adwk67 adwk67 commented Sep 10, 2025
edited by maltesander
Loading

Description

Fixes #639

This change is non-breaking as the secret is created and used only "internally". The user does not have to create a secret themselves. The sample applies for the connections.secretKey that is part of the credentials secret used for DB connection information: this has been removed from all code (incl. examples, tests) and replaced with an internal secret. If the field is still provided it will be ignored.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible 🟢 tests
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@adwk67 adwk67 moved this to Development: In Progress in Stackable Engineering Sep 10, 2025
@adwk67 adwk67 self-assigned this Sep 10, 2025
@adwk67 adwk67 marked this pull request as ready for review September 10, 2025 15:41
@adwk67 adwk67 moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering Sep 10, 2025
@adwk67 adwk67 requested a review from a team September 10, 2025 16:13
@maltesander maltesander self-requested a review September 15, 2025 07:15
@maltesander maltesander moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Sep 15, 2025
maltesander
maltesander requested changes Sep 15, 2025
View reviewed changes
@adwk67 adwk67 enabled auto-merge September 15, 2025 14:59
@adwk67 adwk67 disabled auto-merge September 21, 2025 15:54
@adwk67
Copy link
Member Author

adwk67 commented Sep 22, 2025

Release notes

The JWT key is now created by the the operator internally. The same applies to the key previously defined in the credentials secret under connections.secretKey: this change is non-breaking, as connections.secretKey will be ignored if supplied.

maltesander
maltesander requested changes Sep 22, 2025
View reviewed changes
maltesander
maltesander approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@maltesander maltesander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@adwk67 adwk67 enabled auto-merge September 22, 2025 11:25
@adwk67 adwk67 added this pull request to the merge queue Sep 22, 2025
Merged via the queue into main with commit d87f005 Sep 22, 2025
42 of 47 checks passed
@adwk67 adwk67 deleted the chore/use-internal-secrets branch September 22, 2025 12:24
@adwk67 adwk67 moved this from Development: In Review to Development: Done in Stackable Engineering Sep 22, 2025
@lfrancke lfrancke moved this from Development: Done to Acceptance: In Progress in Stackable Engineering Sep 22, 2025
@lfrancke lfrancke added release/25.11.0 release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Sep 22, 2025
@lfrancke lfrancke moved this from Acceptance: In Progress to Done in Stackable Engineering Sep 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@razvan razvan razvan left review comments

@lfrancke lfrancke lfrancke left review comments

@maltesander maltesander maltesander approved these changes

@sbernauer sbernauer Awaiting requested review from sbernauer

Assignees

@adwk67 adwk67

Labels

release/25.11.0 release-note Denotes a PR that will be considered when it comes time to generate release notes.

Projects

Stackable Engineering
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Airflow 3.x: replace hard-coded JWT secret key with one read from a secret (or auto-generated)

6 participants

@adwk67 @razvan @lfrancke @maltesander @sbernauer