feat: manual only deployment

helm/airflow/values.yaml

@@ -32,9 +32,33 @@ apiServer:
           "access_token_url": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/token",
           "authorize_url": "http://keycloak.49.13.143.254.nip.io/auth/realms/airflow-realm/protocol/openid-connect/auth",
           "jwks_uri": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/certs",
+          "userinfo_endpoint": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/userinfo",
           "client_kwargs": {
-            "scope": "openid email profile"
+            "scope": "openid email profile",
+            "verify": False
           }
         }
       }
     ]
+
+    from airflow.www.security import AirflowSecurityManager
+    from flask_appbuilder.security.manager import AUTH_OAUTH
+    import jwt
+    import logging
+
+    class CustomSecurityManager(AirflowSecurityManager):
+        def oauth_user_info(self, provider, response=None):
+            if provider == "keycloak":
+                token = response.get("access_token")
+                data = jwt.decode(token, options={"verify_signature": False})
+                logging.debug("Keycloak user info: %s", data)
+                return {
+                    "username": data.get("preferred_username", ""),
+                    "first_name": data.get("given_name", ""),
+                    "last_name": data.get("family_name", ""),
+                    "email": data.get("email", ""),
+                    "role_keys": data.get("roles", []),
+                }
+            return {}
+
+    SECURITY_MANAGER_CLASS = CustomSecurityManager