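# Helm values for an Airflow deployment: KubernetesExecutor, DAGs pulled with
# git-sync over SSH, an nginx ingress with a cert-manager certificate, and
# Keycloak (OIDC) login for the API server / UI.
executor: KubernetesExecutor

dags:
  gitSync:
    enabled: true
    repo: git@github.com:idirbfs/dags.git
    # Tracks the tip of `main`: whatever is pushed there is fetched and run as
    # DAG code, so write access to that branch is effectively code execution
    # in this deployment.
    branch: main
    rev: HEAD
    depth: 1
    maxFailures: 3
    subPath: ""
    # Kubernetes Secret holding the SSH private key; created outside this file.
    sshKeySecret: airflow-gitsync-ssh
    # NOTE(review): no `knownHosts` is set here. Confirm that SSH host-key
    # verification for github.com is configured, otherwise the sync cannot
    # tell the real host from an impersonated one.
    period: 60s

ingress:
  apiServer:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - name: airflow.idir-belfares.fr
        tls:
          enabled: true
          secretName: airflow-tls
    path: "/"
    pathType: "Prefix"

apiServer:
  apiServerConfig: |
    import logging

    import requests
    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
    from flask_appbuilder.security.manager import AUTH_OAUTH

    log = logging.getLogger(__name__)


    class CustomSecurityManager(FabAirflowSecurityManagerOverride):
        """Security manager that builds the user profile from Keycloak's userinfo endpoint."""

        def get_oauth_user_info(self, provider, resp):
            """Return the user-info dict for an OAuth login.

            For the "keycloak" provider the access token from ``resp`` is sent
            to the realm's userinfo endpoint and the answer is mapped to
            username, email, first_name, last_name and role_keys. Every other
            provider is delegated to the parent class.

            Returns an empty dict when the token response carries no access
            token, so that no request is made with a meaningless bearer value.
            Raises ``requests.HTTPError`` when the userinfo call answers with
            an error status.
            """
            if provider != "keycloak":
                return super().get_oauth_user_info(provider, resp)

            token = resp.get("access_token")
            if not token:
                # Without this guard the request below would be sent with the
                # literal header "Bearer None".
                log.warning("Keycloak OAuth response has no access_token")
                return {}

            url = "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/protocol/openid-connect/userinfo"
            # Certificate verification stays at the requests default (on) and
            # the call is bounded by a timeout.
            r = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
            r.raise_for_status()
            me = r.json()
            return {
                "username": me.get("preferred_username"),
                "email": me.get("email"),
                "first_name": me.get("given_name", ""),
                "last_name": me.get("family_name", ""),
                # `or []` also covers a "groups" claim that is present but null.
                # NOTE(review): whether Keycloak emits a "groups" claim for
                # this client depends on a mapper not visible here - confirm.
                "role_keys": me.get("groups") or [],
            }


    SECURITY_MANAGER_CLASS = CustomSecurityManager

    AUTH_TYPE = AUTH_OAUTH
    # Every account that can complete the Keycloak login for this client is
    # created on first login with the role below. No AUTH_ROLES_MAPPING is
    # defined in this config, so the "role_keys" returned above do not change
    # the assigned role.
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Viewer"

    OAUTH_PROVIDERS = [
        {
            "name": "keycloak",
            "token_key": "access_token",
            "icon": "fa-key",
            "remote_app": {
                "client_id": "airflow",
                # NOTE(review): looks like a placeholder. Do not put the real
                # client secret in this values file; read it from an
                # environment variable backed by a Kubernetes Secret instead.
                "client_secret": "TON_SECRET",
                "server_metadata_url": "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/.well-known/openid-configuration",
                "client_kwargs": {
                    "scope": "openid email profile",
                    "token_endpoint_auth_method": "client_secret_post"
                }
            }
        }
    ]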