airflow3-kub/helm/airflow/values.yaml

executor: KubernetesExecutor

dags:
  gitSync:
    enabled: true
    repo: git@github.com:idirbfs/dags.git
    branch: main
    rev: HEAD
    depth: 1
    maxFailures: 3
    subPath: ""
    sshKeySecret: airflow-gitsync-ssh
    period: 60s

ingress:
  apiServer:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - name: airflow.idir-belfares.fr
        tls:
          enabled: true
          secretName: airflow-tls
    path: "/"
    pathType: "Prefix"

apiServer:
  apiServerConfig: |
    from flask_appbuilder.security.manager import AUTH_OAUTH
    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
    import requests

    class CustomSecurityManager(FabAirflowSecurityManagerOverride):
        def get_oauth_user_info(self, provider, resp):
            if provider == "keycloak":
                token = resp.get("access_token")
                url = "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/protocol/openid-connect/userinfo"
                r = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
                r.raise_for_status()
                me = r.json()
                return {
                    "username": me.get("preferred_username"),
                    "email": me.get("email"),
                    "first_name": me.get("given_name", ""),
                    "last_name": me.get("family_name", ""),
                    "role_keys": me.get("groups", []),
                }
            return super().get_oauth_user_info(provider, resp)

    SECURITY_MANAGER_CLASS = CustomSecurityManager
    AUTH_TYPE = AUTH_OAUTH
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Viewer"

    OAUTH_PROVIDERS = [
      {
        "name": "keycloak",
        "token_key": "access_token",
        "icon": "fa-key",
        "remote_app": {
          "client_id": "airflow",
          "client_secret": "TEQqjspeIrGRVLSxyArkjBMF3StaltwL",
          "server_metadata_url": "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/.well-known/openid-configuration",
          "client_kwargs": {
            "scope": "openid email profile",
            "token_endpoint_auth_method": "client_secret_post"
          }
        }
      }
    ]