airflow3-kub/helm/airflow/values.yaml

# Helm values for an Airflow deployment: executor choice and Ingress exposure
# of the API server.
# NOTE(review): this listing lost its indentation; the nesting below is
# reconstructed from the key names. Confirm it against the chart's values
# schema, in particular whether `tls` belongs to the host entry.

# Selects the KubernetesExecutor as the task executor.
executor: KubernetesExecutor
ingress:
  apiServer:
    enabled: true
    ingressClassName: nginx
    hosts:
      # Wildcard-DNS (nip.io) hostname that embeds an IP address.
      - name: airflow.49.13.143.254.nip.io
        # NOTE(review): TLS is switched off for this host, so unless something
        # in front of the Ingress terminates TLS, the UI/API and the OAuth
        # login configured under apiServer.apiServerConfig in this file are
        # served over plain HTTP. Session cookies and authorization codes
        # would then be readable on the path. Enable TLS with a certificate
        # Secret before exposing this beyond a lab.
        tls:
          enabled: false
    # Route every path under the host to the API server.
    path: "/"
    pathType: "Prefix"
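apiServer:
  # Python source for the API server's Flask-AppBuilder (FAB) configuration:
  # it switches login to OAuth against a Keycloak realm and maps token claims
  # to FAB user fields.
  # NOTE(review): indentation of this block was lost in the listing and is
  # reconstructed here from the Python syntax.
  apiServerConfig: |
    from flask_appbuilder.security.manager import AUTH_OAUTH

    # Delegate authentication to an OAuth provider. Unknown users are
    # self-registered on first login and receive the "Viewer" role.
    AUTH_TYPE = AUTH_OAUTH
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Viewer"

    OAUTH_PROVIDERS = [
        {
            "name": "keycloak",
            "token_key": "access_token",
            "icon": "fa-key",
            "remote_app": {
                "client_id": "airflow",
                # SECURITY(review): the confidential-client secret is
                # committed in clear text in a values file. Treat it as
                # compromised: rotate it in Keycloak and supply the new value
                # from a Kubernetes Secret (for example via an environment
                # variable read here) instead of storing it in the repository.
                "client_secret": "kbUXWFjemGqHdfEZg5gxgcCnjK0y6eel",
                # SECURITY(review): every Keycloak endpoint below, including
                # the browser-facing authorize_url, is plain http://.
                # Authorization codes, tokens and the client secret then
                # cross the network unencrypted. Move them to https://.
                "api_base_url": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect",
                "request_token_url": None,
                "access_token_url": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/token",
                "authorize_url": "http://keycloak.49.13.143.254.nip.io/auth/realms/airflow-realm/protocol/openid-connect/auth",
                "jwks_uri": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/certs",
                "userinfo_endpoint": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/userinfo",
                "client_kwargs": {
                    "scope": "openid email profile",
                    # NOTE(review): presumably forwarded to the HTTP client
                    # to skip TLS certificate validation. It has no effect
                    # while the back-channel URLs are http://, and would
                    # silently disable certificate checks once they become
                    # https://. Remove it when TLS is introduced.
                    "verify": False
                }
            }
        }
    ]

    # NOTE(review): `airflow.www` is the Airflow 2 webserver package. Confirm
    # this import resolves on the Airflow version this chart deploys; the FAB
    # provider ships its security manager as
    # airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride.
    from airflow.www.security import AirflowSecurityManager
    import jwt
    import logging


    class CustomSecurityManager(AirflowSecurityManager):
        """Security manager that derives FAB user fields from Keycloak tokens."""

        def oauth_user_info(self, provider, response=None):
            """Map the claims of a Keycloak access token to FAB user info.

            Returns a dict with username, first_name, last_name, email and
            role_keys for provider "keycloak". Returns an empty dict for any
            other provider or when the response carries no access token.
            """
            if provider != "keycloak":
                return {}

            # Guard against a missing response or token instead of failing
            # with AttributeError or a decode error further down.
            token = response.get("access_token") if response else None
            if not token:
                logging.warning("Keycloak response carried no access_token")
                return {}

            # SECURITY(review): the token signature is NOT verified here, so
            # identity and role claims are trusted solely because of the
            # channel they arrived on, which is plain HTTP in this
            # configuration. Verify the token against the realm's signing
            # keys (the jwks_uri above; PyJWT 2.x offers jwt.PyJWKClient),
            # pin the accepted algorithms, and check issuer and audience.
            # This only helps once the key endpoint itself is served over TLS.
            data = jwt.decode(token, options={"verify_signature": False})

            # Log only the login name; the full claim set holds personal data.
            logging.debug(
                "Keycloak login for user: %s",
                data.get("preferred_username", ""),
            )
            return {
                "username": data.get("preferred_username", ""),
                "first_name": data.get("given_name", ""),
                "last_name": data.get("family_name", ""),
                "email": data.get("email", ""),
                # NOTE(review): no role mapping setting is visible in this
                # config; confirm how these keys are consumed before relying
                # on them for authorization.
                "role_keys": data.get("roles", []),
            }


    SECURITY_MANAGER_CLASS = CustomSecurityManager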