Manual pod rollout restart required for changes to jwt-secret

[jeff-cook]

Official Helm Chart version

1.19.0 (latest released)

Apache Airflow version

3.1.7

Kubernetes Version

v1.33.7-eks-ac2d5a0

Helm Chart configuration

Can duplicate issue with default values.yaml file.

Docker Image customizations

None

What happened

Not all manifests include checksum/jwt-secret annotation. This means when this value is updated the pods will not automatically be recreated.

I show following files use the secret with including the checksum annotation.

• dag-processor/dag-processor-deployment.yaml
• triggerer/triggerer-deployment.yaml
• workers/worker-deployment.yaml

The following jobs also don't have the annotation, but not sure it's an issue, due to it being a job.

• jobs/migrate-database-job.yaml
• jobs/create-user-job.yaml

What you think should happen instead

A Deployment and StatefulSet that use the jwt-secret Secret should include spec.template.metadata.annotation.checksum/jwt-secret

How to reproduce

Run in the chart/

helm template . --output-dir tmp 
find tmp/ -type f | xargs grep jwt-secret

This will show all the places the jwt-secret is used and where the checksum/jwt-secret annotation is.

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.