apache · jscheffl · Mar 16, 2026 · Jan 18, 2026 · Jan 18, 2026 · Mar 15, 2026
@@ -0,0 +1,57 @@
+Automatic ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`` and ``AIRFLOW__KUBERNETES_SECRETS__`` prefix addition removed from ``container_extra_envs`` and ``custom_airflow_environment``
+
+The automatic prefix addition for Kubernetes Executor environment variables and secrets has been removed from both the ``container_extra_envs`` and ``custom_airflow_environment`` helper functions.
+
+**What changed:**
+
+Previously, when you added environment variables to component-specific configurations (e.g., ``.Values.scheduler.env``, ``.Values.workers.env``, ``.Values.apiServer.env``, ``.Values.dagProcessor.env``), the chart automatically created an additional environment variable with the ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__`` prefix for Kubernetes Executor worker pods.
+
+**Example - Before:**
+.. code-block:: yaml
+
+   apiServer:
+     env:
+       - name: MY_VAR
+         value: "my_value"
+
+This would automatically create both:
+* ``MY_VAR=my_value`` (for the apiServer)
+* ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__MY_VAR=my_value`` (for worker pods)
+
+**Example - After:**
+.. code-block:: yaml
+
+   apiServer:
+     env:
+       - name: MY_VAR
+         value: "my_value"
+
+Now only ``MY_VAR=my_value`` is created for the apiServer. The ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__MY_VAR`` is **no longer automatically created**.
+
+**Why this change:**
+
+* **Prevent Unintended Exposure of Sensitive Data**: Sensitive information (e.g., ``client_secret``) that should be securely handled via ``secretKeyRef`` for specific components was being automatically prefixed with ``AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__``. This prefixing causes these variables to be recognized as part of Airflow's internal configuration, leading to their unintended exposure in the Airflow Web UI (under Admin -> Configuration), even when ``AIRFLOW__API__EXPOSE_CONFIG`` is set to ``non-sensitive-only``.
+
+* **Avoid Unintended Environment Propagation to Workers**: Component-specific env configurations are intended strictly for specific components. However, the previous behavior caused these variables to be inadvertently passed to worker pods, which may result in unintended configuration conflicts and unexpected side effects.
+
+**Migration Required:**
+
+If you need to pass environment variables specifically to Kubernetes Executor worker pods, use one of the following approaches:
+
+**Option 1: Use ``.Values.env``**
+.. code-block:: yaml
+
+   env:
+     - name: my_var
+       value: "my_value"
+
+Environment variables in ``.Values.env`` are now passed as-is without the automatic prefix (same behavior as component-specific env).
+
+**Option 2: Use ``.Values.config.kubernetes_environment_variables``**
+.. code-block:: yaml
+
+   config:
+     kubernetes_environment_variables:
+       my_var: "my_value"
+
+**Secrets (``.Values.secret``):** The ``AIRFLOW__KUBERNETES_SECRETS__`` prefix is no longer automatically added. Secrets are now passed as-is via ``secretKeyRef`` without the prefixed copy for worker pods.
@@ -154,10 +154,6 @@ If release name contains chart name it will be used as a full name.
   {{- range $i, $config := .Values.env }}
   - name: {{ $config.name }}
     value: {{ $config.value | quote }}
-    {{- if or (contains "KubernetesExecutor" $.Values.executor) (contains "LocalKubernetesExecutor" $.Values.executor) (contains "CeleryKubernetesExecutor" $.Values.executor) }}
-  - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
-    value: {{ $config.value | quote }}
-    {{- end }}
   {{- end }}
   # Dynamically created secret envs
   {{- range $i, $config := .Values.secret }}
@@ -167,12 +163,6 @@ If release name contains chart name it will be used as a full name.
         name: {{ $config.secretName }}
         key: {{ default "value" $config.secretKey }}
   {{- end }}
-  {{- if or (contains "LocalKubernetesExecutor" $.Values.executor) (contains "KubernetesExecutor" $.Values.executor) (contains "CeleryKubernetesExecutor" $.Values.executor) }}
-    {{- range $i, $config := .Values.secret }}
-  - name: AIRFLOW__KUBERNETES_SECRETS__{{ $config.envName }}
-    value: {{ printf "%s=%s" $config.secretName $config.secretKey }}
-    {{- end }}
-  {{ end }}
   # Extra env
   {{- $Global := . }}
   {{- with .Values.extraEnv }}
@@ -999,23 +989,6 @@ capabilities:
         key: {{ $config.valueFrom.configMapKeyRef.key }}
       {{- end }}
     {{- end }}
-    {{- if or (contains "KubernetesExecutor" $.Values.executor) (contains "LocalKubernetesExecutor" $.Values.executor) (contains "CeleryKubernetesExecutor" $.Values.executor) }}
-  - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
-    {{- if $config.value }}
-    value: {{ $config.value | quote }}
-    {{- else if $config.valueFrom }}
-    valueFrom:
-      {{- if $config.valueFrom.secretKeyRef }}
-      secretKeyRef:
-        name: {{ $config.valueFrom.secretKeyRef.name }}
-        key: {{ $config.valueFrom.secretKeyRef.key }}
-      {{- else if $config.valueFrom.configMapKeyRef }}
-      configMapKeyRef:
-        name: {{ $config.valueFrom.configMapKeyRef.name }}
-        key: {{ $config.valueFrom.configMapKeyRef.key }}
-      {{- end }}
-    {{- end }}
-    {{- end }}
   {{- end }}
 {{- end }}