Security — Airflow

The tdp-airflow chart supports optional LDAP authentication for the Airflow UI and API Server (Flask-AppBuilder). By default, tdp-airflow.ldap.enabled is false.

Prerequisites

  • LDAP server accessible from the Kubernetes cluster
  • Bind credentials (user and password), typically provided via a Secret

Bind password Secret

Create the Secret before installing or upgrading the release, or declare it in a manifest with placeholders:

Terminal input
kubectl -n <namespace> create secret generic <ldap-bind-secret> \
  --from-literal=password='<ldap-bind-password>'

Equivalent alternative (manifest):

apiVersion: v1
kind: Secret
metadata:
  name: <ldap-bind-secret>
  namespace: <namespace>
type: Opaque
stringData:
  password: "<ldap-bind-password>"

Important

If the Secret referenced in tdp-airflow.extraEnv does not exist, pods may fail to start.

Configure LDAP

In a values file (e.g. values-ldap.yaml), use the tdp-airflow.ldap.* prefix and inject the password with tdp-airflow.extraEnv:

tdp-airflow:
  ldap:
    enabled: true
    apiServerConfig: |
      import os
      from flask_appbuilder.security.manager import AUTH_LDAP

      AUTH_TYPE = AUTH_LDAP
      AUTH_LDAP_SERVER = "ldap://<ldap-host>:389"
      AUTH_LDAP_USE_TLS = False
      AUTH_LDAP_BIND_USER = "uid=<bind-user>,cn=users,cn=accounts,dc=example,dc=com"
      AUTH_LDAP_BIND_PASSWORD = os.environ.get("LDAP_BIND_PASSWORD", "")
      AUTH_LDAP_SEARCH = "cn=users,cn=accounts,dc=example,dc=com"
      AUTH_LDAP_UID_FIELD = "uid"
      AUTH_LDAP_EMAIL_FIELD = "mail"
      AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
      AUTH_LDAP_LASTNAME_FIELD = "sn"
      AUTH_USER_REGISTRATION = True
      AUTH_USER_REGISTRATION_ROLE = "User"

  extraEnv: |
    - name: LDAP_BIND_PASSWORD
      valueFrom:
        secretKeyRef:
          name: <ldap-bind-secret>
          key: password

Tip

The bind password should not be stored in plain text in a versioned values.yaml; use valueFrom.secretKeyRef in tdp-airflow.extraEnv.
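
The following is an added pre-deployment check, not part of the tdp-airflow chart: it parses the apiServerConfig snippet with the ast module (it is never executed, so flask_appbuilder need not be installed) and cross-checks it against the extraEnv block. It flags a bind password typed as a literal, an environment variable name that extraEnv does not inject, a referenced Secret that does not exist (the "pod does not start" case), and an ldap:// server with AUTH_LDAP_USE_TLS left False, which sends the simple bind in clear text. The sample values (ldap.example.com, airflow-ldap-bind, airflow-bind) are constructed placeholders.

```python
import ast
import re

# Constructed sample: the apiServerConfig snippet from values-ldap.yaml, with placeholders filled in.
API_SERVER_CONFIG = '''
import os
from flask_appbuilder.security.manager import AUTH_LDAP
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://ldap.example.com:389"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_BIND_USER = "uid=airflow-bind,cn=users,cn=accounts,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = os.environ.get("LDAP_BIND_PASSWORD", "")
AUTH_LDAP_SEARCH = "cn=users,cn=accounts,dc=example,dc=com"
'''

# Constructed sample: the extraEnv block from the same values file.
EXTRA_ENV = '''
- name: LDAP_BIND_PASSWORD
  valueFrom:
    secretKeyRef:
      name: airflow-ldap-bind
      key: password
'''

def assignments(source):
    """Map top-level NAME = <expr> assignments to their AST nodes; the snippet is parsed, never executed."""
    out = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            out[node.targets[0].id] = node.value
    return out

def lint_ldap_values(api_config, extra_env, existing_secrets):
    """Return findings as strings; an empty list means the two blocks agree and the bind is not hardcoded."""
    findings, cfg = [], assignments(api_config)
    pw = cfg.get("AUTH_LDAP_BIND_PASSWORD")
    if isinstance(pw, ast.Constant):  # password typed into values.yaml instead of read from the environment
        findings.append("AUTH_LDAP_BIND_PASSWORD is a literal; read it with os.environ.get(...)")
    elif isinstance(pw, ast.Call) and pw.args and isinstance(pw.args[0], ast.Constant):
        env_name = pw.args[0].value  # the variable extraEnv must inject
        m = re.search(r"-\s*name:\s*(\S+)\s+valueFrom:\s+secretKeyRef:\s+name:\s*(\S+)\s+key:\s*(\S+)", extra_env)
        if not m or m.group(1) != env_name:
            findings.append(f"extraEnv does not inject {env_name} from a secretKeyRef")
        elif m.group(2) not in existing_secrets:  # the troubleshooting table's 'pod does not start' case
            findings.append(f"Secret {m.group(2)} not found; pods referencing it will not start")
    server, use_tls = cfg.get("AUTH_LDAP_SERVER"), cfg.get("AUTH_LDAP_USE_TLS")
    plain = isinstance(server, ast.Constant) and server.value.startswith("ldap://")
    if plain and not (isinstance(use_tls, ast.Constant) and use_tls.value):  # simple bind sent in clear text
        findings.append("AUTH_LDAP_SERVER is ldap:// and AUTH_LDAP_USE_TLS is False; bind password travels unencrypted")
    return findings
```

Feed it the real blocks from your values file and the output of `kubectl -n <namespace> get secrets` to catch a name mismatch before running helm upgrade.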

Install or upgrade with LDAP

Terminal input
helm upgrade --install <release> oci://registry.tecnisys.com.br/tdp/charts/tdp-airflow \
  -n <namespace> --create-namespace \
  -f values.yaml \
  -f values-ldap.yaml

LDAP Parameters

| Parameter | Description |
| --- | --- |
| tdp-airflow.ldap.enabled | Enables LDAP authentication |
| tdp-airflow.ldap.apiServerConfig | Python Flask-AppBuilder snippet (AUTH_LDAP, etc.) |
| tdp-airflow.extraEnv | Extra variables; use for LDAP_BIND_PASSWORD via Secret |

Troubleshooting

| Problem | Probable cause | Solution |
| --- | --- | --- |
| Pod does not start | Bind Secret missing or incorrect name | Create/fix the Secret and align secretKeyRef.name in tdp-airflow.extraEnv |
| Invalid credentials | Incorrect bind DN or password | Validate the bind using LDAP tools in your environment |
| User has no permission | Default registration role | Adjust AUTH_USER_REGISTRATION_ROLE in tdp-airflow.ldap.apiServerConfig |