[bitnami/airflow] Invalid Login on Web UI Despite Correct Credentials in Helm Values

[BMelekAlan]

Name and Version

bitnami/airflow 21.1.1

What architecture are you using?

amd64

What steps will reproduce the bug?

1. Deploy the Bitnami Airflow Helm Chart using ArgoCD:

• Create an ArgoCD Application resource to deploy the bitnami/airflow Helm chart on an Amazon EKS cluster.
• In the values.yaml configuration under helm.values, set custom values for auth.username and auth.password to specify the login credentials

2. Sync the ArgoCD Application:

• Sync the ArgoCD application to apply the Helm chart, which deploys Airflow on the EKS cluster with the specified custom credentials.

3. Verify the Created Airflow Secret:

• After deployment, check the airflow secret in the airflow namespace to confirm it contains the username and password.
• Decode the password from the secret to confirm it matches the intended value set in values.yaml using:
  kubectl get secret airflow -n airflow -o yaml echo "<base64-encoded-password>" | base64 --decode

4. Attempt to Log In to the Airflow Web UI:

• Open the Airflow Web UI and try logging in with the username and password defined in values.yaml.
• Observe that the login fails with an "invalid login" error, even though the credentials are set correctly.
• Inspect the Airflow Web Server Logs:
  Check the logs from the Airflow web server pod to confirm the login failure:

[2024-11-05T09:05:36.753+0000] {override.py:2203} INFO - Login Failed for user: user

Are you using any custom parameters or values?

auth:
  username: user
  password: L2UPI0gBbu
  fernetKey: YVRZeVJVWnlXbU4wY1dOalVrdE1SV3cxWWtKeFIzWkVRVTVrVjNaTFR6WT0=
  secretKey: a25mQ1FHTUh3MnFRSk5KMEIyVVU2YmN0VGRyYTVXY08=

redis:
  enabled: true
  auth:
    enabled: true
    password: "redis-password"
  architecture: standalone

ingress:
  enabled: true
  ingressClassName: "nginx"
  hostname: "airflow.xxx.xxx.xxx"
  annotations:
    kubernetes.io/ingress.class: nginx

postgresql:
  enabled: true
  auth:
    enablePostgresUser: true
    username: bn_airflow
    password: "cG9zdGdyZXMK"
    database: bitnami_airflow

What is the expected behavior?

The Airflow Web UI should allow successful login with the credentials specified in the auth.username and auth.password fields of the Helm values.yaml file. Specifically:

1. The airflow Kubernetes secret should be created or updated with the correct username and password as specified in values.yaml.
2. Users should be able to access the Airflow Web UI using the specified auth.username and auth.password.
3. No "invalid login" error should occur, and the login process should complete successfully.

What do you see instead?

When attempting to log in to the Airflow Web UI using the credentials specified in values.yaml (auth.username and auth.password), the login fails with an "invalid login" error.

In the Airflow web server logs, the following message is observed:

[2024-11-05T09:05:36.753+0000] {override.py:2203} INFO - Login Failed for user: user

This occurs despite the correct username and password being configured in the Helm chart values. Verification of the Kubernetes secret confirms that the airflow-password does not match the intended value, suggesting that the configured values are not being correctly applied.

Additional information

No response

[javsalgar]

Hi! Thank you for the detailed information. Could you confirm that you do not have leftovers from previous installations?

[BMelekAlan]

Hi! Thank you for the detailed information. Could you confirm that you do not have leftovers from previous installations?

I removed all components, deleted the Airflow namespace, and redeployed the Helm chart, but the same issue persists.

[juan131]

Hi @BMelekAlan

Verification of the Kubernetes secret confirms that the airflow-password does not match the intended value

I'm unable to reproduce that error. See how I double-checked that airflow-password matches whatever value I set in the auth.password parameter:

$ kubectl create namespace airflow
namespace/airflow created
$ helm install airflow oci://registry-1.docker.io/bitnamicharts/airflow --version 21.1.1 --set auth.password="L2UPI0gBbu" --namespace airflow
NAME: airflow
LAST DEPLOYED: Wed Nov  6 16:20:43 2024
NAMESPACE: airflow
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: airflow
CHART VERSION: 21.1.1
APP VERSION: 2.10.2
(...)
$ echo "$(kubectl get secret airflow -n airflow -o json | jq -r '.data["airflow-password"]' | base64 --decode)"
L2UPI0gBbu

[BMelekAlan]

Hi @juan131
Unfortunately, I am facing the same issue even though I followed the procedure you outlined. I can't log in with the username and password I set up using Helm. When I create a new user through the web pod using the command, I can successfully log in as that new user via the web user interface. However, I am unable to log in with the user account that was created using Helm.

airflow users create \
    --username admin \
    --firstname admin \
    --lastname admin \
    --role Admin \
    --email [email protected]

[juan131]

Hi @BMelekAlan

We're creating the user during the 1st bootstrap (when there's no data in the persisted volumes) in the webserver pods. Check these logs from a successful installation:

$ kubectl logs deploy/airflow-web -c airflow-web
(...)
airflow 09:28:44.91 INFO  ==> No injected configuration file found. Creating default config file
airflow 09:28:44.94 INFO  ==> Configuring Airflow webserver authentication
airflow 09:28:44.98 INFO  ==> Configuring Airflow database
(...)

Can you confirm that your logs look similar? It could happen that you have some environment where Airflow requires more time to complete the 1st bootstrap and the container get restarted (due to failing readiness probes) before it successfully create the user. In that case, the "create user" step could be skipped on the restart hence you face the issue you're describing.