chore: Use internal secret for JWT key (#686)

* chore: Use internal secret for JWT token

* remove connections.secretKey references, changelog, env-var comments

* cleaned up comments

* review feedback: refactoring

* replace openssl with rand crate

* use rand crate for generating keys

* corrected error text

Author: adwk67

CHANGELOG.md

@@ -9,6 +9,10 @@
 - Added a note on webserver workers to the trouble-shooting section ([#685]).
 - Helm: Allow Pod `priorityClassName` to be configured ([#687]).
 
+### Changed
+
+- Use internal secrets for secret- and jwt-keys ([#686]).
+
 ### Fixed
 
 - Don't panic on invalid authorization config. Previously, a missing OPA ConfigMap would crash the operator ([#667]).
@@ -25,6 +29,7 @@
 [#679]: https://github.com/stackabletech/airflow-operator/pull/679
 [#683]: https://github.com/stackabletech/airflow-operator/pull/683
 [#685]: https://github.com/stackabletech/airflow-operator/pull/685
+[#686]: https://github.com/stackabletech/airflow-operator/pull/686
 [#687]: https://github.com/stackabletech/airflow-operator/pull/687
 
 ## [25.7.0] - 2025-07-23

Cargo.lock

@@ -14,12 +14,14 @@ product-config = { git = "https://github.com/stackabletech/product-config.git",
 stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["telemetry", "versioned"], tag = "stackable-operator-0.95.0" }
 
 anyhow = "1.0"
+base64 = "0.22"
 built = { version = "0.8", features = ["chrono", "git2"] }
 clap = "4.5"
 const_format = "0.2"
 fnv = "1.0"
 futures = { version = "0.3", features = ["compat"] }
 indoc = "2.0"
+rand = "0.9.0"
 rstest = "0.26"
 semver = "1.0"
 serde = { version = "1.0", features = ["derive"] }

Cargo.nix

@@ -10,7 +10,6 @@ stringData:
   adminUser.lastname: Admin
   adminUser.email: airflow@airflow.com
   adminUser.password: airflow
-  connections.secretKey: thisISaSECRET_1234
   connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
   # Only needed when using celery workers (instead of Kubernetes executors)
   connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow

Cargo.toml

@@ -10,7 +10,6 @@ stringData:
   adminUser.lastname: Admin
   adminUser.email: airflow@airflow.com
   adminUser.password: airflow
-  connections.secretKey: thisISaSECRET_1234
   connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
   # Only needed when using celery workers (instead of Kubernetes executors)
   connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow

docs/modules/airflow/examples/example-airflow-secret.yaml

@@ -23,9 +23,6 @@ And apply it:
 [source,bash]
 include::example$getting_started/code/getting_started.sh[tag=apply-airflow-credentials]
 
-The `connections.secretKey` is used for securely signing the session cookies and can be used for any other security related needs by extensions.
-It should be a long random string of bytes.
-
 `connections.sqlalchemyDatabaseUri` must contain the connection string to the SQL database storing the Airflow metadata.
 
 `connections.celeryResultBackend` must contain the connection string to the SQL database storing the job metadata (the example above uses the same PostgreSQL database for both).

docs/modules/airflow/examples/getting_started/code/airflow-credentials.yaml

@@ -10,7 +10,6 @@ stringData:
   adminUser.lastname: Admin
   adminUser.email: airflow@airflow.com
   adminUser.password: airflow
-  connections.secretKey: thisISaSECRET_1234
   connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
   # Only needed when using celery workers (instead of Kubernetes executors)
   connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow

docs/modules/airflow/pages/getting_started/first_steps.adoc

@@ -138,7 +138,6 @@ stringData:
   adminUser.lastname: Admin
   adminUser.email: airflow@airflow.com
   adminUser.password: airflow
-  connections.secretKey: thisISaSECRET_1234
   connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
   # Only needed when using celery workers (instead of Kubernetes executors)
   connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow

examples/simple-airflow-cluster-dags-cmap.yaml

@@ -136,7 +136,6 @@ stringData:
   adminUser.lastname: Admin
   adminUser.email: airflow@airflow.com
   adminUser.password: airflow
-  connections.secretKey: thisISaSECRET_1234
   connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow
   # Only needed when using celery workers (instead of Kubernetes executors)
   connections.celeryResultBackend: db+postgresql://airflow:airflow@airflow-postgresql.default.svc.cluster.local/airflow