From 6f2fc48d8d4eae618ce89168c704ea6c95b31412 Mon Sep 17 00:00:00 2001 From: rjgoyln Date: Tue, 24 Mar 2026 12:12:33 +0800 Subject: [PATCH 1/2] document missing secret name keys --- chart/values.yaml | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 8c380e5af7362..e55463ffb1fd4 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -498,19 +498,14 @@ extraEnvFrom: ~ # Airflow database & redis config data: - # If secret names are provided, use those secrets - # These secrets must be created manually, eg: - # - # kind: Secret - # apiVersion: v1 - # metadata: - # name: custom-airflow-metadata-secret - # type: Opaque - # data: - # connection: base64_encoded_connection_string - + # Must contain a 'connection' key (e.g., postgresql://user:pass@host:5432/db). + # Optional: 'kedaConnection'. Note: URL-encode special characters in passwords. metadataSecretName: ~ + + # Must contain a 'connection' key. If not provided, it falls back to 'metadataSecretName'. resultBackendSecretName: ~ + + # Must contain a 'connection' key (e.g., redis://:pass@host:6379/0). brokerUrlSecretName: ~ # Otherwise pass connection values in @@ -545,6 +540,10 @@ data: # Fernet key settings # Note: fernetKey can only be set during install, not upgrade fernetKey: ~ +# The Secret MUST contain a 'fernet-key' key. +# +# To handle rotation, provide multiple comma-separated keys in the Secret. +# New values are encrypted with the first key; decryption is attempted with all keys. fernetKeySecretName: ~ # Add custom annotations to the fernet key secret fernetKeySecretAnnotations: {} 
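Review bot: The rewritten comments above `metadataSecretName` in the `data:` hunk drop the removed statement that "These secrets must be created manually". Nothing in the new text says the chart does not create these Secrets. A Secret reference resolves only inside the pod's own namespace, so I would keep one line: `# These Secrets are not created by the chart; create them in the release namespace before installing.` The sentence "If not provided, it falls back to 'metadataSecretName'" is also ambiguous about what "it" is. If the templates (not visible here) behave that way, `# If unset, the result backend reuses the Secret named by 'metadataSecretName'.` makes the shared database credential explicit.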
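Review bot: The comment added above `fernetKeySecretName` names the 'fernet-key' key but not the value format. A reader who carries over the "random 32-char string" advice from the other secrets in this patch could store a string that is not a usable key. A Fernet key is the URL-safe base64 encoding of 32 random bytes, so I would add `# Each key must be a valid Fernet key (URL-safe base64 of 32 random bytes).` The rotation lines should also say that the old key has to stay in the list until existing values have been re-encrypted (`airflow rotate-fernet-key`). Removing it earlier leaves stored connections and variables undecryptable.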
@@ -553,18 +552,24 @@ fernetKeySecretAnnotations: {} apiSecretKey: ~ # Add custom annotations to the api secret apiSecretAnnotations: {} +# Must contain an 'api-secret-key' key (suggested: random 32-char string). +# Note: Values in K8s Secrets must be Base64 encoded. apiSecretKeySecretName: ~ # Secret key used to encode and decode JWTs: `[api_auth] jwt_secret` in airflow.cfg jwtSecret: ~ # Add custom annotations to the JWT secret jwtSecretAnnotations: {} +# Must contain a 'jwt-secret' key (suggested: random 32-char string). +# Note: Values in K8s Secrets must be Base64 encoded. jwtSecretName: ~ # Flask secret key for Airflow <3 Webserver: `[webserver] secret_key` in airflow.cfg webserverSecretKey: ~ # Add custom annotations to the webserver secret webserverSecretAnnotations: {} +# Must contain a 'webserver-secret-key' key (suggested: random 32-char string). +# Note: Values in K8s Secrets must be Base64 encoded. webserverSecretKeySecretName: ~ # In order to use kerberos you need to create secret containing the keytab file @@ -2777,6 +2782,8 @@ flower: annotations: {} # A secret containing the connection + # The Secret MUST contain a 'basicAuth' key (formatted as 'username:password'). + # Note: Values in K8s Secrets must be Base64 encoded. secretName: ~ # Add custom annotations to the flower secret secretAnnotations: {} From 04c954a5061af0ccadd0d76ae435572e99d0ed6a Mon Sep 17 00:00:00 2001 From: rjgoyln Date: Tue, 24 Mar 2026 19:35:11 +0800 Subject: [PATCH 2/2] remove confusing base64 encoding mentions in secrets --- chart/values.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index e55463ffb1fd4..c03272b09f7a1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
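Review bot: The phrase "suggested: random 32-char string" on `apiSecretKeySecretName`, `jwtSecretName` and `webserverSecretKeySecretName` does not say the value must come from a cryptographically secure generator. The hunk's own context describes these as the key that encodes and decodes JWTs and the Flask secret key, so a hand-typed or low-entropy value weakens token and session integrity. I would word each as, for example, `# Must contain a 'jwt-secret' key; generate it with a CSPRNG, e.g. python3 -c 'import secrets; print(secrets.token_hex(16))'.` It is also worth stating that every replica must read the same value, if that holds for this chart.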
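Review bot: In the `flower:` hunk the added lines sit under the existing `# A secret containing the connection`, which they now contradict. By the new text the Secret holds a 'basicAuth' value of the form 'username:password', not a connection. I would replace the stale line and the added one with a single comment: `# Name of an existing Secret with a 'basicAuth' key holding 'username:password'.` The second patch in this series rewrites the added line but leaves the stale one in place.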
@@ -553,7 +553,6 @@ apiSecretKey: ~ # Add custom annotations to the api secret apiSecretAnnotations: {} # Must contain an 'api-secret-key' key (suggested: random 32-char string). -# Note: Values in K8s Secrets must be Base64 encoded. apiSecretKeySecretName: ~ # Secret key used to encode and decode JWTs: `[api_auth] jwt_secret` in airflow.cfg @@ -561,7 +560,6 @@ jwtSecret: ~ # Add custom annotations to the JWT secret jwtSecretAnnotations: {} # Must contain a 'jwt-secret' key (suggested: random 32-char string). -# Note: Values in K8s Secrets must be Base64 encoded. jwtSecretName: ~ # Flask secret key for Airflow <3 Webserver: `[webserver] secret_key` in airflow.cfg @@ -569,7 +567,6 @@ webserverSecretKey: ~ # Add custom annotations to the webserver secret webserverSecretAnnotations: {} # Must contain a 'webserver-secret-key' key (suggested: random 32-char string). -# Note: Values in K8s Secrets must be Base64 encoded. webserverSecretKeySecretName: ~ # In order to use kerberos you need to create secret containing the keytab file @@ -2782,8 +2779,7 @@ flower: annotations: {} # A secret containing the connection - # The Secret MUST contain a 'basicAuth' key (formatted as 'username:password'). - # Note: Values in K8s Secrets must be Base64 encoded. + # The Secret MUST contain a 'basicAuth' key (formatted as 'username:password') secretName: ~ # Add custom annotations to the flower secret secretAnnotations: {}