fix: migrate immutable internal secrets to mutable versions

Author: razvan

CHANGELOG.md

@@ -6,7 +6,12 @@
 
 - Document Helm deployed RBAC permissions and remove unnecessary permissions ([#767]).
 
+### Fixed
+
+- Do not use immutable Secret objects for internal secrets. Migrate existing secrets to mutable versions ([#770]).
+
 - [#767]: https://github.com/stackabletech/airflow-operator/pull/767
+- [#770]: https://github.com/stackabletech/airflow-operator/pull/770
 
 ## [26.3.0] - 2026-03-16
 

rust/operator-binary/src/airflow_controller.rs

@@ -32,6 +32,7 @@ use stackable_operator::{
     cluster_resources::{ClusterResourceApplyStrategy, ClusterResources},
     commons::{
         product_image_selection::{self, ResolvedProductImage},
+        random_secret_creation,
         rbac::build_rbac_resources,
     },
     crd::{
@@ -92,12 +93,7 @@ use crate::{
             AirflowAuthenticationClassResolved, AirflowClientAuthenticationDetailsResolved,
         },
         authorization::AirflowAuthorizationResolved,
-        build_recommended_labels,
-        internal_secret::{
-            FERNET_KEY_SECRET_KEY, INTERNAL_SECRET_SECRET_KEY, JWT_SECRET_SECRET_KEY,
-            create_random_secret,
-        },
-        v1alpha2,
+        build_recommended_labels, v1alpha2,
     },
     env_vars::{self, build_airflow_template_envs},
     operations::{
@@ -113,6 +109,21 @@ use crate::{
     },
 };
 
+// Used for env-vars: AIRFLOW__WEBSERVER__SECRET_KEY, AIRFLOW__API__SECRET_KEY
+// N.B. AIRFLOW__WEBSERVER__SECRET_KEY is deprecated as of 3.0.2.
+// Secret key used to run the api server. It should be as random as possible.
+// It should be consistent across instances of the webserver. The webserver key
+// is also used to authorize requests to Celery workers when logs are retrieved.
+pub const INTERNAL_SECRET_SECRET_KEY: &str = "INTERNAL_SECRET";
+// Used for env-var: AIRFLOW__API_AUTH__JWT_SECRET
+// Secret key used to encode and decode JWTs to authenticate to public and
+// private APIs. It should be as random as possible, but consistent across
+// instances of API services.
+pub const JWT_SECRET_SECRET_KEY: &str = "JWT_SECRET";
+// Used for env-var: AIRFLOW__CORE__FERNET_KEY
+// See https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/fernet.html#security-fernet
+pub const FERNET_KEY_SECRET_KEY: &str = "FERNET_KEY";
+
 pub const AIRFLOW_CONTROLLER_NAME: &str = "airflowcluster";
 pub const DOCKER_IMAGE_BASE_NAME: &str = "airflow";
 pub const AIRFLOW_FULL_CONTROLLER_NAME: &str =
@@ -353,7 +364,9 @@ pub enum Error {
     },
 
     #[snafu(display("failed to create internal secret"))]
-    InvalidInternalSecret { source: crd::internal_secret::Error },
+    InvalidInternalSecret {
+        source: random_secret_creation::Error,
+    },
 }
 
 type Result<T, E = Error> = std::result::Result<T, E>;
@@ -479,7 +492,7 @@ pub async fn reconcile_airflow(
         .await?;
     }
 
-    create_random_secret(
+    random_secret_creation::create_random_secret_if_not_exists(
         &airflow.shared_internal_secret_secret_name(),
         INTERNAL_SECRET_SECRET_KEY,
         256,
@@ -489,7 +502,7 @@ pub async fn reconcile_airflow(
     .await
     .context(InvalidInternalSecretSnafu)?;
 
-    create_random_secret(
+    random_secret_creation::create_random_secret_if_not_exists(
         &airflow.shared_jwt_secret_secret_name(),
         JWT_SECRET_SECRET_KEY,
         256,
@@ -499,7 +512,7 @@ pub async fn reconcile_airflow(
     .await
     .context(InvalidInternalSecretSnafu)?;
 
-    create_random_secret(
+    random_secret_creation::create_random_secret_if_not_exists(
         &airflow.shared_fernet_key_secret_name(),
         FERNET_KEY_SECRET_KEY,
         // https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/fernet.html#security-fernet

rust/operator-binary/src/crd/internal_secret.rs

@@ -61,7 +61,6 @@ use crate::{
 pub mod affinity;
 pub mod authentication;
 pub mod authorization;
-pub mod internal_secret;
 
 pub const APP_NAME: &str = "airflow";
 pub const FIELD_MANAGER: &str = "airflow-operator";