Running Airflow with a self-signed certificate¶
Airflow can be configured to run with a self-signed certificate but this requires a couple of extra steps to enable Workers to trust the API Server. This guide is based on the Running Airflow in Docker setup.
Caution
This procedure is intended for learning, exploration and development. It is not suitable for production use.
Generating the certificate¶
The first step is the generation of the certificate. This requires the addition
of localhost
and airflow-apiserver
as Subject Alternative Names so that
the health check and Worker to API Server communications function.
export AIRFLOW_CN=example-common-name
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-sha256 -days 3650 -nodes \
-subj "/CN=$AIRFLOW_CN" \
-addext "subjectAltName=DNS:localhost,DNS:airflow-apiserver"
Where example-common-name
is the common name of your server. Place
cert.pem
and key.pem
in the config
folder.
Altering docker-compose.yaml
¶
Add the following two environment variables below and alter the API Server URL to HTTPS:
AIRFLOW__CORE__EXECUTION_API_SERVER_URL: 'https://airflow-apiserver:8080/execution/'
# Added to enable SSL
AIRFLOW__API__SSL_CERT: '/opt/airflow/config/cert.pem'
AIRFLOW__API__SSL_KEY: '/opt/airflow/config/key.pem'
Alter the API Server health check to trust the certificate:
airflow-apiserver:
<<: *airflow-common
command: api-server
ports:
- "8080:8080"
healthcheck:
# Add --cacert to trust certificate
test: ["CMD", "curl", "--fail", "--cacert", "${AIRFLOW_PROJ_DIR:-.}/config/cert.pem", "https://localhost:8080/api/v2/version"]
Running Airflow¶
Now you can start all services:
docker compose up
The webserver is available at: https://localhost:8080