Apache Airflow Helm Chart 1.20.0

Significant Changes

Support for old versions of Apache Airflow <2.11 has been dropped (#61018)

Minimum supported version of Apache Airflow is now 2.11.0. If you want to deploy an
old version of Apache Airflow, please use the last released version of the chart 1.19.0.

workers specific sections have been moved to workers.celery / workers.kubernetes sections

Please update your configuration accordingly:

• workers.command command is now deprecated in favor of workers.celery.command/workers.kubernetes.command (#60067).
• workers.securityContexts command is now deprecated in favor of workers.celery.securityContexts/workers.kubernetes.securityContexts (#60396).
• workers.containerLifecycleHooks command is now deprecated in favor of workers.celery.containerLifecycleHooks/workers.kubernetes.containerLifecycleHooks (#61369).
• workers.kerberosSidecar section is now deprecated in favor of workers.celery.kerberosSidecar/workers.kubernetes.kerberosSidecar (#61881).
• workers.kerberosInitContainer section is now deprecated in favor of workers.celery.kerberosInitContainer/workers.kubernetes.kerberosInitContainer (#60751).
• workers.terminationGracePeriodSeconds command is now deprecated in favor of workers.celery.terminationGracePeriodSeconds/workers.kubernetes.terminationGracePeriodSeconds (#61892).
• workers.nodeSelector command is now deprecated in favor of workers.celery.nodeSelector/workers.kubernetes.nodeSelector (#61957).
• workers.podDisruptionBudget section is now deprecated in favor of workers.celery.podDisruptionBudget. Please update your configuration accordingly. (#61414)
• workers.keda section is now deprecated in favor of workers.celery.keda. Please update your configuration accordingly. (#61820)
• workers.resources section is now deprecated in favor of workers.celery.resources and workers.kubernetes.resources. Please update your configuration accordingly. (#61890)

The previous configuration options are still working, but are deprecated and will be removed in a future version.

As Git-Sync is not service-type object, the readiness probe will be removed. (#62334)

To enable feature behaviour set dags.gitSync.recommendedProbeSetting to true. Section itself will be removed in future release as to not break setups during upgrades.

As Git-Sync has dedicated liveness service, the liveness probe behaviour will be changed. To enable feature behaviour set dags.gitSync.recommendedProbeSetting to true.

Please update your configuration accordingly.

Automatic env variables removed from container_extra_envs and custom_airflow_environment (#60750)

The automatic prefix addition for Kubernetes Executor environment variables and secrets has been removed from both the container_extra_envs and custom_airflow_environment helper functions.

What changed:

Previously, when you added environment variables to component-specific configurations (e.g., .Values.scheduler.env), the chart automatically created an additional environment variable (to specified in the env section) with the AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__ prefix for Kubernetes Executor worker pods. After this change, only the variable specified in env section will be created.
Furthermore, for values specified under .Values.secret section, the AIRFLOW__KUBERNETES_SECRETS__ prefix is no longer automatically added. Secrets are now passed as-is via secretKeyRef without the prefixed copy for worker pods.

Why this change:

• Prevent unintended exposure of sensitive data like client_secret information. Previously, due to prefix, it was recognized as internal Airflow configuration leading to unintended exposure in Airflow UI (under Admin -> Configuration), even when AIRFLOW__API__EXPOSE_CONFIG is set to non-sensitive-only.
• Avoid unintended environment propagation to workers: component-specific env configurations are intended strictly for specific components. Previous behaviour caused these variables to be passed to worker pods, which could result in configuration conflicts and unexpected side effects.

Migration Required:

If you need to pass environment variables specifically to Kubernetes Executor worker pods, use one of the following approaches:

Option 1: Use .Values.env

.. code-block:: yaml

env:
  - name: my_var
    value: "my_value"

Environment variables specified under .Values.env are now passed as-is without the automatic prefix (same behaviour as component-specific env).

Option 2: Use .Values.config.kubernetes_environment_variables

.. code-block:: yaml

config:
  kubernetes_environment_variables:
    my_var: "my_value"

Default Airflow image is updated to 3.1.8 (#63392)

The default Airflow image that is used with the Chart is now 3.1.8, previously it was 3.1.7.

Features

• Support Helm template expressions in podAnnotations and airflowPodAnnotations values (#63019)
• Add minute-level log retention to clean-logs script (#61855)
• Add LOG_MAX_SIZE environment variables to log groomer (#61559)

Improvements

• Remove automatic KUBERNETES_ENVIRONMENT_VARIABLES and KUBERNETES_SECRETS prefixes from chart helpers (#60750)
• Remove JWT secrets from triggerer, worker and dag-processor (#63204)
• Add workers.celery.nodeSelector & workers.kubernetes.nodeSelector (#61957)
• Add workers.celery.terminationGracePeriodSeconds & workers.kubernetes.terminationGracePeriodSeconds (#61892)
• Add workers.celery.resources & workers.kubernetes.resources (#61890)
• Add workers.celery.keda section (#61820)
• Add workers.celery.podDisruptionBudget (#61414)
• Add workers.celery.containerLifecycleHooks & workers.kubernetes.containerLifecycleHooks (#61369)
• Refactor Git-Sync livenessProbe & deprecate readinessProbe & add startupProbe (#62334)
• Warn on deprecated per-component securityContext values (#62729)
• Add ingress deprecation warnings for apiServer, statsd, and pgbouncer (#62490)
• Add missing support for: securityContexts and containerLifecycleHook (#60677)

Bug Fixes

• More restrictive chart rendering logic (#63464)
• Omit api-server spec.replicas when HPA is enabled (#63187)
• Add workers.celery.kerberosSidecar & workers.kubernetes.kerberosSidecar sections (#61881)
• Fix chart NOTES.txt showing deprecation warnings only without secret key (#62722)
• Fix tpl rendering for TLS hosts in ingress templates #62358 (#62548)
• Fix webserver.defaultUser.enabled=false not honored (#62143)

Doc only changes

• Cleanup Helm Chart documentation (#62544)
• Add missing deprecation warnings for workers section (#63659)

Misc

• Drop support for all Airflow versions below 2.11 in Helm Chart (#61018)
• Default airflow version to 3.1.8 (#63392)
• Add *.iml to .gitignore in all distributions (#63636)
• Upgrade important CI environment (#62792, #62610)
• Allow to use short SPDX license identifier for selected files (#62073)
• Fix all build-system/requires including transitive dependencies (#62570)

airflow-ctl/0.1.3

📦 PyPI: https://pypi.org/project/apache-airflow-ctl/0.1.3/
📚 Docs: https://airflow.apache.org/docs/apache-airflow-ctl/0.1.3/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow-ctl/0.1.3/release_notes.html

Thanks to all the contributors who made this possible. Next time, Release notes will be available through public documentation.

Significant Changes

• Add airflowctl auth token command to print JWT access tokens (#62843)
• Add --action-on-existing-key to pools import and connections import (#62702)
• Add retry mechanism to airflowctl and remove flaky integration mark (#63016)
• airflowctl auth login: prompt for credentials interactively when none are provided (#62549)
• feat(airflowctl): support on headless environments (#62217)

Bug Fixes

• Fix airflowctl pools export ignoring --output table/yaml/plain (#62665)
• Fix airflowctl connections import failure when JSON omits extra field (#62662)
• Amend compatibility issues for airflowctl (#63388)

Improvements

• Send limit parameter in execute_list server requests (#63048)
• Run test coverage when airflowctl command has any change (#63216)
• airflow-ctl: add coverage tests for console formatting output (#62627)
• Clean up stale Python 3.9 workaround in airflow-ctl CLI config parser (#62206)
• Expose timetable_partitioned in UI API (#62777)

Apache Airflow 3.1.8

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.8/
📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.8/
🛠️ Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.8/release_notes.html
🐳 Docker Image: "docker pull apache/airflow:3.1.8"
🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.8

Significant Changes

Backfill permissions are now handled via DagAccessEntity.Run (#61456)

is_authorized_backfill of the BaseAuthManager interface has been removed. Core will no longer call this method and their
provider counterpart implementation will be marked as deprecated.
Permissions for backfill operations are now checked against the DagAccessEntity.Run permission using the existing
requires_access_dag decorator. In other words, if a user has permission to run a DAG, they can perform backfill operations on it.

Please update your security policies to ensure that users who need to perform backfill operations have the appropriate DagAccessEntity.Run permissions. (Users
having the Backfill permissions without having the DagRun ones will no longer be able to perform backfill operations without any update)

Elasticsearch is now fully compatible with remote logging along (#62940)

Elasticsearch is now fully compatible with remote logging along side with apache-airflow-providers-elasticsearch>=6.5.0. Please review elasticsearch provider release notes for more information https://airflow.apache.org/docs/apache-airflow-providers-elasticsearch/6.5.0/changelog.html (#62121) (#62940)

Bug Fixes

• Fix SQLite migration disable disable_sqlite_fkeys in revision 509b94a1042d (#63256) (#63272)
• Fix: 404 queued asset events from API server logs (#62934) (#62976)
• Fix: Always include kid in JWT header for symmetric key tokens (#62883) (#62943)
• Fix: Scope session token in cookie to base_url (#62771) (#62851)
• Fix: UI of Scope session token in cookie to base_url (#62771) (#62859)
• Fix: UI tasks log missing in UP_FOR_RETRY and UP_FOR_RESCHEDULE states (#54547) (#62862)
• Fix: Backfill permissions (#62856) (#62873)
• Fix: Use useAssetServiceGetDagAssetQueuedEvents to get the correct number of ADRQs (#62868) (#62902)
• Fix: Adds task instance validation for HITL (#62886) (#62909)
• Fix: Restore task_instance_history sequence on downgrade (#62759)
• Fix broken dag_processing.total_parse_time metric (#62128) (#62764)
• Fix Trigger UI form rendering for null enum values (#62060) (#62767)
• Fix timer.duration unit labels in logs (#61824) (#62757)
• Fix XCom migration failing for NaN/Infinity float values (#62686) (#62760)
• Fix SQL not rendered in Rendered Templates view (#60739) (#62348)
• Fix missing DAG read permission checks on dependencies endpoint (#62046) (#62586)
• Changed dag_bundle.signed_url_template from varchar(200) to text (#61041) (#62568)
• Fix WASB remote logging base path handling (#58946) (#61013) (#62456)
• Handle non-dictionary json payload during logging to avoid internal server error. (#62355) (#62367)
• Fix grid view crash when task converted to TaskGroup (#61208) (#61279) (#62181)
• Fix running task duration showing as null in UI (#61898) (#62136)
• Fix deferrable sensors not respecting soft_fail on timeout (#61132) (#61421)
• Fix task failure details being obscured by finalization errors (#62070) (#62113)
• Add missing ti.start and ti.finish metrics in Airflow 3 (#62019) (#62110)
• Fix DepContext mutation leak and restore reschedule-mode guard (#62089)
• Fix scheduler heartbeat misses caused by slow reschedule dependency check (#61983) (#62068)
• Flush in-memory OTEL metrics at process shutdown (#61808) (#61869)
• Fix executor slots showing negative infinity (#61140) (#61768)
• Fix recursion depth error in _redact_exception_with_context (#61776) (#61795)
• Fix API server segfault when PYTHONASYNCIODEBUG=1 is set (#61281) (#61933)
• Fix scheduler crash when queuing TI with null dag_version_id (#61813) (#61846)
• Fix secrets masking in Rendered Templates for complex objects (#61394) (#61763)
• Fix list dag versions permissions (#61675) (#61733)
• Fix Triggerer crashing if Trigger uses builtin print function (#60258) (#61703)
• Fix GZipMiddleware with correct comment placement (#61538) (#61566)
• Fix middleware order to prevent chunked FastAPI responses (#61043) (#61539)
• Fix XCom serialization for pendulum.date.Date values (#61176) (#61717)
• Fix access_key and connection_string not being masked in logs (#61580) (#61582)
• Fix minimatch ReDoS vulnerabilities via pnpm overrides (#62805)
• Fix language selector state not updating on change (#61060) (#61263)
• Make conn_type optional in task SDK Connection data model (#61728) (#61835)
• UI: optimize grid view refresh pressure on the API (#62085) (#62135)
• UI: Fix main content margin to align with navigation sidebar width (#61614) (#61622)
• UI: Fix Preserve variable value formatting in edit dialog (#58757) (#62339)
• UI: Fix missing translation keys for blocking dependencies in UI (#61314) (#61366) (#61638)
• UI: Add error handling for pause/unpause toggle permission errors (#61389) (#61533)
• UI: Flatten grid structure endpoint memory consumption (#61273) (#61393)
• UI: Reduce memory usage in grid view by optimizing node data storage (#61656) (#61789)
• UI: Fix variable table word-break when values are expanded (#62416) (#62781)
• UI: Fix use ISO dates in Gantt chart for cross-browser consistency (#61250) (#62784)
• UI: Fix DataTable overflow on narrow screens (#62603)
• UI: Fix unique keys for pagination ellipses (#62352) (#62366)
• UI: Fix elk.portConstraints for LR orientation in graph view (#62144) (#62187)
• UI: Fix show active backfill in banner instead of first one (#61851) (#62137)
• UI: Fix star icon visibility in Favorite filter buttons when selected (#61862)
• UI: Fix grid view tooltip z-index issue (#61275) (#61403)
• UI: Fix mini-map on DAG graph view not showing DAG nodes (#61511) (#61530)
• UI: Fix pale appearance of filter buttons when selected (#60346 backport fix) (#61457)

Miscellaneous

• Add logging to detect try number race (#62703) (#62821)
• Override tar dependency in Simple auth manager (#62787)
• Remove mp_start_method remnants (#61150) (#62762)
• Expose literal and ParamsDict at SDK top level (#59782) (#62756)
• Add on_task_instance_skipped listener hookspec (#59467) (#61863)
• Persist table columns visibility in local storage (#61858) (#61868)
• Add run_after alias to XComResponse for backward compatibility (#61443) (#61672)
• UI: Add task_display_name to LightGridTaskInstanceSummary model (#61440) (#61505)
• UI: Add multi-line text display option on Variables page (#61679) (#62779)
• UI: Add bulk actions for connections and variables (#61570) (#62076)
• UI: Allow selecting file path using cursor in log viewer (#61011) (#61506)

Doc Only Changes

• Fix Liveness / Readiness / Startup probe path for Airflow 3.x (#58734) (#61411)
• Update health check command syntax for celery worker (#58861) (#61412)
• Translation fixes: Polish (#62031) (#62761), Catalan (#62477), Taiwanese Mandarin (#62397),
  German (#61478), Polish (#61423)
• Remove docs mentioning old, unsupported hybrid executors (#62093) (#62096)
• Clarify security model of Airflow (#61754) (#61770)
• Clarify ExternalTaskSensor path in dags.rst (#61555) (#61617)
• Clarify policy for exposing sensitive data (#59864) (#61392)
• Clarify template context for asset-triggered DAGs in airflow-core docs (#61258) (#61282)
• Add Keycloak token documentation to Security/API (#61228) (#61248)

Apache Airflow Ctl (airflowctl) 0.1.2

📦 PyPI: https://pypi.org/project/apache-airflow-ctl/0.1.2/
📚 Docs: https://airflow.apache.org/docs/apache-airflow-ctl/0.1.2/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow-ctl/0.1.2/release_notes.html

Thanks to all the contributors who made this possible. Next time, Release notes will be available through public documentation.

Significant Changes

• Add XCom CLI commands to airflowctl (#61021)
• Add auth list-envs command to list CLI environments and their auth status (#61426)
• Add allowed_run_types to whitelist specific dag run types (#61833)
• Default logical_date to now in airflowctl dagrun trigger to match UI behavior (#61047)

Bug Fixes

• Allow listing dag runs without specifying dag_id (#61525)
• Fix infinite password retry loop in airflowctl EncryptedKeyring initialization (#61329)
• Fix airflowctl auth login reporting success when keyring backend is unavailable (#61296)
• Fix airflowctl crash when incorrect keyring password is entered (#61042)
• Strip api-url for airflowctl auth login which fails with trailing slash (#61245)
• Fix airflow-ctl-tests files not triggering pre-commit integration tests (#61023)

Improvements

• Print debug mode warning to stderr to avoid polluting stdout JSON output (#61302)
• Refactor datamodel defaulting logic into dedicated method (#61236)
• Alias run_after for XComResponse (#61443)
• Add test for sensitive config masking in airflowctl (#60361)

Apache Airflow Helm Chart 1.19.0

Significant Changes

StatsD metrics aggregation now supports configurable TTL-enabled LRU cache to prevent memory growth in long-running daemons (#60933)

The Helm Chart now includes new configuration options for StatsD aggregation management:

• statsd.cache.type - Enable TTL-enabled lru cache or random cache for metrics aggregation (default: lru)
• statsd.cache.size - Maximum number of metrics to cache (default: 1000)
• statsd.cache.ttl - Time-to-live for cached metrics in seconds (0s is TTL disabled) (default: 0s)

This feature addresses uncontrolled memory growth in StatsD daemons by automatically cleaning up stale or unused metric entries. When enabled, the cache uses both LRU (Least Recently Used) eviction and TTL (Time To Live) expiration to manage memory usage effectively.

To maintain backward compatibility, the default behaviour remains unchanged. Users experiencing memory growth issues with StatsD can enable this feature by setting statsd.cache.ttl to value higher than 0 in their Helm values.

Support for Multiple Celery Worker Sets in the Helm Chart (#58547)

This change introduces support for advanced Celery Workers topologies to Apache Airflow Helm Chart, enabling more flexible resource allocation and precise autoscaling configurations.

Flexible Worker Topologies: The new workers.celery.enableDefault flag allows users to configure a deployment consisting only of specialized worker sets defined in workers.celery.sets section.

Multi-Queue Autoscaling Support: Updates the KEDA ScaledObject generation to support comma-separated queue lists. By using the SQL IN (...) clause, we ensure that KEDA scales worker sets based on the precise aggregate workload of all their assigned queues.

Granular Configuration Overrides: This change allows for overwrite of any currently available workers configuration per worker set. For example, a user can enable KEDA globally, but explicitly disable it for a specific worker set that requires a static number of replicas.

Options to create a default user have been moved under the createUserJob section

Please update your configuration accordingly:

• webserver.defaultUser section is now deprecated in favor of createUserJob (#59767)

The previous configuration options are still working but are deprecated and will be removed in a future version.

Note that the previous documentation described also the option apiServer.defaultUser, which was never implemented in the chart. The only supported option is now createUserJob. Using apiServer.defaultUser will raise an error.

Celery specific config options have been moved under the celery section in workers

Please update your configuration accordingly:

• workers.replicas command is now deprecated in favor of workers.celery.replicas (#59730)
• workers.revisionHistoryLimit command is now deprecated in favor of workers.celery.revisionHistoryLimit (#60056)
• workers.args command is now deprecated in favor of workers.celery.args (#60163)
• workers.livenessProbe section is now deprecated in favor of workers.celery.livenessProbe (#60186)
• workers.updateStrategy section is now deprecated in favor of workers.celery.updateStrategy (#60351)
• workers.strategy section is now deprecated in favor of workers.celery.strategy (#60354)
• workers.podManagementPolicy section is now deprecated in favor of workers.celery.podManagementPolicy (#60359)
• workers.persistence section is now deprecated in favor of workers.celery.persistence (#60238)

The previous configuration options are still working but are deprecated and will be removed in a future version.

Manual Service Account Token Volume configuration for pod-launching executors (#59156)

Added support for manual Service Account Token Volume configuration when using pod-launching executors
(CeleryExecutor, CeleryKubernetesExecutor, KubernetesExecutor, LocalKubernetesExecutor).
This implements defense-in-depth security with both ServiceAccount and Pod-level controls, providing
compatibility with security policies like Kyverno and enabling container-specific privilege assignment
following the Principle of Least Privilege.

Add imagePullSecrets option (#58094)

Add .Values.imagePullSecrets as the new mechanism for configuring registry credentials,
deprecating both .Values.registry.secretName and the automatic creation of the <RELEASE_NAME>-registry secret from .Values.registry.connection.

Default Airflow image is updated to 3.1.7 (#61447)

The default Airflow image that is used with the Chart is now 3.1.7, previously it was 3.0.2.

Default git-sync image is updated to 4.4.2 (#54085)

The default git-sync image that is used with the Chart is now 4.4.2, previously it was 4.3.0.

New Features

• Add PodDisruptionBudget for Dag Processor (#60294)
• Add PodDisruptionBudget for Triggerer and Workers (#59068)
• Add HorizontalPodAutoscaler (HPA) for API Server (#52392)
• Add support for launching jobs with KubernetesJobOperator (#52024)
• Add CronJob to clean old records in the database (#58155)

Improvements

• Improve dag_bundle_config_list Configuration (#60645)
• Add workers.celery.kerberosInitContainer & workers.kubernetes.kerberosInitContainer (#60751, #60427)
• Add workers.celery.securityContexts & workers.kubernetes.securityContexts (#60396)
• Add workers.celery.podManagementPolicy field (#60359)
• Add workers.celery.strategy field (#60354)
• Add workers.celery.updateStrategy field (#60351)
• Add workers.celery.persistence section (#60238)
• Add workers.celery.livenessProbe section (#60186)
• Add workers.celery.args field (#60163)
• Add workers.celery.command & workers.kubernetes.command (#60067)
• Allow custom volumeClaimTemplates when logs.persistence.enabled is true (#60118)
• Add checksum for JWT secret in API server and scheduler deployments (#60111)
• Add workers.celery.revisionHistoryLimit field (#60056)
• Add Redis StatefulSet persistentVolumeClaimRetentionPolicy support (#59955)
• Add workers.celery.replicas field (#59730)
• Add custom envs to database cleanup (#59804)
• Extend airflow_ti_running metrics by scheduled, queued and deferred (#58819)
• Create an explicit control for createUserJob (#56057)
• Make cleanup cronjob conditional on kubernetes executor (#58695)
• Add database cleanup options and remove deprecated securityContext field (#58663)
• Add ability to disable API Server (#56493)
• Add registry.secretNames and registry.connections options (#58094)
• Allow custom labels in StatsD, redis and Dag Processor (#55832)
• Allow setting restartPolicy for batch jobs in chart (#54354)
• Add readiness and liveliness support for git sync relay sidecars (#50218)
• Allow overriding schedulerName on worker/tasks pods (#53983)
• Allow additional PodDisruptionBudget config properties (#58864)
• Add EdgeExecutor to KEDA query (#55560)
• Allow revisionHistoryLimit to be set to 0 (#60340)
• Allow optional subPath for logs volume mount (#52350)
• Move triggerer from pod-log-reader-role to pod-launcher-role (#56872)

Bug Fixes

• Remove kedaNetworkPolicySelector from helpers (#61564)
• Use the bitnamilegacy/postgresql image (#61156)
• Fix Compatibility of Celery Worker Sets with Workers Separation (#60420)
• Fix database cleanup cronjob ImagePullSecrets (#58626)
• Remove workers.celery breaking change (#61049)
• Fix missing templating in API Server extraInitContainers (#60812)
• Fix securityContext.containers/ingress.apiServer in values.schema.json (#60575)
• Remove unused containerLifecycleHooks field (#60239)
• Remove unneeded logic in api-server (#60147)
• Remove defaultUser from API Server in values.schema.json (#59762)
• Isolate defaultUser handling in createUserJob (#59767)
• Fix rendering condition of git_sync_ssh_key_volume (#59418)
• Add watch for events to the Pod launcher role (#59080)
• Ensure that git-sync actually runs when dags.gitSync.enabled=true and dags.persistence.enabled=true (#59123)
• Don't add labels to non-existent configuration options (#59213)
• Add log volume to init container for scheduler, triggerer and worker (#56418)
• Correctly derive celery sync_parallelism from scheduler CPU limits (#58733)
• Fix ingress notes (#59122)
• Fix Liveness / Readiness / Startup probe path for Airflow 3.x (#58734)
• Fix flower network policy condition when multiple executors (#58635)
• Missing SCC Role bindings for redis and api-server (#57985)
• Ensure graceful Redis shutdown(#58432)
• Start Redis directly, not via shell (#58790)
• Add missing airflow.fullname on kubernetes objects (#52953)
• StatsD deployment volume mount without subpath for live reloading (#54986)
• Fix KEDA query for Kubernetes Executor (#55559)
• Add API Server config in k8s pod template (#53533)
• Fix helm schema validation for executor value (#54682)
• Correct watch verb quoting in Airflow Job Launcher Role (#53822)
• Trim non-alphanumeric characters from the executor label (#53534)
• Fix KEDA Query to Use executor Field Instead of queue for Multiple Executors (#52840)

Doc only changes

• Document how to run the API server behind a reverse proxy (#61095)
• Clarify ingress settings for Airflow 2 vs 3 in values.yaml (#60434)
• Add database cleanup docs to Helm productions docs (#58707)
• KEDA best practices + better documentation (#58246)
• Update chart info about built-in secrets and environment variables (#58317)
• Fix typo in PgBouncer section of the Production Guide (#56754)
• Update webserver secr...

Apache Airflow 3.1.7

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.7/
📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.7/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.7/release_notes.html
🐳 Docker Image: "docker pull apache/airflow:3.1.7"
🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.7

Significant Changes

No significant changes.

Bug Fixes

• Fix JWT token generation with unset issuer/audience config (#61331)
• Fix callback files losing priority during queue resort (#61232) (#61243)
• Fix Dag callback for versioned bundles in the processor (#60734) (#61230)
• Add 404 handling for non-existent Dag (#61131) (#61225)
• Add guardrail to handle Dag deserialization errors in scheduler (#61162) (#61210)
• Fix asset scheduling for stale Dags (#59337) (#60022) (#61106)
• Fix unnecessary Dag version churn when Dag file paths change (#60799)
• Fix missing warning when Bundle path may not be accessible to impersonated user (#60278)
• Fix TriggerDagRunOperator deferring when wait_for_completion=False (#60052)
• Fix NoneType error when updating serialized Dag (#56422)
• Fix Pool API slots validation (#61071) (#61114)
• Fix DagBag parsing by adding bundle_path temporarily to sys.path (#55894) (#61053)
• Fix API to respect maximum page limit (#60989) (#61073)
• Prevent Triggerer from crashing when a trigger event isn't serializable (#60152) (#60981)
• Fix permissions on get_event_logs endpoint (#60936) (#60958)
• Fix Dag access control for dag_id in query param (#60935) (#60959)
• Fix root logger to use log_level instead of hardcoded INFO level (#60784) (#60970)
• Fix Dag processor OOM by Avoid loading all TaskInstances when checking DagVersion in write_dag (#60937) (#60962)
• Fix worker startup Dag load failures by rescheduling tasks instead of exiting (#59604) (#60926)
• Fix permissions check in import error APIs (#60801) (#60884)
• Fix refresh-token invalidation by logging out the user (#60781) (#60881)
• Fix connection test API to restore masked password/extra from existing connections (#59643) (#60873)
• Fix Dag processor overhead by applying gc.freeze (#60505) (#60845)
• Fix Dag processor crashing due to MySQL deadlock errors (#60166) (#60418)
• Ensure unique run_id across manually triggered Dags with schedules (#59477) (#60468)
• UI: Avoid gantt annotation error during resize (#60877)
• UI: Fix react apps plugins router (#61206)
• UI: Reset pagination on search in all pages (#61169)
• UI: Explicitly set UI table ordering (#60609) (#61216)
• UI: Plugins pagination fix #61055 (#61059) (#61129)
• UI: Fix ui get dags permission endpoint for user without Dag run permissions (#60979) (#60988)
• UI: Convert Tasks Table from card to table mode (#60830) (#60874)
• UI: Fix slow log scrolling for large task logs (#60806) (#60875)
• UI: Grey out trigger button on API 403 (#60648) (#60777)
• UI: Remove API error from disabling submit (#60473) (#60658)
• UI: Added toasters for permission denied (#57966) (#58016) (#60646)
• UI: Move row count and display toggle into DataTable (#57680) (#60639)
• UI: Fix/backfill permission error handling (#60582) (#60587)
• UI: Improve Dags Filter UI (#60346) (#60547)
• UI: Update PoolBar to separate Scheduled and Deferred slots (#59270) (#60538)
• UI: Correct the access for the externalLogUrl (#60412) (#60479)
• UI: Fix gantt chart styling (#60347) (#60457)
• UI: Reset pagination on DagList search (#60326) (#60336)
• UI: Move dags list filters to buttongroups (#60298) (#60337)
• UI: Fix table filters resetting when deleting a Dag (#60279) (#60287)
• UI: Fix sidebar visibility issue when main content exceeds viewport height (#59660) (#60286)
• UI: Add virtualization to grid view (#60241) (#60285)

Miscellaneous

• UI: Upgrade react-dom-router in Airflow UI (#60316) (#60456)
• Use bulk DELETE for XComModel.clear() instead of loading records (#60955)
• Refactor Dag file queuing and fix redundant processing (#60124)
• Optimized Dag processing queue order on bundle refresh (#60003)
• Remove unused method is_default_pool in Pool model (#61084) (#61128)
• Translation fixes: Taiwaness Mandarin (#61126), Catalan (#61093), German (#61097), Polish (#61099),
  Arabic (#60635 #60782, (#60635) (#60782)), Spanish (#60775 #60785, (#60775) (#60785)),
  Hebrew (#60633 #60686, (#60633) (#60686))

Doc Only Changes

• Fix minor display issue with migration to airflow 3 docs (#60749)
• Fix airflow.utils.context.Context import path in Airflow 3 migration doc (#59937)
• Add missing links to airflow.sdk classes and functions in public interface docs (#61005) (#61012)
• Clarify BaseSensorOperator parameters in Sensors guide (#60275)
• Fix docstring for RuntimeTaskInstance.xcom_pull (#60220) (#60252)
• Fix broken syntax highlighting in AIR rules note section (#59188)

Apache Airflow 3.1.6

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.6/
📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.6/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.6/release_notes.html
🐳 Docker Image: "docker pull apache/airflow:3.1.6"
🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.6

Significant Changes

is_authorized_hitl_task() method now available in auth managers(#59399).

This method is now available in auth managers to check whether a user is authorized to approve a HITL task

proxy and proxies added to DEFAULT_SENSITIVE_FIELDS (#59688)

proxy and proxies have been added to DEFAULT_SENSITIVE_FIELDS in secrets_masker to treat proxy configurations as sensitive by default

Bug Fixes

• Protect against hanging thread in aiosqlite 0.22+ (#60217) (#60245)
• Fix log task instance sqlalchemy join query (#59973) (#60222)
• Fix invalid uri created when extras contains non string elements (#59339) (#60219)
• Fix operator template fields via callable serialization that causes unstable DAG serialization (#60065) (#60221)
• Fix real-time extra links updates for TriggerDagRunOperator (#59507) (#60225)
• Fix signal handling in triggerer job runner (#60190) (#60214)
• Added state validation to delete dag run endpoint (#60195) (#60207)
• Fix text overflow issue (#60080)
• UI: Add toggle functionality to Dags state filters (#59089)
• Fix deprecated_options entry for dag_file_processor_timeout (#59181) (#60162)
• Fix ApprovalOperator with SimpleAuthManager when all_admins=True (#59399) (#60116)
• Record missing ti_failure metrics for tasks (#59731) (#59964)
• Fix missing TaskInstanceHistory on scheduler TI resets (#59639) (#59752)
• Add proxy and proxies as sensitive fields in DEFAULT_SENSITIVE_FIELDS (#59688) (#59792)
• Fix compat deprecation handling for [webserver] base_url (#59659) (#59781)
• Fix Execution API refresh token (#58782) (#59713)
• Fix eager-loading DagRun asset relationships before creating DagRunContext (#59714) (#59732)
• Redact secrets in rendered templates properly when truncating it (#59566) (#59704)
• Add Content-Type to request headers in Task SDK calls when missing (#59676) (#59687)
• UI: Fix Expand+Collapse Translation Key (#59672) (#59674)
• Fix server context for connections (#59624) (#59652)
• Fix clear task instance dialog tasks states (#59363) (#59580)
• Add log record when listening dag is partitioned but run has no key (#59375) (#59582)
• Fix Dag Processor logging crash (#59317) (#59581)
• Flush session before processing Event Buffer in dag test (#59314) (#59559)
• Add task group ID filtering support to task instance query (#58092) (#59511)
• Fix message of _read_from_logs_server when status_code is 403 (#59489) (#59504)
• Fix import errors not cleared for files without Dags (#58242) (#59500)
• Fix backfill run_on_latest_version defaulting to False instead of True (#59304) (#59328)
• Add toaster notifications for Connection Test (#59354) (#59368)
• Fix .airflowignore negation not working in subfolders (#58740) (#59305)
• Fix XCom key handling when keys contain special characters like slash (#58344) (#59311)
• Fix an odd import of pendulum from sqlalchemy_utils instead of elsewhere. (#59258) (#59265)
• Fix links for DurationChart (#59095) (#59237)
• Fix misleading error message when GitHook creation fails (#59236)
• Show asset extra in asset list (#59195) (#59201)
• Prevent dag processor crash on encountering excel files in the Dag directory (#59069) (#59170)
• Fix DagRun.queued_at not updating when clearing (#59066) (#59177)
• Fix Rendered Templates not showing dictionary items (#58071) (#59176)
• UI: Change task log source display to hidden by default (#58749) (#59045)
• Fix button to go back from FAB iframe (#58997) (#59007)
• Fix task instance and run tooltips in Grid view (#58359) (#59013)

Miscellaneous

• Don't depend upon FastAPI inside Task-SDK client (#59250) (#59257)
• Align the term Dag in all translations (#59155)

Doc Only Changes

• Bump Sphinx Airflow theme to 0.3.0 (#59538)
• Translations updates [French: (#60157) (#60167), German: (#59673), PL: (#59675) (#59251) (#59256), Japanese: (#59557),(#59313),
  Taiwanese Mandarin (#59513) (#59515), Hebrew: (#59133) (#59255), Ca: (#59216) (#60199), TR: (#59169) (#60191)]
• Update webserver probe health check doc (#59942) (#59982)
• Update API auth. instructions in Docker running docs (#59830) (#59832)
• Improve CLI date argument help text documentation (#59797) (#59810)
• Add fast client-side search to Airflow documentation (#59658)
• Fix broken permalink icon (#58763)
• Add Refresh Token logic to auth manager docs (#54196) (#59482)
• Update json to JSON for consistency in translations (#59323) (#59333)
• Fix outdated dependency documentation (#58970) (#59219)
• Add UI/API performance tips (#59004) (#59052)
• Provide a clear naming and description for the attribute caching get_template_context (#59023) (#59036)
• Update the documentation for the LocalExecutor (#58990) (#59022)

Apache Airflow Ctl (airflowctl) 0.1.1

📦 PyPI: https://pypi.org/project/apache-airflow-ctl/0.1.1/
📚 Docs: https://airflow.apache.org/docs/apache-airflow-ctl/0.1.1/
🛠 Release Notes: https://github.com/apache/airflow/blob/airflow-ctl/0.1.1/airflow-ctl/RELEASE_NOTES.rst

Thanks to all the contributors who made this possible. Next time, Release notes will be available through public documentation.

Significant Changes

• Make pause/unpause commands positional for improved CLI consistency (#59936)
  Provides separate airflowctl dags pause/unpause dag_id
• Remove deprecated export functionality from airflowctl (#59850)
  airflowctl won't export from
• Add team_name to connection commands (#59336)
  Team name feature added to connections command
• Add team_id to variable commands (#57102)
• Add pre-commit checks for airflowctl test coverage (#58856)
  Provided more coverage and further checks on integration tests to release with more confidence.
• Display active DAG run count in header with auto-refresh support (#58332)
  active_runs_count has been added to the dags command.

Bug Fixes

• Simplify airflowctl exception handling in safe_call_command (#59808)
• Fix backfill default behavior for run_on_latest_version (#59304)
• Update BulkDeleteAction to use generic typing (#59207)
• Bump minimum supported prek version to 0.2.0 (#58952)
• Fix RST formatting to ensure blank lines before bullet lists (#58760)
• Update Python compatibility requirements and airflowctl documentation (#58653)
• Consistently exclude unsupported Python 3.14 (#58657)
• Improve cross-distribution dependency management (#58430)
• Synchronize documentation between official and convenience source installs (#58379)
• Add retry multiplier support (#56866)
• Fix documentation issues for installing from source distributions (#58366)
• Update pyproject.toml files to support pytest>=9.0.0 TOML syntax (#58182)

Apache Airflow 3.1.5

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.5/
📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.5/
📚 Task SDK Docs: https://airflow.apache.org/docs/task-sdk/1.1.5/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.5/release_notes.html
🐳 Docker Image: "docker pull apache/airflow:3.1.5"
🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.5

Significant Changes

No significant changes.

Bug Fixes

Handle invalid token in JWTRefreshMiddleware (#56904)
Fix inconsistent Dag hashes when template fields contain unordered dicts (#59091) (#59175)
Fix assets used only as inlets being incorrectly orphaned (#58986)
Fix exception when logging stdout with a custom %-format string (#58963)
Fix backfill max_active_runs race condition with concurrent schedulers (#58935)
Fix LocalExecutor memory spike by applying gc.freeze (#58934)
Fix string to datetime pydantic conversion (#58916)
Fix deadlines being incorrectly pruned for DAG runs with the same run_id (#58910)
Fix handling of pre-AIP-39 DAG runs (#58773)
Mask secrets properly when using deprecated import path (#58726)
Preserve Asset.extra when using AssetAlias (#58712)
Fix timeout_after in run_trigger method of TriggerRunner (#58703)
Fix connection retrieval from secrets backend without conn_type (#58664)
Fix task retry logic to respect retries for all exit codes (#58478)
Respect default_args in DAG when set to a "falsy" value (#58396)
Fix airflow config list output for multi-line values (#58378)
Fix TriggerDagRunOperator stuck in deferred state with reset_dag_run=True (#58333)
Fix HITLTrigger params serialization (#58297)
Fix atomicity issue in SerializedDagModel.write_dag preventing orphaned DAG versions (#58281)
Mask kwargs when illegal arguments are passed (#58283)
Fix supervisor communications not reconnecting when using dag.test() (#58266)
Fix supervisor communications and logs not reconnecting in task subprocesses (#58263)
Make pool description optional when patching pools (#58169)
Fix check_files.py script after source tarball was renamed (#58192)
Fix db cleanup logging behavior and docstrings (#58523)
Fix Asset URI normalization for user info without password (#58485)
UI: Fix object rendering in Human-in-the-Loop (HITL) interface (#58611)
UI: Fix "Consuming Tasks" section not in asset header (#58060)
UI: Fix timezone string parsing to use dayjs correctly (#57880)
UI: Ensure task instance endDate is not null (#58435)
UI: Fix trigger parameter field showing as dict when param.value is null (#58899)
UI: Remove unnecessary refresh state consumption for DAG header (#58692)
UI: Fix mobile responsiveness of Dashboard sections (#58853)
UI: Fix incorrect backfill duration calculation in Grid view (#58816)
UI: Redact secrets in rendered templates to not expose them in UI (#58772)
UI: Add fallback value of 1 for number of DAG runs in Grid view (#58735)
UI: Update refresh token flow (#58649)
UI: Fix 404 handling with fallback route for invalid URLs (#58629)
UI: Fix excessive database queries in UI grid endpoint by adding query count guard (#57977, #58632)
UI: Fix DAG documentation markdown display issue (#58627)
UI: Fix duration chart duration format (#58564)
UI: Fix TaskGroup nodes not being properly highlighted when selected in Graph view (#58559)
UI: Fix tag filter with special characters (#58558)
UI: Fix group task instance tab memory leak (#58557)
UI: Fix popup automatically closing when DAG run completes (#58538)
UI: Fix operator extra links not appearing on failed tasks (#58508)
UI: Fix TypeError in parseStreamingLogContent for non-string data (#58399)
UI: Fix Dag tag order (#58904)

Miscellaneous

Do not remove .pyc and .pyo files after building Python (#58947)
Improve cross-distribution dependency management (#58472)
Bump glob from 10.4.5 to 10.5.0 in simple auth manager UI (#58463)
Bump glob in React core UI (#58461)

Doc Only Changes

Fix Chinese (Traditional) translations for trigger-related terminology (#58989)
Close translation gaps in German (#58971)
Add missing Polish translations (#58939)
Clarify that Connection extra JSON masking is keyword-dependent (#58587)
Add migration guide for Airflow 2 users accessing database in tasks (#57479)
Update UIAlert import path and usage for v3 (#58891)
Add clarifying documentation for TaskGroup parameters (#58880)
Enhance asset extra field documentation (#58830)
Update mask_secret documentation to use the latest import path (#58534)
Improve disable_bundle_versioning configuration documentation (#58405)
Fix documentation for installing from sources (#58373)
Fix broken link on installing-from-sources page (#58324)
Add missing DAG run table translations (#58572)

Apache Airflow 3.1.3

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.3/
📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.3/
🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.3/release_notes.html
🐳 Docker Image: "docker pull apache/airflow:3.1.3"
🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.3

Significant Changes

Fix Connection & Variable access in API server contexts (plugins, log handlers)(#56583)

Previously, hooks used in API server contexts (plugins, middlewares, log handlers) would fail with an ImportError
for SUPERVISOR_COMMS, because SUPERVISOR_COMMS only exists in task runner child processes.

This has been fixed by implementing automatic context detection with three separate secrets backend chains:

Context Detection:

1. Client contexts (task runner in worker): Detected via SUPERVISOR_COMMS presence
2. Server contexts (API server, scheduler): Explicitly marked with _AIRFLOW_PROCESS_CONTEXT=server environment variable
3. Fallback contexts (supervisor, unknown contexts): Neither marker present, uses minimal safe chain

Backend Chains:

• Client: EnvironmentVariablesBackend → ExecutionAPISecretsBackend (routes to Execution API via SUPERVISOR_COMMS)
• Server: EnvironmentVariablesBackend → MetastoreBackend (direct database access)
• Fallback: EnvironmentVariablesBackend only (+ external backends from config like AWS Secrets Manager, Vault)

The fallback chain is crucial for supervisor processes (worker-side, before task runner starts) which need to access
external secrets for remote logging setup but should not use MetastoreBackend (to maintain worker isolation).

Architecture Benefits:

• Workers (supervisor + task runner) never use MetastoreBackend, maintaining strict isolation
• External secrets backends (AWS Secrets Manager, Vault, etc.) work in all three contexts
• Supervisor falls back to Execution API client for connections not found in external backends
• API server and scheduler have direct database access for optimal performance

Impact:

• Hooks like GCSHook, S3Hook now work correctly in log handlers and plugins
• No code changes required for existing plugins or hooks
• Workers remain isolated from direct database access (network-level DB blocking fully supported)
• External secrets work everywhere (workers, supervisor, API server)
• Robust handling of unknown contexts with safe minimal chain

See: #56120 <https://github.com/apache/airflow/issues/56120>, #56583 <https://github.com/apache/airflow/issues/56583>, #51816 <https://github.com/apache/airflow/issues/51816>__

Remove insecure dag reports API endpoint that executed user code in API server (#56609)

The /api/v2/dagReports endpoint has been removed because it loaded user DAG files directly in the API server process,
violating Airflow's security architecture. This endpoint was not used in the UI and had no known consumers.
Use the airflow dags report CLI command instead for DAG loading reports.

Bug Fixes

• Fix HITL tasks not properly validating params (#57547) (#58144)
• Fix secrets being exposed in Jinja template rendering error messages (#57467) (#57962)
• UI: Fix slow loading on next run assets page (#58052) (#58064)
• Fix logout not working in airflow-core (#57990) (#58043)
• Fix slow loading on UI [(#57820) (#57856), (#57956) (#57973), (#57957) (#57972),(#57869) (#57882), (#57868) (#57918),(#57624) (#57757)]
• UI: Fix log download to include .txt file extension (#57991) (#58040)
• Fix scheduler using incorrect max_active_runs value from cached DAG (#57619) (#57959)
• Fix database migration failures when XCom contains NaN values (#57866) (#57893)
• Fix incorrect task context in trigger rule scenarios (#57884) (#57892)
• UI: Fix test connection not working (#57811) (#57852)
• Fix worker healthcheck timeout not respecting worker-timeout CLI option (#57731) (#57854)
• Fix provider hooks not loading when FAB provider is not installed (#57717) (#57830)
• Fix slow API responses for task instances list [(#57645) (#57794), (#57646) (#57664),(#57500) (#57735), (#57549) (#57738), (#57450) (#57736),(#57647) (#57732)]
• Fix task instance errors when tasks are triggered by trigger rules (#57474) (#57786)
• Fix type consistency for extra field in Asset, AssetAlias, and AssetEvent (#57352) (#57728)
• Fix upgrade failures when XCom contains NaN in string values (#57614)

Miscellaneous

• UI: Add resize functionality to DAG run and task instance notes (#57897) (#58068)
• Add Taiwan translation for UI (#58121)
• UI: Shorten German translation of Asset in navigation (#57671) (#57690)
• Fix code formatting via ruff preview (#57641) (#57670)
• Remove remnants from unlimited parallelism in local executor (#57579) (#57644)

Doc Only Changes

• Add learning from Airflow 3 migration guide (#57989) (#58083)
• Fix duplicate mention of 'DAGs' and 'tasks' in overview documentation (#57524) (#57793)
• Document asset event extra storage behavior (#57727) (#57734)