From b3e4769d820ca03f62b734ba9e8c04c312b543e1 Mon Sep 17 00:00:00 2001
From: Tudor <tudor@sitaru.org>
Date: Thu, 26 Mar 2026 16:42:02 +0000
Subject: [PATCH] fix(airflow): set shared internal API secret key

When scheduler and api-server run in the same container, both generate
independent JWT signing keys on startup. The scheduler's task workers
then fail with 'Invalid auth token: Signature verification failed'
when communicating with the api-server. Fix by setting a shared
INTERNAL_API_SECRET_KEY via env var.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.portainer.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.portainer.yml b/docker-compose.portainer.yml
index 6287969..c8a9ff0 100644
--- a/docker-compose.portainer.yml
+++ b/docker-compose.portainer.yml
@@ -196,6 +196,7 @@ services:
       AIRFLOW__DATABASE__SQL_ALCHEMY_CONN: postgresql+psycopg2://${DB_USERNAME}:${DB_PASSWORD}@sc_database:5432/${DB_DATABASE_NAME}
       AIRFLOW__CORE__DAGS_FOLDER: /opt/pipeline/dags
       AIRFLOW__CORE__LOAD_EXAMPLES: "false"
+      AIRFLOW__CORE__INTERNAL_API_SECRET_KEY: "${DB_PASSWORD}-airflow-internal"
       AIRFLOW__CORE__SIMPLE_AUTH_MANAGER_USERS: "${AIRFLOW_ADMIN_USER:-admin}:admin"
       AIRFLOW__LOGGING__BASE_LOG_FOLDER: /opt/airflow/logs
       PG_HOST: sc_database