Description
Apache Airflow version
3.1.7
If "Other Airflow 3 version" selected, which one?
It is related to airflow task sdk, and all 3.x versions are affected
What happened?
With a more secure Airflow setup, for example putting the Airflow API server behind a reverse proxy like Envoy that requires client certificate verification, the current implementation of the Airflow task SDK leaves workers unable to communicate with the API server, because the reverse proxy will reject the request due to the lack of a client certificate.
The client passes verify for the TLS truststore cert but never passes cert or sends the client certificates (ssl_key and ssl_cert for clients). As a result, the request is missing client information and reverse proxies will just reject it with a 403 error.
What you think should happen instead?
Although not everyone uses client certificates in their environments, this should be configurable, like reading a client-side Airflow configuration (for example task_sdk.ssl_cert, task_sdk.ssl_key, task_sdk.cacert) and allowing us to pass the client certs for a secured setup.
How to reproduce
Put the Airflow API behind a reverse proxy like Envoy and force client certificate verification. Workers will then not be able to send any execution API requests to the API server.
Operating System
We are deploying using the official Docker image
Versions of Apache Airflow Providers
It can be reproduced for all the versions of task sdk available as of 02/13/2026
Deployment
Other Docker-based deployment
Deployment details
Our API server is behind Envoy, and Envoy is configured to do client verification
Anything else?
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct
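
The gap described in this issue, as an added sketch that is not Airflow's code or a patch from the reporter: it builds one `ssl.SSLContext` that both verifies the server and presents a client certificate, for an HTTP client that accepts a context. The dict keys reuse the option names the issue proposes (`ssl_cert`, `ssl_key`, `cacert`); they are assumptions, not existing Airflow settings, and the key-permission check is an extra hardening step the issue does not ask for.

```python
import os
import ssl
import stat


def build_client_ssl_context(conf):
    """Return an ssl.SSLContext for the worker-to-API-server connection.

    `conf` is a plain dict keyed by the option names proposed in the issue
    (hypothetical settings, used here only for illustration).
    """
    cacert = conf.get("cacert") or None
    cert = conf.get("ssl_cert")
    key = conf.get("ssl_key")

    # Server side of the handshake: trust the configured CA bundle, or the
    # system store when none is given. Hostname checking stays enabled.
    ctx = ssl.create_default_context(cafile=cacert)

    if not cert and not key:
        # The situation the issue reports: the server is verified, but the
        # client has no identity to present to an mTLS-enforcing proxy.
        return ctx

    if not (cert and key):
        raise ValueError("ssl_cert and ssl_key must be configured together")

    # Refuse a private key that group or other can access.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{key} is accessible to group/other (mode {mode:o})"
        )

    # Client side of the handshake: load the certificate and key so they are
    # sent when the proxy requests a client certificate. A malformed file
    # raises ssl.SSLError here, at start-up, instead of on the first request.
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx
```
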