jscheffl commented on code in PR #61527: URL: https://github.com/apache/airflow/pull/61527#discussion_r2836421168
########## providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/secrets/kubernetes_secrets_backend.py: ########## @@ -0,0 +1,218 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +"""Objects relating to sourcing connections, variables, and configs from Kubernetes Secrets.""" + +from __future__ import annotations + +import base64 +from functools import cached_property +from pathlib import Path + +from kubernetes.client import ApiClient, CoreV1Api +from kubernetes.config import load_incluster_config + +from airflow.exceptions import AirflowException +from airflow.secrets import BaseSecretsBackend +from airflow.utils.log.logging_mixin import LoggingMixin + + +class KubernetesSecretsBackend(BaseSecretsBackend, LoggingMixin): + """ + Retrieve connections, variables, and configs from Kubernetes Secrets using labels. + + This backend discovers secrets by querying Kubernetes labels, enabling integration + with External Secrets Operator (ESO), Sealed Secrets, or any tool that creates + Kubernetes secrets — regardless of the secret's name. + + Configurable via ``airflow.cfg``: + + .. code-block:: ini + + [secrets] + backend = airflow.providers.cncf.kubernetes.secrets.kubernetes_secrets_backend.KubernetesSecretsBackend + backend_kwargs = {"namespace": "airflow", "connections_label": "airflow.apache.org/connection-id"} + + The secret must have a label whose key matches the configured label and whose value + matches the requested identifier (conn_id, variable key, or config key). The actual + secret value is read from the ``value`` key in the secret's data. + + Example Kubernetes secret for a connection named ``my_db``: + + .. code-block:: yaml + + apiVersion: v1 + kind: Secret + metadata: + name: anything + labels: + airflow.apache.org/connection-id: my_db + data: + value: <base64-encoded-connection-uri> + + **Authentication:** Uses ``kubernetes.config.load_incluster_config()`` directly + for in-cluster authentication. Does not use KubernetesHook or any Airflow connection, + avoiding circular dependencies since this IS the secrets backend. + The namespace can be set explicitly via ``backend_kwargs``. If not set, it is + auto-detected from the pod's service account metadata at + ``/var/run/secrets/kubernetes.io/serviceaccount/namespace``. If auto-detection + fails (e.g. automountServiceAccountToken is disabled), an error is raised. Review Comment: Either the terms needs to be added to spelling wordlist or you need to mark it as code, to make spellcheck in docs build happy... I think ```suggestion fails (e.g. ``automountServiceAccountToken`` is disabled), an error is raised. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
