Fix leak sensitive field via V1EnvVar on exception #29016
Merged
Commits on Feb 18, 2023
-
Fix leak sensitive field via V1EnvVar on exception
Currently the KubernetesPodOperator `env_vars` will be printed on the task logs if there is any templating error (like an `UndefinedError`, `TemplateSyntaxError` or `KeyError`) ``` [2023-01-16, 23:03:17 UTC] {abstractoperator.py:592} ERROR - Exception rendering Jinja template for task 'dry_run_demo', field 'env_vars'. Template: [{'name': 'password', 'value': 'secretpassword', 'value_from': None}, {'name': 'VAR2', 'value': '{{ var.value.nonexisting}}', 'value_from': None}] Traceback (most recent call last): File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/models/abstractoperator.py", line 585, in _do_render_template_fields rendered_content = self.render_template( File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/models/abstractoperator.py", line 657, in render_template return [self.render_template(element, context, jinja_env, oids) for element in value] File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/models/abstractoperator.py", line 657, in <listcomp> return [self.render_template(element, context, jinja_env, oids) for element in value] File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/models/abstractoperator.py", line 664, in render_template self._render_nested_template_fields(value, context, jinja_env, oids) File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py", line 321, in _render_nested_template_fields self._do_render_template_fields(content, ("value", "name"), context, jinja_env, seen_oids) ... ... File "/Users/rubelagu/.pyenv/versions/3.10.7/envs/venv-airflow-250/lib/python3.10/site-packages/airflow/models/variable.py", line 141, in get raise KeyError(f"Variable {key} does not exist") KeyError: 'Variable nonexisting does not exist' ``` this happens when there is any error on the templates. For example a `KeyError` raised when using `var.value.somemistypedvalue`: ``` env_vars={ "password": "{{ conn.test_connection.password }}", "VAR2": "{{ var.value.nonexisting}}", }, ``` This PR uses the `airflow.utils.log.secrets_maker.redact` to remove any field contained in `DEFAULT_SENSITIVE_FIELDS` or `sensitive_var_conn_names`. -
-
-
-
-
-
Commits on Feb 20, 2023
-
Update kubernetes_tests/test_kubernetes_pod_operator.py
Co-authored-by: Andrey Anshin <Andrey.Anshin@taragol.is>
Commits on Feb 21, 2023
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.