Fix empty paths in Vault secrets backend #29908
Conversation
| if self.connections_path is None or conn_key is None: | ||
| return None | ||
|
|
||
| secret_path = self.build_path(self.connections_path, conn_key) | ||
| if self.connections_path == "": | ||
| secret_path = conn_key |
There was a problem hiding this comment.
why do we consider None and "" to be dealt differently?
There was a problem hiding this comment.
If we want to use Vault secrets backend only for connections, we can provide None for variables_path and config_path to return a quick None, then Airflow will check in the other backend secrets (Metadata then environment variables).
So I kept None here to deactivate some functionalities in the secrets backend.
There was a problem hiding this comment.
I believe this is because None can really only happens if there is no "/" in path and mount_point is not defined. Which is a basic requirement for vault - any time you expect something from vault you need to specify the mount_point and "/" is a way how it can be specified directly in the path.
related: #29666
Currently when we provide an empty string for
connections_path,variables_pathandconfig_path, Vault secrets backend tries to read the key/secret_keyinstead ofsecret_key. This PR handle the case when those paths are empty string.Why this is necessary?
#29734 added support for multiple mount_point, and these mount points can have different paths for variables, config and secrets, so instead of supporting multiple paths, providing the full secret path with empty string for
connections_path,variables_pathandconfig_pathcan solve the problem.