Redacting the sensitive env variables in env_vars for KPO #39003
base: main
It reminds me about #28086
mask_secret(self.env_vars) | ||
self.env_vars = redact(self.env_vars) |
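Review bot: `self.env_vars = redact(self.env_vars)` overwrites the attribute the operator later uses to build the pod spec, so any variable whose name matches a sensitive key would reach the container as `***` instead of its real value; keep the real env_vars for the pod and apply `redact` only to the copy that is rendered (the `mask_secret(self.env_vars)` call above already covers the task-log side by registering the values). Tests for this change should assert both halves: the rendered/templated representation shows `***`, and the env section of the pod request object still carries the original value. They should also cover the form env_vars has at the point `redact` runs (a plain dict versus the k8s env-var objects it is converted to), since the masker keys its decision on the variable name, so a secret under a non-sensitive name such as `DB_HOST` is not redacted at all.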
Can we test it to make sure values are masked?
Yes, I have added the testing results in the PR description. @eladkal
Unit test cases are needed for this change.
Yeah, looking at it.
Personally, I override the KPO to create a secret object and mount it to the pod, then I use the KPO callbacks to make the pod its owner (for auto-cleanup). I think we should resolve the issue @eladkal mentioned, but there is no harm in protecting environment vars; we do need to add some tests for it, though.
@hussein-awala yeah, some test coverage would be nice. I just wanted to understand how the portion that interacts with the DB can be tested here. I was trying something along these lines:
But I constantly get this:
The pod object also contains the unprotected env_vars, so we need a DB interaction for sure. Any suggestions?
@hussein-awala @potiuk @eladkal I need some help in adding the unit tests here. I tried, but it looks like I am unable to store the results in the DB and check them. There are static check issues as well.
I think your problems were with the DB not being recreated: the error indicates you need to reset the DB with the latest changes, as this column has been added recently.
@ashb @potiuk @eladkal I need some help with fixing the unit tests on this change, and I also want to ask what kind of testing needs to be performed here to mark this task complete. So I am trying to write a UT which calls the KPO init and then checks the DB for the
Basically I want to validate this:
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.
env_vars in the KPO can sometimes contain secret values, and these are shown verbatim in the rendered template.
To fix this, I am passing env_vars through the redact filter in the secrets masker so that the values are hidden from the rendered template as well as from the task logs.
The example DAG I tried and the results are here:
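The following is an added illustration, not code from this PR or from Airflow, of the two behaviours the description and the testing discussion above turn on: the secrets masker redacts only values whose key name looks sensitive and returns a copy, while `mask_secret` registers the values so they are scrubbed from log lines. It is a small stand-alone model (the `EnvVar` dataclass stands in for `k8s.V1EnvVar`, the `SENSITIVE_KEY_NAMES` list mirrors the commonly documented Airflow defaults, and `build_pod_env` is a hypothetical stand-in for building the pod's env section). `demo()` also shows why redacting `self.env_vars` in place is a problem: the pod would receive `***` instead of the real value, which is exactly the pair of assertions a unit test for this change should make.

```python
"""Stand-alone model of env_vars redaction for a KPO-style operator.

Added example, not Airflow's or the PR's code. It re-implements, in simplified
form, the secrets-masker behaviour the PR relies on and the check a unit test
for the change should make: the rendered copy is masked, the pod env is not.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: modelled on Airflow's default sensitive_variable_fields; the real
# list is configurable and substring-matched against the lower-cased key name.
SENSITIVE_KEY_NAMES = (
    "access_token", "api_key", "apikey", "authorization", "passphrase",
    "passwd", "password", "private_key", "secret", "token", "keyfile_dict",
    "service_account",
)
REDACTED = "***"


@dataclass
class EnvVar:
    """Minimal stand-in for kubernetes.client.V1EnvVar (name/value only)."""
    name: str
    value: str | None = None


def should_hide_value_for_key(name: str) -> bool:
    """True if the key name contains any sensitive marker (e.g. DB_PASSWORD)."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_KEY_NAMES)


def redact_env_vars(env_vars):
    """Return a redacted COPY of env_vars (dict or list of EnvVar).

    Only values under a sensitive key are replaced; the input is left intact
    because the same object is later used to build the pod spec.
    """
    if isinstance(env_vars, dict):
        return {k: (REDACTED if v and should_hide_value_for_key(k) else v)
                for k, v in env_vars.items()}
    return [EnvVar(e.name, REDACTED if e.value and should_hide_value_for_key(e.name) else e.value)
            for e in env_vars]


class SecretsMasker:
    """Collects secret values (mask_secret) and scrubs them out of log lines."""

    def __init__(self) -> None:
        self._patterns: set[str] = set()

    def mask_secret(self, env_vars) -> None:
        items = env_vars.items() if isinstance(env_vars, dict) else ((e.name, e.value) for e in env_vars)
        for name, value in items:
            if value and should_hide_value_for_key(name):
                self._patterns.add(re.escape(value))

    def mask_log_line(self, line: str) -> str:
        if not self._patterns:
            return line
        # Longest patterns first so a secret that is a prefix of another is handled.
        return re.sub("|".join(sorted(self._patterns, key=len, reverse=True)), REDACTED, line)


def build_pod_env(env_vars) -> dict[str, str]:
    """Hypothetical stand-in for the pod-spec builder: it needs the real values."""
    if isinstance(env_vars, dict):
        return dict(env_vars)
    return {e.name: e.value or "" for e in env_vars}


def demo():
    """Run the masking flow on constructed sample env_vars and return the results."""
    # Constructed sample input: one sensitive and one harmless variable.
    env_vars = [EnvVar("DB_PASSWORD", "hunter2"), EnvVar("DB_HOST", "db.internal")]
    masker = SecretsMasker()
    masker.mask_secret(env_vars)              # register values for log scrubbing
    rendered = redact_env_vars(env_vars)      # what the rendered-template view shows
    pod_env = build_pod_env(env_vars)         # what the container actually receives
    log_line = masker.mask_log_line("connecting with password=hunter2 to db.internal")
    # The pitfall: overwriting env_vars with the redacted copy before building the pod.
    broken_pod_env = build_pod_env(redact_env_vars(env_vars))
    return rendered, pod_env, log_line, broken_pod_env


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The split between `redact_env_vars` (a copy for rendering) and `build_pod_env` (the originals for the pod) is the point a test should pin down: assert `***` in the rendered form and the real value in the pod env, and include a secret stored under a non-sensitive name to document that name-based masking does not catch it.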