Add multi-team lookup to Kubernetes secrets backend #65694

Open
PrithviBadiga wants to merge 3 commits into apache:main from PrithviBadiga:prithvi/kubernetes-multi-team-secrets

@PrithviBadiga
Contributor

Adds multi-team lookup support to KubernetesSecretsBackend.

Updates:

  • add team_label support for discovering team-scoped secrets
  • look up team-scoped secrets first when team_name is provided
  • fall back to unlabeled global secrets when no team-scoped secret exists
  • avoid resolving team-scoped identifiers as global secrets when team_name is not provided
  • document the Kubernetes team label selector behavior

Lookup behavior:

  • team-scoped: {id_label}={secret_id},{team_label}={team_name}
  • global fallback: {id_label}={secret_id},!{team_label}

Verification:

  • AIRFLOW_HOME=$(mktemp -d) PYTHONPATH=/Users/prith/Desktop/Codex/airflow-65682/airflow-core/src:/Users/prith/Desktop/Codex/airflow-65682/providers/cncf/kubernetes/src /Users/prith/Desktop/Codex/airflow/.venv/bin/python -m pytest /Users/prith/Desktop/Codex/airflow-65689-kubernetes/providers/cncf/kubernetes/tests/unit/cncf/kubernetes/secrets/test_kubernetes_secrets_backend.py
  • /Users/prith/Desktop/Codex/airflow/.venv/bin/python -m ruff check /Users/prith/Desktop/Codex/airflow-65689-kubernetes/providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/secrets/kubernetes_secrets_backend.py /Users/prith/Desktop/Codex/airflow-65689-kubernetes/providers/cncf/kubernetes/tests/unit/cncf/kubernetes/secrets/test_kubernetes_secrets_backend.py
  • /Users/prith/Desktop/Codex/airflow/.venv/bin/python -m ruff format --check /Users/prith/Desktop/Codex/airflow-65689-kubernetes/providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/secrets/kubernetes_secrets_backend.py /Users/prith/Desktop/Codex/airflow-65689-kubernetes/providers/cncf/kubernetes/tests/unit/cncf/kubernetes/secrets/test_kubernetes_secrets_backend.py

Part of: #65682
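
The lookup order described in this PR description, as an added Python sketch that is not the PR's code: it evaluates the two selector forms against constructed secret metadata. The label keys `example.org/connection-id` and `example.org/team`, and all secret names and values, are assumptions made for the illustration.

```python
# Added illustration; label keys and secret data are constructed, not Airflow defaults.
ID_LABEL = "example.org/connection-id"  # stands in for {id_label}
TEAM_LABEL = "example.org/team"         # stands in for {team_label}

SECRETS = [  # constructed stand-in for the Secrets in one namespace
    {"name": "db-global", "labels": {ID_LABEL: "db"}, "value": "global-uri"},
    {"name": "db-team-a", "labels": {ID_LABEL: "db", TEAM_LABEL: "team_a"}, "value": "team-a-uri"},
    {"name": "s3-team-a", "labels": {ID_LABEL: "s3", TEAM_LABEL: "team_a"}, "value": "team-a-s3"},
]


def team_selector(secret_id, team_name):
    return f"{ID_LABEL}={secret_id},{TEAM_LABEL}={team_name}"


def global_selector(secret_id):
    # "!key" selects only objects that do not carry the label at all.
    return f"{ID_LABEL}={secret_id},!{TEAM_LABEL}"


def matches(labels, selector):
    """Evaluate the two selector terms used here: key=value and !key."""
    for term in selector.split(","):
        if term.startswith("!"):
            if term[1:] in labels:
                return False
        else:
            key, _, value = term.partition("=")
            if labels.get(key) != value:
                return False
    return True


def lookup(secret_id, team_name=None):
    """Try the team-scoped selector first (if a team is given), then the global one."""
    selectors = [global_selector(secret_id)]
    if team_name:
        selectors.insert(0, team_selector(secret_id, team_name))
    for selector in selectors:
        hits = [s for s in SECRETS if matches(s["labels"], selector)]
        if hits:
            return hits[0]["value"]
    return None
```

In this sketch the `!{team_label}` term is what keeps a team-labelled secret from matching a lookup made without `team_name` or on behalf of a different team.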

Contributor

@jscheffl jscheffl left a comment

Looks good to me. @o-nikolas can you make a second pass as multi-team expert?

Contributor

Copilot AI left a comment

Pull request overview

Adds multi-team lookup behavior to the KubernetesSecretsBackend so Connections/Variables can be resolved as team-scoped secrets first (via a configurable team label), with a global (unlabeled) fallback and a guard to prevent team-scoped identifiers being accessed without a team context.

Changes:

  • Add team_label configuration and implement team-first then global-fallback label selection.
  • Add a guard preventing team-scoped secret identifiers from being resolved when team_name is not provided.
  • Update unit tests and provider docs to reflect the new selector behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/secrets/kubernetes_secrets_backend.py | Implements team-aware secret lookup and the “team-scoped accessed as global” guard. |
| providers/cncf/kubernetes/tests/unit/cncf/kubernetes/secrets/test_kubernetes_secrets_backend.py | Updates selectors in existing tests and adds new multi-team tests. |
| providers/cncf/kubernetes/docs/secrets-backends/kubernetes-secrets-backend.rst | Documents the new team_label parameter and multi-team selector behavior. |

@potiuk added the "ready for maintainer review" label (Set after triaging when all criteria pass.) Apr 23, 2026
Labels

  • area:providers
  • area:secrets
  • kind:documentation
  • provider:cncf-kubernetes (Kubernetes (k8s) provider related issues)
  • ready for maintainer review (Set after triaging when all criteria pass.)
