hussein-awala commented on issue #31648:
URL: https://github.com/apache/airflow/issues/31648#issuecomment-1615262106
> I have a feeling that the discusion is happening not where it shoudl (but
I saw @hussein-awala chiming in before so maybe it has already been settled
that this is the fix referred to at the very beginning? Do you think this is it
@hussein-awala ?
@potiuk I believe there's a bug in `GKEStartPodOperator` related to issue
#29266.
Before the PR mentioned, we used to create a temporary configuration file by
running the command `gcloud container clusters get-credentials`. We would then
use this file in the Kubernetes client. The `get-credentials` command
configures kubectl to automatically refresh its credentials using the same
identity as gcloud.
However, the PR introduced a new pod GKE hook that uses the following client
code:
```python
ApiClient(
configuration,
header_name="Authorization",
header_value=f"Bearer {access_token}",
)
```
This client uses static oauth2 credentials and cannot refresh them when they
expire. Since the default lifetime for GCP credentials is 3600 seconds, the
operator fails with an Unauthorized exception after one hour.
I'm currently working on fixing this issue and hope to have it resolved
before the next providers wave.
> Want to confirm the latest "safe" version. Looks like the issue was
introduced somewhere between 2.1.15 and 2.3.1. Anyone running a 2.2.x release
able to vouch for its stability with regards to this?
@glevineLeap This issue is not related to the Airflow version, but rather to
the version of the Google provider. All versions prior to 9.0.0 should work
without any problems.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
