JDKnobloch opened a new issue, #44621:
URL: https://github.com/apache/airflow/issues/44621

   ### Official Helm Chart version
   
   1.15.0 (latest released)
   
   ### Apache Airflow version
   
   2.10.3
   
   ### Kubernetes Version
   
   1.30
   
   ### Helm Chart configuration
   
   ```
   config:
     secrets:
       backend: "custom_providers.vault_secret.VaultSecret"
       backend_kwargs: '{"connections_path": "airflow/connections", "mount_point": null, "url": "vault.vault.svc.cluster.local", "auth_type": "aws_iam"}'
   env:
     - name: "AIRFLOW__SECRETS__BACKEND"
       value: "custom_providers.vault_secret.VaultSecret"
     - name: "AIRFLOW__SECRETS__BACKEND_KWARGS"
       value: "{\"connections_path\": \"airflow/connections\", \"mount_point\": null, \"url\": \"vault.vault.svc.cluster.local\", \"auth_type\": \"aws_iam\"}"
   ```
   
   ### Docker Image customizations
   
   _No response_
   
   ### What happened
   
   All log groomer sidecars (both on triggerer and scheduler) fail w/ the error:
   
   > ERROR! Maximum number of retries (20) reached.
   > Last check result:
   > $ airflow db check
   > Traceback (most recent call last):
   >   File "/home/airflow/.local/bin/airflow", line 5, in <module>
   >     from airflow.__main__ import main
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/__init__.py", line 53, in <module>
   >     from airflow import configuration, settings
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/configuration.py", line 2371, in <module>
   >     secrets_backend_list = initialize_secrets_backends()
   >                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/configuration.py", line 2279, in initialize_secrets_backends
   >     custom_secret_backend = get_custom_secret_backend()
   >                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/configuration.py", line 2267, in get_custom_secret_backend
   >     return secrets_backend_cls(**backend_kwargs)
   >            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/hashicorp/secrets/vault.py", line 141, in __init__
   >     self.vault_client = _VaultClient(
   >                         ^^^^^^^^^^^^^
   >   File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/hashicorp/_internal_client/vault_client.py", line 134, in __init__
   >     raise VaultError("The 'token' authentication type requires 'token' or 'token_path'")
   > hvac.exceptions.VaultError: The 'token' authentication type requires 'token' or 'token_path', on None None
   
   When I ssh to the container and echo for the env variables in question the following outputs occur:
   
   > airflow@ci-airflow-triggerer-0:/opt/airflow$ echo $AIRFLOW__SECRETS__BACKEND
   > custom_providers.vault_secret.VaultSecret
   > airflow@ci-airflow-triggerer-0:/opt/airflow$ echo $AIRFLOW__SECRETS__BACKEND_KWARGS
   > 
   > airflow@ci-airflow-triggerer-0:/opt/airflow$
   
   I can also see that the env section is properly filled out for other sidecars / init containers in the live manifest but not for groomers - running echos from the main containers have the expected results.
   
   ### What you think should happen instead
   
   The groomers should populate configuration properly and be able to function when using a Vault secret backend.
   
   ### How to reproduce
   
   Attempt to use groomers while supplying a Vault secret backend
   
   ### Anything else
   
   Initially we were supplying these arguments only via env variables - at which point the Jobs created by the chart (create-user and run-airflow-migration) were also failing with the same logs / the env variables are not populated properly for these either.
   
   Changing to hard coding the Values.config section fixed this issue. We attempted only env variables, only Values.config, and both, and none populate properly.
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
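
Added example (not part of the original issue, and not Airflow or Helm chart code): a check over a pod's JSON, as produced by `kubectl get pod <pod> -o json`, that reports containers lacking an `AIRFLOW__SECRETS__*` variable that a sibling container has, which is the mismatch described above. The sample pod and its container names are constructed, and only the literal `env` list is inspected (`envFrom` sources are not resolved).

```python
import json
import sys

PREFIX = "AIRFLOW__SECRETS__"

def _env(kwargs_value):
    # Constructed env list; the backend class name is the one from the report.
    return [
        {"name": PREFIX + "BACKEND", "value": "custom_providers.vault_secret.VaultSecret"},
        {"name": PREFIX + "BACKEND_KWARGS", "value": kwargs_value},
    ]

# Constructed sample shaped like `kubectl get pod <pod> -o json`; the
# container names are illustrative assumptions, not taken from the report.
SAMPLE_POD = {"spec": {
    "initContainers": [{"name": "wait-for-airflow-migrations", "env": _env('{"auth_type": "aws_iam"}')}],
    "containers": [
        {"name": "triggerer", "env": _env('{"auth_type": "aws_iam"}')},
        {"name": "triggerer-log-groomer", "env": _env("")},  # kwargs empty in the sidecar
    ],
}}

def secrets_env_by_container(pod):
    """Map container name -> set of AIRFLOW__SECRETS__* variables that are actually set."""
    found = {}
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind) or []:
            found[container["name"]] = {
                e["name"] for e in container.get("env") or []
                # An empty literal value with no valueFrom counts as unset.
                if e.get("name", "").startswith(PREFIX) and (e.get("value") or e.get("valueFrom"))
            }
    return found

def missing_secrets_env(pod):
    """Return {container: [variables set in a sibling container but not here]}."""
    per_container = secrets_env_by_container(pod)
    expected = set().union(*per_container.values())
    return {name: sorted(expected - have)
            for name, have in per_container.items() if expected - have}

if __name__ == "__main__":
    # Usage: python check_env.py pod.json   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pod = json.load(fh)
    else:
        pod = SAMPLE_POD
    for name, missing in missing_secrets_env(pod).items():
        print(f"{name}: missing {', '.join(missing)}")
```
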
   

