kaxil commented on code in PR #47946:
URL: https://github.com/apache/airflow/pull/47946#discussion_r2005304733
##########
airflow/config_templates/config.yml:
##########
@@ -1416,6 +1416,29 @@ api:
version_added: 2.7.0
example: ~
default: "False"
+workers:
+ description: Configuration related to workers that run Airflow tasks.
+ options:
+ secrets_backend:
+ description: |
+ Full class name of secrets backend to enable for workers (will precede
env vars backend)
+ version_added: 3.0.0
+ type: string
+ example:
"airflow.providers.amazon.aws.secrets.systems_manager.SystemsManagerParameterStoreBackend"
+ default: ""
+ secrets_backend_kwargs:
+ description: |
+ The secrets_backend_kwargs param is loaded into a dictionary and
passed to ``__init__``
+ of secrets backend class. See documentation for the secrets backend
you are using.
+ JSON is expected.
+
+ Example for AWS Systems Manager ParameterStore:
+ ``{"connections_prefix": "/airflow/connections", "profile_name":
"default"}``
+ version_added: 3.0.0
+ type: string
+ sensitive: true
+ example: ~
+ default: ""
Review Comment:
I am not sold on requiring a separate config.
We can re-use the same config on both workers and api-server. As that
configuration just tells us how to connect to a secrets backend.
If users want to have separate secrets backend on API-server and Workers,
they can have different values set for the same config.
E.g.
Worker has
```env
AIRFLOW__SECRETS__BACKEND=airflow.providers.amazon.aws.secrets.systems_manager.SystemsManagerParameterStoreBackend
```
and API-server has:
```env
AIRFLOW__SECRETS__BACKEND=airflow.providers.hashicorp.secrets.vault.VaultBackend
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
