Re: [PR] Pass KE workload via mounted secret to workers [airflow]

[via GitHub]

github-advanced-security[bot] commented on code in PR #62129:
URL: https://github.com/apache/airflow/pull/62129#discussion_r2826423565


##########
providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/cli/kubernetes_command.py:
##########
@@ -199,3 +199,16 @@
     print(f'Deleting POD "{name}" from "{namespace}" namespace')
     api_response = kube_client.delete_namespaced_pod(name=name, 
namespace=namespace, body=delete_options)
     print(api_response)
+    _delete_workload_secret(name, namespace)
+
+
+def _delete_workload_secret(pod_name, namespace):
+    """Delete the workload secret associated with a pod if it exists."""
+    kube_client = get_kube_client()
+    secret_name = f"airflow-workload-{pod_name}"
+    try:
+        kube_client.delete_namespaced_secret(name=secret_name, 
namespace=namespace)
+        print(f'Deleted workload secret "{secret_name}" from "{namespace}" 
namespace')

Review Comment:
   ## Clear-text logging of sensitive information
   
   This expression logs [sensitive data (secret)](1) as clear text.
   
   [Show more 
details](https://github.com/apache/airflow/security/code-scanning/581)



##########
providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/cli/kubernetes_command.py:
##########
@@ -199,3 +199,16 @@
     print(f'Deleting POD "{name}" from "{namespace}" namespace')
     api_response = kube_client.delete_namespaced_pod(name=name, 
namespace=namespace, body=delete_options)
     print(api_response)
+    _delete_workload_secret(name, namespace)
+
+
+def _delete_workload_secret(pod_name, namespace):
+    """Delete the workload secret associated with a pod if it exists."""
+    kube_client = get_kube_client()
+    secret_name = f"airflow-workload-{pod_name}"
+    try:
+        kube_client.delete_namespaced_secret(name=secret_name, 
namespace=namespace)
+        print(f'Deleted workload secret "{secret_name}" from "{namespace}" 
namespace')
+    except ApiException as e:
+        if str(e.status) != "404":
+            print(f'Failed to delete workload secret "{secret_name}": {e}')

Review Comment:
   ## Clear-text logging of sensitive information
   
   This expression logs [sensitive data (secret)](1) as clear text.
   
   [Show more 
details](https://github.com/apache/airflow/security/code-scanning/582)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org