akhilesharora opened a new pull request, #63020: URL: https://github.com/apache/airflow/pull/63020
## Summary

Fix `EksPodOperator` with `deferrable=True` failing with 401 Unauthorized when the triggerer runs on a different host from the worker.

**Root Cause:** The kubeconfig exec block references a temp file path (`/tmp/tmpXYZ`) that only exists on the worker. When the trigger is serialized and sent to the triggerer, the exec block tries to source a file that doesn't exist.

**Solution:** Generate a kubeconfig with an embedded bearer token instead of an exec block with temp file references.

## Changes

- Added `EksHook.generate_config_dict_for_deferral()` - generates kubeconfig with embedded token
- Override `EksPodOperator.invoke_defer_method()` to use token-based config for triggerer
- Added comprehensive error handling for cluster lookup and token fetch failures
- Added 5 new tests covering success and error scenarios

## Security Considerations

- ✅ Token is encrypted at rest (Fernet encryption in trigger serialization)
- ✅ Token has short lifespan (~14 minutes for EKS)
- ✅ Token is never logged
- ✅ Robust error handling with actionable messages

## Test Plan

- [x] `test_generate_config_dict_for_deferral` - verifies embedded token config
- [x] `test_generate_config_dict_for_deferral_cluster_not_found` - error handling
- [x] `test_generate_config_dict_for_deferral_empty_token` - security validation
- [x] `test_generate_config_dict_for_deferral_token_fetch_failure` - error handling
- [x] `test_invoke_defer_method_generates_token_based_config` - operator integration
- [x] All existing EKS tests pass

Closes #61736

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Code (Opus 4.5)

Generated-by: Claude Code (Opus 4.5) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
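An added example, not code from the pull request or from Airflow: it contrasts a kubeconfig whose exec entry sources a host-local file with one that embeds the bearer token, and checks a config for dependencies that would not survive being serialized to another host. The helper names, the exec command line and all sample values are assumptions constructed for illustration.

```python
import copy

# Constructed sample values; none come from the PR or from Airflow's code.
CLUSTER, ENDPOINT, CA_DATA = "demo-cluster", "https://eks.example.invalid", "Q09OU1RSVUNURUQ="

def _kubeconfig(user):
    """Single-cluster kubeconfig dict around the given `user` credentials entry."""
    cluster = {"server": ENDPOINT, "certificate-authority-data": CA_DATA}
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": CLUSTER, "cluster": cluster}],
        "contexts": [{"name": "aws", "context": {"cluster": CLUSTER, "user": "aws"}}],
        "current-context": "aws",
        "users": [{"name": "aws", "user": user}],
    }

def exec_based_config(creds_file):
    """Exec-style entry: the command sources a file that exists only on this host."""
    return _kubeconfig({"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "sh",
        "args": ["-c", f". {creds_file} && print-token"],  # hypothetical command line
        "interactiveMode": "Never",
    }})

def token_based_config(token):
    """Embedded-token entry: self-contained, valid only until the token expires."""
    if not token:
        raise ValueError("refusing to build a kubeconfig with an empty token")
    return _kubeconfig({"token": token})

def host_local_dependencies(config):
    """List the reasons this kubeconfig would fail on a host other than its creator."""
    findings = []
    for entry in config.get("users", []):
        user = entry.get("user", {})
        if "exec" in user:
            findings.append(f"user {entry['name']}: exec plugin runs on the consuming host")
        findings += [f"user {entry['name']}: {key} is a local path"
                     for key in ("tokenFile", "client-certificate", "client-key") if key in user]
    findings += [f"cluster {c['name']}: certificate-authority is a local path"
                 for c in config.get("clusters", []) if "certificate-authority" in c.get("cluster", {})]
    return findings

def redacted(config):
    """Deep copy with the bearer token masked, for anything that reaches a log line."""
    safe = copy.deepcopy(config)
    for entry in safe.get("users", []):
        if "token" in entry.get("user", {}):
            entry["user"]["token"] = "***"
    return safe
```

Running `host_local_dependencies` on a config before it is handed to another process catches the cross-host failure at serialization time instead of as a 401 later; `redacted` is what should be passed to any logger.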
