wolfdn opened a new pull request, #67157:
URL: https://github.com/apache/airflow/pull/67157

   
   ## Problem
   
   The Azure Key Vault secrets backend raises an `HttpResponseError` (BadParameter) when Airflow requests a variable whose key contains a dot. Azure Key Vault secret names only allow alphanumeric characters and dashes (`[a-zA-Z0-9-]`), so dots in the variable key cause the API call to fail.
   
   This affects:
   
   - **Any user-defined variable with a dot in its name** — e.g. a variable named `my.app.setting` will fail when looked up through this backend.
   - **The `PythonVirtualenvOperator` specifically** — it calls `Variable.get("PythonVirtualenvOperator.cache_key", "")` on every execution to compute its virtualenv cache hash. This means every DAG using `PythonVirtualenvOperator` produces an ERROR on every run when the Azure Key Vault backend is configured, even though the variable not existing is perfectly fine (it defaults to `""`).
   
   The resulting error floods the logs:
   
   ```
   ERROR - Unable to retrieve variable from secrets backend (AzureKeyVaultBackend).
   HttpResponseError: (BadParameter) The request URI contains an invalid name: airflow-variables-PythonVirtualenvOperator.cache-key
   ```
   
   ## Fix
   
   1. **Rename the `PythonVirtualenvOperator` cache variable** from `PythonVirtualenvOperator.cache_key` to `python_virtualenv_operator_cache_key`. This avoids the dot that is incompatible with secrets backends that restrict allowed characters (like Azure Key Vault). The underscore-only name is properly normalized by the existing `build_path` logic.
   
   2. **Add a validation guard in the Azure Key Vault backend** — `_get_secret_value` now validates the constructed secret name against Azure Key Vault's naming rules (1-127 chars, alphanumeric and dashes only) before making the API call. Invalid names return `None` with a WARNING log, alerting the user that their variable cannot be resolved via Key Vault. This replaces the previous behavior of letting Azure throw an unhandled `HttpResponseError` at ERROR level.
   
   ## Migration note
   
   The cache hash computation for `PythonVirtualenvOperator` now reads from `python_virtualenv_operator_cache_key` instead of `PythonVirtualenvOperator.cache_key`. Since most users never set this variable (it's an optional manual cache-busting override), the only effect is a one-time rebuild of cached virtual environments due to the changed hash input.
   
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [x] Yes (please specify the tool below)
     GitHub Copilot - Claude Opus 4.6
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
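
The name check described under "Fix" in the pull request above, as an added example that is not code from the PR or from Airflow. `build_secret_name`, `is_valid_key_vault_name`, `get_secret_value` and the `fetch` callable are hypothetical names; the prefix join and underscore-to-dash mapping are assumptions inferred from the secret name shown in the error log.

```python
import logging
import re

log = logging.getLogger("kv_name_guard")

# Rule as stated in the PR description: 1-127 characters, alphanumerics and dashes.
KEY_VAULT_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")


def build_secret_name(prefix: str, key: str, sep: str = "-") -> str:
    """Hypothetical stand-in for the backend's path building (assumption):
    join prefix and key with `sep` and map underscores to dashes, which
    reproduces the name shown in the error log above."""
    return f"{prefix}{sep}{key}".replace("_", "-")


def is_valid_key_vault_name(name: str) -> bool:
    # fullmatch() rather than match() with '$': '$' also matches before a
    # trailing newline, which would let "name\n" through.
    return KEY_VAULT_NAME_RE.fullmatch(name) is not None


def get_secret_value(prefix: str, key: str, fetch):
    """Return the secret, or None without calling `fetch` when the name
    could never exist in Key Vault. `fetch` is a hypothetical callable
    standing in for the vault client lookup."""
    name = build_secret_name(prefix, key)
    if not is_valid_key_vault_name(name):
        # %r escapes control characters, so a key containing newlines
        # cannot split the warning into forged log lines.
        log.warning("Secret name %r is not a valid Key Vault name; skipping lookup", name)
        return None
    return fetch(name)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample store, not real vault contents.
    store = {"airflow-variables-python-virtualenv-operator-cache-key": "v2"}
    for key in ("PythonVirtualenvOperator.cache_key", "python_virtualenv_operator_cache_key"):
        print(key, "->", get_secret_value("airflow-variables", key, store.get))
```
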