The GitHub Actions job "Tests" on airflow.git/main has failed. Run started by GitHub user potiuk (triggered by potiuk).
Head commit for run: 43b51932f90d27d94c4e8d13fcb7ef85a97ebe98 / Piotr Klinski <[email protected]> Add JWT/OIDC authentication support to Hashicorp Vault provider (#61439) * Add JWT/OIDC authentication support to Hashicorp Vault provider This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation. Key features: - New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend - Support for jwt_token parameter or automatic token retrieval from jwt_path - Configurable jwt_role for Vault role binding - Full backwards compatibility with existing auth methods Use cases enabled: - Kubernetes workload identity with projected service account tokens - Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD) - CI/CD pipelines (GitHub Actions OIDC, GitLab CI) - External identity providers (Auth0, Okta, Keycloak) Co-Authored-By: Claude Opus 4.5 <[email protected]> * Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py Co-authored-by: Wei Lee <[email protected]> * Update providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py Co-authored-by: Wei Lee <[email protected]> * update the args order for methods * Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py Co-authored-by: Wei Lee <[email protected]> * apply fixes for oorder in new jwt parameter for docsstring * Address PR review: use stricter mock assertions and inline kwargs Replace assert_called_with with call_args_list assertions in JWT tests to verify exact number of calls. Inline kwargs dicts directly into VaultHook() constructor calls where they are only used once. Co-Authored-By: Claude Opus 4.6 <[email protected]> * - remove jwt token defaults - fix documentaion - minor fiex * Remove DEFAULT_JWT_TOKEN_PATH constant and K8s fallback from JWT auth JWT is a general-purpose Vault auth method, not tied to Kubernetes. Remove the DEFAULT_JWT_TOKEN_PATH constant (which pointed to the K8s service account token path) and its fallback in VaultHook. Users must now explicitly provide either jwt_token or jwt_token_path when using JWT auth, otherwise _VaultClient raises a clear validation error. Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: Claude Opus 4.5 <[email protected]> Co-authored-by: Wei Lee <[email protected]> Report URL: https://github.com/apache/airflow/actions/runs/21831735392 With regards, GitHub Actions via GitBox --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
