PrithviBadiga commented on code in PR #65694:
URL: https://github.com/apache/airflow/pull/65694#discussion_r3133139754


##########
providers/cncf/kubernetes/docs/secrets-backends/kubernetes-secrets-backend.rst:
##########
@@ -207,6 +208,74 @@ You can create a variable secret with ``kubectl``:
         airflow.apache.org/variable-key=my_var \
         --namespace=airflow
 
+Multi-team lookup
+"""""""""""""""""
+
+In multi-team mode, when ``team_name`` is provided, this backend first looks 
for a secret whose
+identifier label matches the requested connection or variable and whose 
``team_label`` matches the
+current team. If no team-scoped secret is found, it falls back to a global 
secret with the same
+identifier label and no team label.
+
+To use this mode, keep the backend enabled as usual and make sure your 
Kubernetes secrets include
+both:
+
+* the regular identifier label (for example 
``airflow.apache.org/connection-id=my_db``)
+* the configured ``team_label`` with the team name (for example 
``airflow.apache.org/team=team_a``)
+
+For example, this configuration keeps the default team label:
+
+.. code-block:: ini
+
+    [secrets]
+    backend = 
airflow.providers.cncf.kubernetes.secrets.kubernetes_secrets_backend.KubernetesSecretsBackend
+    backend_kwargs = {"team_label": "airflow.apache.org/team"}
+
+If you use a custom team label instead, configure it in ``backend_kwargs`` and 
apply the same label
+to your Kubernetes secrets.
+
+When ``team_name`` is not provided, the backend only queries for global 
secrets by requiring that
+the configured ``team_label`` is absent (``!team_label``). This means secrets 
that have a team label
+are not eligible in the non-team case, even if their connection or variable 
identifier matches.
+As a result, team-scoped identifiers cannot be accessed without a team context.
+
+For example, with ``team_label="airflow.apache.org/team"``, 
``team_name="team_a"``, and
+``conn_id="my_db"``, the backend queries:
+
+* Team-scoped: 
``airflow.apache.org/connection-id=my_db,airflow.apache.org/team=team_a``
+* Global fallback: 
``airflow.apache.org/connection-id=my_db,!airflow.apache.org/team``
+
+If ``team_name`` is unset for the same ``conn_id``, the backend queries only:
+
+* Global only: 
``airflow.apache.org/connection-id=my_db,!airflow.apache.org/team``
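
Review bot: the custom-label paragraph ("If you use a custom team label instead, configure it in ``backend_kwargs`` and apply the same label to your Kubernetes secrets") leaves out the failure mode when the label key on a secret does not match the configured ``team_label``. By the selectors listed further down, such a secret satisfies ``!team_label``, so it is served as a global secret to every team through the fallback and to lookups with no team context. Suggest one sentence stating this next to the custom-label paragraph, and a ``kubectl`` example that creates a secret carrying both the identifier label and the team label, matching the ``kubectl`` examples in the context lines above this section.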

Review Comment:
   Makes sense. I removed that extra section.


