JJtheNOOB opened a new issue, #55460:
URL: https://github.com/apache/airflow/issues/55460

   ### Official Helm Chart version
   
   1.18.0 (latest released)
   
   ### Apache Airflow version
   
   2.9
   
   ### Kubernetes Version
   
   v1.32
   
   ### Helm Chart configuration
   
   ```
   env:
     - name: "AIRFLOW__SECRETS__BACKEND_KWARGS"
       value: |
         {
           "auth_type": "kubernetes",
           "kubernetes_role": "airflow-dev",
           "connections_path": "airflow/connections",
           "variables_path": "airflow/variables",
           "auth_mount_point": "xxxxx",
           "mount_point": "stage",
           "url": "xxxxx"
         }
   ```
   
   ### Docker Image customizations
   
   _No response_
   
   ### What happened
   
   _No response_
   
   ### What you think should happen instead
   
   Dear airflow community:
   
   Hello!
   
   I would like to raise attention that starting from vault 1.21+, we will need 
to set an audience for the k8s role for the secret backend. The warning message looks like 
this: `A role without an audience was used to authenticate into Vault. Vault 
v1.21+ will require roles to have an audience.`
   
   Below are our current airflow secret backend settings used in the 
`values.yaml` file:
   
   ```
   env:
     - name: "AIRFLOW__SECRETS__BACKEND_KWARGS"
       value: |
         {
           "auth_type": "kubernetes",
           "kubernetes_role": "airflow-dev",
           "connections_path": "airflow/connections",
           "variables_path": "airflow/variables",
           "auth_mount_point": "xxxxx",
           "mount_point": "stage",
           "url": "xxxxx"
         }
   ```
   
   This works currently, but we are seeing the above warning messages. Adding the 
"audience" parameter suppresses the warning; however, it also makes airflow no 
longer able to connect to the vault secret backend. Confirming we had done the proper 
setup on both the vault side and the k8s side. Either I am missing something or this 
feature was not yet released by airflow.
   
   I am looking forward to seeing if someone could add, test and release the 
audience parameter to ensure it will allow k8s roles to properly access the vault 
secret backend. Thank you!
   
   ### How to reproduce
   
   1. set up airflow helm chart 
   2. set up vault
   3. connect airflow with vault secret backend with the env variables provided
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
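
One thing to check when a role `audience` breaks login, shown as an added example that is not part of the issue or of Airflow's code: Vault's Kubernetes auth method compares the role's `audience` with the `aud` claim of the service-account JWT the pod presents. The helper names, the sample token and the simplified "audience must appear in `aud`" rule are assumptions made for illustration.

```python
import base64
import json
from typing import Optional


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        return json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a well-formed JWT") from exc


def audience_problem(token: str, role_audience: str) -> Optional[str]:
    """Return a description of the mismatch, or None if the token satisfies the role."""
    aud = jwt_claims(token).get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not role_audience:
        return "role has no audience set (the case the Vault warning is about)"
    if role_audience not in aud:
        return f"token aud {aud} does not contain role audience {role_audience!r}"
    return None


def _constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token; not a real credential."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"


# Constructed sample: the audience and service-account name are assumptions.
SAMPLE_TOKEN = _constructed_token({
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:airflow:airflow-worker",
})

if __name__ == "__main__":
    for role_aud in ("", "vault", "https://kubernetes.default.svc.cluster.local"):
        result = audience_problem(SAMPLE_TOKEN, role_aud) or "ok"
        print(repr(role_aud), "->", result)
```

Inside a pod, the token to inspect is the one mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; the role audience is whatever was configured on the Vault role.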
   

