Sanitize end of line character when loading token from a file #16406

Closed
mmenarguezpear opened this issue Jun 11, 2021 · 4 comments

@mmenarguezpear
Contributor

Apache Airflow version: 2.1.0

Kubernetes version (if you are using kubernetes) (use kubectl version):

Environment: Kubernetes with base image apache/airflow:2.1.0-python3.8

Cloud provider or hardware configuration: bare metal k8s in AWS EC2
OS (e.g. from /etc/os-release):

cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Install tools:
Others:
What happened:
While reading the Vault token through the token_path parameter injected by the Vault sidecar on an operator run to load connections, the process fails with the following stack trace due to the end-of-line \n character not being stripped correctly.

[2021-06-11 22:15:25,854] {taskinstance.py:1481} ERROR - Task failed with exception
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/models/taskinstance.py", line 1137, in _run_raw_task
    self._prepare_and_execute_task_with_callbacks(context, task)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/models/taskinstance.py", line 1311, in _prepare_and_execute_task_with_callbacks
    result = self._execute_task(context, task_copy)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/models/taskinstance.py", line 1341, in _execute_task
    result = task_copy.execute(context=context)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/operators/glue.py", line 106, in execute
    s3_hook.load_file(self.script_location, self.s3_bucket, self.s3_artifacts_prefix + script_name)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 62, in wrapper
    return func(*bound_args.args, **bound_args.kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 91, in wrapper
    return func(*bound_args.args, **bound_args.kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 499, in load_file
    if not replace and self.check_for_key(key, bucket_name):
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 62, in wrapper
    return func(*bound_args.args, **bound_args.kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 91, in wrapper
    return func(*bound_args.args, **bound_args.kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/s3.py", line 323, in check_for_key
    self.get_conn().head_object(Bucket=bucket_name, Key=key)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/base_aws.py", line 461, in get_conn
    return self.conn
  File "/usr/local/lib/python3.8/functools.py", line 967, in __get__
    val = self.func(instance)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/base_aws.py", line 443, in conn
    return self.get_client_type(self.client_type, region_name=self.region_name)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/base_aws.py", line 409, in get_client_type
    session, endpoint_url = self._get_credentials(region_name)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/amazon/aws/hooks/base_aws.py", line 372, in _get_credentials
    connection_object = self.get_connection(self.aws_conn_id)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/hooks/base.py", line 67, in get_connection
    conn = Connection.get_connection_from_secrets(conn_id)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/models/connection.py", line 376, in get_connection_from_secrets
    conn = secrets_backend.get_connection(conn_id=conn_id)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/secrets/base_secrets.py", line 64, in get_connection
    conn_uri = self.get_conn_uri(conn_id=conn_id)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/hashicorp/secrets/vault.py", line 195, in get_conn_uri
    response = self.vault_client.get_secret(secret_path=secret_path)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/hashicorp/_internal_client/vault_client.py", line 358, in get_secret
    response = self.client.secrets.kv.v2.read_secret_version(
  File "/usr/local/lib/python3.8/functools.py", line 967, in __get__
    val = self.func(instance)
  File "/home/airflow/.local/lib/python3.8/site-packages/airflow/providers/hashicorp/_internal_client/vault_client.py", line 227, in client
    if _client.is_authenticated():
  File "/home/airflow/.local/lib/python3.8/site-packages/hvac/v1/__init__.py", line 555, in is_authenticated
    self.lookup_token()
  File "/home/airflow/.local/lib/python3.8/site-packages/hvac/v1/__init__.py", line 383, in lookup_token
    return self._adapter.get(path, wrap_ttl=wrap_ttl)
  File "/home/airflow/.local/lib/python3.8/site-packages/hvac/adapters.py", line 97, in get
    return self.request('get', url, **kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/hvac/adapters.py", line 353, in request
    response = super(JSONAdapter, self).request(*args, **kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/hvac/adapters.py", line 298, in request
    response = self.session.request(
  File "/home/airflow/.local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/home/airflow/.local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/home/airflow/.local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "/home/airflow/.local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 392, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/local/lib/python3.8/http/client.py", line 1252, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.8/http/client.py", line 1293, in _send_request
    self.putheader(hdr, value)
  File "/usr/local/lib/python3.8/http/client.py", line 1230, in putheader
    raise ValueError('Invalid header value %r' % (values[i],))
ValueError: Invalid header value b's.REDACTED\n'

What you expected to happen: The Vault backend plugin should read the file and strip whitespace and end-of-line characters.

How to reproduce it:

Set up Vault injection, replace the service account with the one generated, then add Helm chart values (specific):

airflow:
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "your_role"
    vault.hashicorp.com/agent-inject-token: "true"
  config:
    AIRFLOW__SECRETS__BACKEND: airflow.providers.hashicorp.secrets.vault.VaultBackend
    AIRFLOW__SECRETS__BACKEND_KWARGS: '{"connections_path": "connections", "variables_path": "variables", "mount_point": "your-path", "url": "https://vault-url-here.com", "auth_type": "token", "token_path": "/vault/secrets/token"}'
serviceAccount:
  create: false
  name: "your-vault-service-account"

Anything else we need to know: resolving it is as easy as adding a .strip() here, so:

with open(self.token_path) as f:
    _client.token = f.read().strip()

@mmenarguezpear added the kind:bug label Jun 11, 2021
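
Added example (not code from the Airflow project or from this thread): it reproduces, without any network traffic, why `http.client` rejects the unstripped token as a header value, and shows a loader that strips the file content and fails closed if whitespace or control characters remain inside the token. The host `vault.invalid`, the sample token and the helper names are constructed for illustration.

```python
import http.client
import os
import tempfile


def header_accepts(value: str) -> bool:
    """Return True if http.client will accept `value` as a header value.

    putrequest()/putheader() only buffer bytes; no socket is opened.
    """
    conn = http.client.HTTPConnection("vault.invalid")  # placeholder, never contacted
    conn.putrequest("GET", "/v1/auth/token/lookup-self")
    try:
        conn.putheader("X-Vault-Token", value)
    except ValueError:  # "Invalid header value b'...\n'", as in the traceback
        return False
    return True


def load_token(path: str) -> str:
    """Read a token file, strip surrounding whitespace, refuse anything odd."""
    with open(path, encoding="utf-8") as f:
        token = f.read().strip()
    if not token:
        raise ValueError(f"token file {path} is empty")
    # After strip(), leftover whitespace or control characters mean the file
    # is not a single token. Fail closed, and never echo the token itself.
    if any(ch.isspace() or not ch.isprintable() for ch in token):
        raise ValueError(f"token file {path} has embedded whitespace or control characters")
    return token


def write_sample(content: str) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    raw = "s.EXAMPLETOKEN\n"  # constructed sample: token plus trailing newline
    path = write_sample(raw)
    print("raw accepted as header:     ", header_accepts(raw))
    print("stripped accepted as header:", header_accepts(load_token(path)))
    os.unlink(path)
```

The newline check in `http.client` is a guard against header injection, so the fix belongs in the code that reads the file, not in relaxing the HTTP layer.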
@boring-cyborg

boring-cyborg bot commented Jun 11, 2021

Thanks for opening your first issue here! Be sure to follow the issue template!

@mik-laj
Member

mik-laj commented Jun 11, 2021

Are you willing to submit a PR?

@mmenarguezpear
Contributor Author

I have just submitted #16407

mmenarguezpear added a commit to mmenarguezpear/airflow that referenced this issue Jun 11, 2021
@eladkal
Contributor

eladkal commented Jun 13, 2021

fixed by #16407

@eladkal eladkal closed this as completed Jun 13, 2021
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Mar 10, 2022
… (#16407)

This commit addresses apache/airflow#16406

GitOrigin-RevId: 70cfe0135373d1f0400e7d9b275ebb017429794b