fix(backend): resolve use_secret_as_env pipeline params in ParallelFor#13128
Merged
mprahl merged 6 commits intokubeflow:masterfrom Apr 3, 2026
Merged
fix(backend): resolve use_secret_as_env pipeline params in ParallelFor#13128mprahl merged 6 commits intokubeflow:masterfrom
mprahl merged 6 commits intokubeflow:masterfrom
Conversation
google-oss-prow
Bot
requested review from
droctothorpe,
gmfrasca,
hbelmiro and
zazulam
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes KFP v2 compilation/runtime gaps where Kubernetes platform-config inputs (e.g., use_secret_as_env(secret_name=<pipeline param>)) failed to resolve across sub-DAG boundaries such as dsl.ParallelFor, by (1) surfacing and propagating platform-config-only channels and (2) rewriting platform-config input references to the surfaced pipelinechannel--* inputs. Also hardens the SDK API for channel registration and adjusts driver behavior for DAG condition files.
Changes:
- Compiler: rewrite platform-config references (
componentInputParameter,taskOutputParameter) to surfacedpipelinechannel--*names when compiling sub-DAGs (including exit-handler path). - Kubernetes extension: ensure platform-config-only channels are registered so they propagate across sub-DAG boundaries; add a public SDK helper
PipelineTask.register_pipeline_channels(...)and unit coverage. - Backend driver: write
"nil"condition for DAG driver type and add regression test; add/update goldens and regression pipelines.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| test_data/sdk_compiled_pipelines/valid/pipeline_with_parallelfor_pipeline_param.yaml | New compiled-pipeline golden covering pipeline param + outer output inside ParallelFor. |
| test_data/sdk_compiled_pipelines/valid/pipeline_with_parallelfor_pipeline_param.py | New source pipeline to generate/validate the above golden. |
| test_data/sdk_compiled_pipelines/valid/critical/parallel_for_secret.yaml | New compiled-pipeline golden for the reported secret-in-ParallelFor regression. |
| test_data/sdk_compiled_pipelines/valid/critical/parallel_for_secret.py | New critical regression pipeline reproducing the secret-name pipeline param scenario. |
| test_data/sdk_compiled_pipelines/valid/critical/nested_parallel_for_secret.yaml | New golden for cross-DAG task output used as secret name in ParallelFor. |
| test_data/sdk_compiled_pipelines/valid/critical/nested_parallel_for_secret.py | New critical regression pipeline for cross-DAG taskOutputParameter rewriting. |
| test_data/compiled-workflows/pipeline_with_parallelfor_pipeline_param.yaml | New Argo workflow golden for parallel-for pipeline param propagation. |
| test_data/compiled-workflows/parallel_for_secret.yaml | New Argo workflow golden for secret-name pipeline param in ParallelFor. |
| test_data/compiled-workflows/nested_parallel_for_secret.yaml | New Argo workflow golden for cross-DAG output secret-name case. |
| sdk/python/test/local_execution/local_execution_test.py | Adds local execution coverage for the new ParallelFor pipeline-param scenario. |
| sdk/python/kfp/dsl/pipeline_task_test.py | Adds unit test for deduplicating channel registration via the new public helper. |
| sdk/python/kfp/dsl/pipeline_task.py | Introduces register_pipeline_channels(...) and reuses it to dedupe channels in existing paths. |
| sdk/python/kfp/compiler/pipeline_spec_builder_test.py | Adds end-to-end + unit tests for platform-config rewrite behavior across sub-DAG boundaries. |
| sdk/python/kfp/compiler/pipeline_spec_builder.py | Implements platform-config reference rewriting and wires it into DAG + exit-handler compilation. |
| kubernetes_platform/python/test/unit/test_secret.py | Adds unit tests asserting platform-config-only channels get registered for propagation. |
| kubernetes_platform/python/kfp/kubernetes/volume.py | Ensures PVC mount channel inputs propagate across sub-DAG boundaries. |
| kubernetes_platform/python/kfp/kubernetes/common.py | Registers pipeline channels referenced via Kubernetes platform config inputs. |
| backend/src/v2/cmd/driver/main_test.go | Adds regression test validating DAG driver writes a "nil" condition file. |
| backend/src/v2/cmd/driver/main.go | Writes "nil" condition for DAG driver type (in addition to ROOT_DAG/CONTAINER). |
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
13a7f65 to
b9b36a0
Compare
2 tasks
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
b9b36a0 to
22bfa6d
Compare
5 tasks
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
22bfa6d to
3d1c0b6
Compare
Contributor
|
/retest |
1 similar comment
Contributor
|
/retest |
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
3d1c0b6 to
4ecbec2
Compare
mprahl
reviewed
Mar 26, 2026
mprahl
reviewed
Mar 26, 2026
mprahl
reviewed
Mar 26, 2026
mprahl
reviewed
Mar 26, 2026
mprahl
reviewed
Mar 26, 2026
mprahl
reviewed
Mar 26, 2026
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
4ecbec2 to
4994530
Compare
Collaborator
|
@nsingla could you fix the CI failure? |
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
4994530 to
224ffcf
Compare
Collaborator
|
@nsingla could you fix the CI failure? |
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
3 times, most recently
from
ad183dc to
f8abf9b
Compare
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
11 times, most recently
from
de30159 to
06692de
Compare
jeffspahr
suggested changes
Apr 3, 2026
Contributor
jeffspahr
left a comment
jeffspahr
left a comment
There was a problem hiding this comment.
Two deterministic regressions remain after the parallel_and_nested/ fixture split.
I left the exact follow-up edits inline on the nearest changed hunks. GitHub does not expose the stale SDK golden paths or the stale Sanity fixture entry as diff lines in this PR, so those two spots cannot be attached as one-click suggestions even though the replacements are fully mechanical.
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
4 times, most recently
from
1a0b44d to
cfcb447
Compare
incresing the pipeline run wait time to 12min splitting parallel and nested pipelines fixing argo versions in api tests Signed-off-by: Nelesh Singla <117123879+nsingla@users.noreply.github.com>
nsingla
force-pushed
the
merge/13118-13122-best-of-both
branch
from
cfcb447 to
cde4d91
Compare
Contributor
|
/lgtm |
Contributor
|
/retest |
Collaborator
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mprahl The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix use_secret_as_env() (and related platform-config inputs) failing to resolve across sub-DAG boundaries (e.g., dsl.ParallelFor) by combining the broader fix from #13118 with API hardening from #13122.
What Changed
Compiler/platform-config rewrite
Kubernetes config channel propagation
Ensure platform-config-only channels are tracked so they propagate through sub-DAG boundaries.
Update:
Add PipelineTask.register_pipeline_channels(...) in sdk/python/kfp/dsl/pipeline_task.py.
Backend driver fix
Regression tests and goldens
Diff Size
19 files changed
+3161 / -19
Test Plan
Checklist: