Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

periodically reload tokens read from TokenFile in kubeconfig #70606

Merged
merged 1 commit into from Nov 6, 2018
Merged

periodically reload tokens read from TokenFile in kubeconfig #70606

merged 1 commit into from Nov 6, 2018

Conversation

mikedanese
Copy link
Member

Like we do with InClusterConfig.

/kind cleanup
/sig auth

Go clients created from a kubeconfig that specifies a TokenFile now periodically reload the token from the specified file.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 3, 2018
@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 3, 2018
@mikedanese mikedanese added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Nov 3, 2018
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Nov 3, 2018
awly
awly reviewed Nov 5, 2018
View reviewed changes
Copy link
Contributor

@awly awly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one nit

staging/src/k8s.io/client-go/tools/clientcmd/client_config.go Outdated Show resolved Hide resolved
@mikedanese
Copy link
Member Author

@awly Fixed, PTAL.

@awly
Copy link
Contributor

awly commented Nov 5, 2018

/lgtm
/retest

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 5, 2018
@mikedanese
Copy link
Member Author

/assign @liggitt

@liggitt
Copy link
Member

liggitt commented Nov 5, 2018

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mikedanese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 5, 2018
@mikedanese
Copy link
Member Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit 710bfb4 into kubernetes:master Nov 6, 2018
@mikedanese mikedanese deleted the tfreload branch November 6, 2018 05:15
@roycaihw
Copy link
Member

roycaihw commented Nov 8, 2018

cc @roycaihw @mbohlool @yliaog

smarterclayton
smarterclayton reviewed Dec 4, 2018
View reviewed changes
staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
@@ -229,11 +229,11 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
if len(configAuthInfo.Token) > 0 {
mergedConfig.BearerToken = configAuthInfo.Token
} else if len(configAuthInfo.TokenFile) > 0 {
tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
if err != nil {
ts := restclient.NewCachedFileTokenSource(configAuthInfo.TokenFile)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This broke clients that depend on these methods. We shouldn't have broken this without providing an alternate path.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Clayton here, BearerToken was never deprecated and we don't provide alternative, yet suddenly it's empty. We should deprecate this field and provide users with explanation what they should be using instead.

Copy link
Member

@liggitt liggitt Dec 4, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the BearerToken field is not deprecated, setting a BearerToken in the config struct is still valid (if kubeconfig contains a bearer token, the resulting config also contains a bearer token)

The transformation of TokenFile -> bearer token (and what InClusterConfig returns) is what is in question.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The transformation of TokenFile -> bearer token (and what InClusterConfig returns) is what is in question.

Yes, sorry for my short-circuited answer :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm looking into plumbing both BearerToken and TokenFile out to the config and moving the refresh behavior into the round tripper constructed from the config

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

opened #71713

@rfranzke rfranzke mentioned this pull request Sep 14, 2021
Closed
35 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soltysh soltysh soltysh left review comments

@liggitt liggitt liggitt left review comments

@awly awly awly left review comments

@smarterclayton smarterclayton smarterclayton left review comments

@deads2k deads2k Awaiting requested review from deads2k

@sttts sttts Awaiting requested review from sttts

Assignees

@liggitt liggitt

@awly awly

@cjcullen cjcullen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@mikedanese @awly @liggitt @k8s-ci-robot @roycaihw @soltysh @smarterclayton @cjcullen