feat: cache auth tokens in GenServer per connection #302
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JTarasovic
reviewed
Jan 23, 2024
Summary: - Start `K8s.Conn.Auth.ProviderSupervisor` - Start `K8s.Conn.Auth.ExecWorker` for kube context with auth exec configured. This respects expiration and will not give out known expired tokens. - Start `K8s.Conn.Auth.ServiceAccountWorker` for connections started with `K8s.Conn.from_service_account/2`. This periodically refreshes the token. - Add refresh timers with jitter on for all of those - Start `K8s.Conn.Auth.CertificateWorker` for kube context where given a .pem file. Some cloud providers are giving very short duration certs. Test Plan: - Added test for exec parsing - Added test for exec worker - Added test for service account - Added integration-ish test for service account worker refresh - Changed test for certificate to ensure genserver - Added test for certificate worker `mix test`
Summary: This adds on a registry and a standard name for many of the auth providers. It allows for shared workers when the paths are the same and for genserver to crash, get re-started and not have errors due to stale pids. Test Plan: Tests were updated
|
Hey @elliottneilclark, is this PR ready for review? |
mruoss
reviewed
Feb 1, 2024
|
@mruoss All the review comments are addressed. This should be good to go. |
|
very nice, thanks @elliottneilclark |
|
@mruoss Any chance of a released version? I would love to not point at git :-) |
|
ouff absolutely! Sorry about that! |
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When connecting to the kube api there are often authentication data that's needed for each request. The lifecycle of that authentication token data is important to stability and performance. This pull request will add on running processes that cache and refresh tokens and certificates.
Tokens can be generated via a process. Shelling out will return a ExecCredentialStatus. The ExecWorker added in this PR will cache that value (meaning that subsequent requests will not need to fork out many times). Additionally this PR will implement a refresh on a timer. That has the added benefit of making distributed systems much more reliable as we are able to retry a few times befor expiary, and we can add jitter.
Certificates in cloud envioriments can be ephemeral. They are not created and then kept forever. Often they have lifespans in the minutes. This PR will add on a CertificateWorker that caches the value from disk, and refresh it before the timeout.
Requirements for all pull requests
Additional requirements for new features