-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(input.prometheus): read bearer token from file every time #14191
Conversation
Thanks so much for the pull request! |
@ganga1980 thanks for the PR, can you sign the CLA and let me know when you do? Thanks again |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
Download PR build artifacts for linux_amd64.tar.gz, darwin_amd64.tar.gz, and windows_amd64.zip. 📦 Click here to get additional PR build artifactsArtifact URLs |
@powersj - Thanks for approving this. I have validated and change works. can you please help on merging this PR? do you know when will be next telegraf release will be? |
@powersj , thank you. can you please help on merging this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the fix @ganga1980!
(cherry picked from commit 920a49c)
The current implementation uses the config.BearerToken which is being read from the service account token file as part of the initialization. This service account token becomes invalid, if the service account configured with time bound token after the specified expiry interval or service account signing key being rotated by either Kubernetes platform providers (such as AKS ) or the customer initiated signing key rotation in case of the Workload identity enabled clusters.
Fix is to read the bearer token from service account token file every time and instead of reading once at the initialization.
Fixes #14188