Skip to content

Commit

Permalink
reevaluate clusters every 30s, no matter when they expire
Browse files Browse the repository at this point in the history
  • Loading branch information
ewilken committed Jan 8, 2024
1 parent 4e3a777 commit a0ab61d
Show file tree
Hide file tree
Showing 2 changed files with 1 addition and 12 deletions.
9 changes: 0 additions & 9 deletions Nautik Helper/AppState.swift
Original file line number Diff line number Diff line change
Expand Up @@ -106,15 +106,6 @@ class AppState {
}

for cluster in clusters {
// If the cluster has an evaluation expiration, re-evaluate it 7 minutes before the expiration.
if let credentialsExpireAt = cluster.credentialsExpireAt, credentialsExpireAt > (Date.now + 60 * 7) {
continue
}
// If it doesn't, re-evaluate it every 15 minutes.
if cluster.credentialsExpireAt == nil && Date.now < (cluster.lastEvaluation + 60 * 15) {
continue
}

// Refresh cluster info, auth info & namespace from the file and re-evaluate auth.
if case let .ok(watchResult) = await self.kubeConfigs.first(where: { $0.path == cluster.kubeConfigPath }),
let watchedCluster = watchResult.clusters.first(where: { $0.context.name == cluster.kubeConfigContextName }) {
Expand Down
4 changes: 1 addition & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,12 @@ The helper app allows you to add kubeconfig files to keep track of via a file pi

<img width="385" alt="The Nautik Helper app's main window, showing two Kubernetes clusters under management." src="https://github.com/nautik-io/helper/assets/19625431/550627e2-e380-4789-af89-a56f1f09e2cc">

Clusters on the keychain are continuously evaluated by the helper app. For clusters with exec plugins, the re-evaluation is done 7 minutes before the temporary credentials generated by the exec plugin expire. Other clusters are re-evaluated every 15 minutes. If a cluster's corresponding kubeconfig entry includes `client-certificate`, `client-key` or `token-file` keys, the file contents of the corresponding files are copied into the `client-certificate-data`, `client-key-data` and `token` fields of the stored cluster to have them be consumed by the main app on macOS, iOS or iPadOS. If a cluster's corresponding kubeconfig entry includes an `exec` value, the helper app spawns a process as the user running the helper app, executing the corresponding exec-based authentication plugin and copying its output into the `client-certificate-data`, `client-key-data` and `token` fields of the stored cluster to have them be consumed by the main app.
Clusters on the keychain are reevaluated by the helper app every 30 seconds. If a cluster's corresponding kubeconfig entry includes `client-certificate`, `client-key` or `token-file` keys, the file contents of the corresponding files are copied into the `client-certificate-data`, `client-key-data` and `token` fields of the stored cluster to have them be consumed by the main app on macOS, iOS or iPadOS. If a cluster's corresponding kubeconfig entry includes an `exec` value, the helper app spawns a process as the user running the helper app, executing the corresponding exec-based authentication plugin and copying its output into the `client-certificate-data`, `client-key-data` and `token` fields of the stored cluster to have them be consumed by the main app.

<img width="472" alt="The Nautik Helper app's cluster settings window, showing two kubeconfig files with one Kubernetes cluster inside of each." src="https://github.com/nautik-io/helper/assets/19625431/698b8691-5eb1-4b4c-b86b-8bc36da28e43">

Support for the `auth-provider` field on the kubeconfig is currently unimplemented. But support for the `oidc` auth provider is planned to be included on the main app at a later point. Contributions to the helper app extending the range of supported auth methods are very welcome.

The helper app evaluates the refresh timestamps on stored clusters every 30 seconds, refreshes the properties of static cluster credentials every 15 minutes and re-evaluates dynamic `exec` plugin outputs 7 minutes before they expire.

To allow to be run on multiple Macs and user accounts in parallel without interference, the helper app stores the device UUID and user of the system it was added on with the cluster.

## Installation
Expand Down

0 comments on commit a0ab61d

Please sign in to comment.