fabric8io / kubernetes-client

Java client for Kubernetes & OpenShift

Home Page: http://fabric8.io


OpenId token not refreshed if the config is in-memory

ttbadr opened this issue · comments

commented

As the title says, if we use an in-memory config, the token is not refreshed.
I found the method below; it only saves the new token when the config is a file.

@ttbadr : Could you please provide more details? How are OpenID parameters being provided to KubernetesClient (like refresh_token, OpenID identity provider URL, etc)?

commented

@rohanKanojia I think the root cause is here.
The method persistKubeConfigWithUpdatedAuthInfo is called when the refresh token request succeeds, and it persists the new token to the config.
But you can see that if the config is not a file it returns; if the config is a file it saves the new token to the kubeconfig.
So if the config is in-memory, the new token will be ignored, and the next client request will use the old token and fail.
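
The behaviour described in the comment above, as an added example that is not part of the original thread and not the project's code. It is a simplified model: the `Config` class, `tokenForNextRequest`, `persistFileOnly`, `persistAlways` and the token strings are all hypothetical, and `persistAlways` is one possible way to close the gap, not the change made in #5888.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Simplified model (Java 11+); none of these types are the client's real classes.
public class TokenRefreshModel {
    static class Config {
        final Path file;   // kubeconfig path, or null for an in-memory config
        String idToken;    // token held by the live config object
        Config(Path file, String idToken) { this.file = file; this.idToken = idToken; }
    }

    // Token the next API request would carry in this model.
    static String tokenForNextRequest(Config c) throws IOException {
        return c.file != null ? Files.readString(c.file).trim() : c.idToken;
    }

    // Behaviour described in the thread: save only when a file backs the config.
    static void persistFileOnly(Config c, String refreshed) throws IOException {
        if (c.file == null) {
            return; // in-memory config: the refreshed token is dropped here
        }
        Files.writeString(c.file, refreshed);
    }

    // Hypothetical alternative: always update the live config, then the file if any.
    static void persistAlways(Config c, String refreshed) throws IOException {
        c.idToken = refreshed;
        if (c.file != null) {
            Files.writeString(c.file, refreshed);
        }
    }

    public static void main(String[] args) throws IOException {
        Path kubeconfig = Files.createTempFile("kubeconfig-model", ".txt");
        Files.writeString(kubeconfig, "expired-token"); // constructed sample value
        Config fileBacked = new Config(kubeconfig, "expired-token");
        Config inMemory = new Config(null, "expired-token");

        persistFileOnly(fileBacked, "fresh-token");
        persistFileOnly(inMemory, "fresh-token");
        System.out.println("file-backed, file-only persist: " + tokenForNextRequest(fileBacked));
        System.out.println("in-memory,   file-only persist: " + tokenForNextRequest(inMemory));

        persistAlways(inMemory, "fresh-token");
        System.out.println("in-memory,   always persist:    " + tokenForNextRequest(inMemory));
        Files.deleteIfExists(kubeconfig);
    }
}
```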

@ttbadr : May I know which cluster you're using? It might be difficult for us to reproduce this. Is it possible for you to create a pull request to fix this?

commented

@rohanKanojia I use k8s. I created a pull request to fix it, #5888. Can you help review it? Thanks.

@ttbadr : Thanks a lot! Could you please add a test case to validate your fix? Also, could you please provide more details about your setup? I'm wondering from which source KubernetesClient is fetching the refresh token for performing the refresh; it will help us out in doing the review.

commented

@rohanKanojia OK, I can add some test cases. Sorry, I can't provide the source; it's an internal k8s cluster.

@ttbadr : I'm not asking for your cluster details. I'm requesting you to elaborate more on your problem. How is Config loaded by KubernetesClient? Is it via some local .kubeconfig file or via ConfigBuilder?

commented

@rohanKanojia I build the Kubeclient via ConfigBuilder; the code is like below:

Config config = new ConfigBuilder().withAutoConfigure(false)
        .withNamespace(namespace)
        .withMasterUrl(url)
        .withAutoOAuthToken(token)
        .withCaCertData(base64CaData)
        .withAuthProvider(new AuthProviderConfigBuilder()
                .withName(providerName)
                .withConfig(configMap)
                .build()).build();
new KubernetesClientBuilder().withConfig(config).build();

BTW, I can't find the ConfigBuilder class in the source. Is it generated by some Maven task?

After working on the refactor of the OpenIDConnectionUtils, I'm noticing that these changes might actually create a regression for #4802, which was fixed by #4951.

Please, @Vlatombe, could you review #5888 and verify it won't cause a regression for your use cases?