Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication renewal #393

Open
1 task
cben opened this issue Feb 16, 2019 · 4 comments
Open
1 task

Authentication renewal #393

cben opened this issue Feb 16, 2019 · 4 comments
Labels
enhancement

Comments

@cben
Copy link
Collaborator

cben commented Feb 16, 2019
edited
Loading

Some credentials have short shelf life. GCP auth is good for about a hour, I think(?). exec results may return expiration time, or may simply return error at some point.

Since one might have passed around a Kubeclient::Client object to many places,
it would be desirable to be able to renew auth - manually or automatically - without creating a new Client.

  • TODO: study other libraries, notably the Go client.
This was referenced Feb 24, 2019
Merged
Closed
Closed
Merged
@cben
Copy link
Collaborator Author

cben commented Feb 27, 2019
edited
Loading

1. Mutable Client or external mutable object holding credentials?

Would a first step of making Client mutable, at least for auth_options, be helpful?
No. Presently you need separate Client object per API group, but you want to renew credentials only once. Having to keep track of each Client and patching them all would negate the gains.

Additionally, at least with some OIDC servers, refresh tokens are single-use (#409 (comment)), which is inherently messy across processes, but at least in one process, it's important to centralize renewal.

  • Conclusion: we want a new object responsible for auth (not giving it a name yet).
    Many Client objects will be able to point to a single auth object.
  • Conclusion: we want Client to ask the auth object for credentials before every API request.

@cben
Copy link
Collaborator Author

cben commented Feb 27, 2019
edited
Loading

2. Will the current way users construct Client by passing in auth_options: config.context.auth_options etc. need to change?

Probably. We might be able to smuggle an auth object instead of passive data under a new key in auth_options, but not sure I want that.

Anyway, this will be a huge enough win to warrant an API change, I'm not worried about this for now 🙈

  • BTW, credentials are not all in auth_options! Client certs currently go in ssl_options.client_cert, ssl_options.client_key. Not a big problem, just a point to keep in mind.

cben added a commit to cben/kubeclient that referenced this issue Mar 1, 2019
@cben
Don't promise that Config#context is what acts on exec:/auth-provider:
a1a8366 
Retracts promise made in 0cbf5db

Motivation:
I want to let Config and Config::Context expose the underlying data,
because why not.  Ideally for that, Config#context would become a
passive function, moving the work to Config::Context#auth_options (?)

There are open questions about this, and probably should figure out a
plan around auth renewal (ManageIQ#393) first.   Anyway, don't want my hands tied.
@cben cben mentioned this issue Mar 1, 2019
Merged
@cben cben mentioned this issue Apr 2, 2019
Merged
@jeremywadsack jeremywadsack mentioned this issue Apr 9, 2019
Closed
This was referenced Apr 22, 2019
Open
Closed
@cben cben mentioned this issue Jul 9, 2019
Closed
@cben
Copy link
Collaborator Author

cben commented Aug 7, 2019

Kubernetes plans to change service account tokens to short-lived: kubernetes/kubernetes#70679
This even simple in-cluster config will require on-the fly auth updates.

This was referenced Aug 7, 2019
Open
Open
@cben cben mentioned this issue Jul 31, 2020
Closed
@cben cben mentioned this issue Feb 28, 2021
Merged
@cben cben mentioned this issue Dec 14, 2021
Closed
@cben
Copy link
Collaborator Author

cben commented Feb 13, 2022

For BoundServiceAccountTokenVolume, reloading from file implemented in #532 (currently on every request! feedback wanted whether that needs optimizing).

@hmcguire-shopify hmcguire-shopify mentioned this issue Feb 28, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cben