fix(follower): do not cache authentication tokens #326

Merged

Member

@alacuku alacuku commented Sep 21, 2023

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind flaky-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area library

/area cli

/area tests

/area examples

What this PR does / why we need it:

Token caching in the client

Avoid caching authentication tokens in the client since they can expire. In those cases the client cannot invalidate the expired token, hence it will not have permission to access the resources.
Each time the client will acquire a new token based on its configuration. Remember that this change does not affect the underlying credential helper's cache.

CredentialFuncs caching for repositories

When we create the http client for a given repository the code checks if it is somehow configured. It caches a function called credentialFunction. This function knows how to retrieve the credentials for a given repository. For unconfigured repositories, or repositories that fail to get valid credentials using their credentialFunction, we cache an emptyCredential function. This causes trouble in case of transient errors causing the client to not recover. This commit avoids caching the emptyCredential function in such cases or for unconfigured repositories.

Remember that the caching of credentialFunctions prevents falcoctl in follow mode from picking up new configurations for repositories that at startup time had a working configuration.

Which issue(s) this PR fixes:

Fixes #325

Special notes for your reviewer:

Avoid caching authentication tokens in the client since they can expire.
In those cases the client cannot invalidate the expired token,
hence it will not have permission to access the resources.

Each time the client will acquire a new token based on its configuration.
Remember that this change does not affect the underlying credential helper's cache.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
Member Author

alacuku commented Sep 21, 2023

/hold

@alacuku alacuku force-pushed the kcl/disable-client-cache-in-follow-mode branch 2 times, most recently from 1025bfc to 7af0093 Compare September 21, 2023 10:11
When we create the http client for a given repository the code checks if it is somehow configured.
It caches a function called `credentialFunction`. This function knows how to retrieve the
credentials for a given repository. For unconfigured repositories, or repositories that fail to
get valid credentials using their `credentialFunction`, we cache an `emptyCredential function`.
This causes trouble in case of transient errors causing the client to not recover.
This commit avoids caching the `emptyCredential function` in such cases or for unconfigured repositories.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
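
The fallback-caching problem this commit message describes, as an added Go example that is not part of the PR or of falcoctl's code. `Resolver`, `Credential`, `CredentialFunc`, `EmptyCredential` and the `registry.example` host are hypothetical names; the sketch caches a credential source only after it has returned credentials, so a transient failure is retried on the next call.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for this example; they are not falcoctl's API.
type Credential struct{ Username, Password string }
type CredentialFunc func(registry string) (Credential, error)

var EmptyCredential = Credential{} // anonymous access

// Resolver remembers, per registry, the source that last produced credentials.
type Resolver struct {
	sources []CredentialFunc
	cache   map[string]CredentialFunc
}

func NewResolver(sources ...CredentialFunc) *Resolver {
	return &Resolver{sources: sources, cache: map[string]CredentialFunc{}}
}

func (r *Resolver) IsCached(registry string) bool { _, ok := r.cache[registry]; return ok }

// Resolve asks the cached source first, then every configured source.
func (r *Resolver) Resolve(registry string) Credential {
	candidates := r.sources
	if fn, ok := r.cache[registry]; ok {
		candidates = append([]CredentialFunc{fn}, r.sources...)
	}
	for _, fn := range candidates {
		if c, err := fn(registry); err == nil && c != EmptyCredential {
			r.cache[registry] = fn // cache only a source that worked
			return c
		}
	}
	// Anonymous fallback for this call only: caching it would pin the registry to it.
	return EmptyCredential
}

func main() {
	calls := 0
	flaky := func(string) (Credential, error) { // constructed source: first call fails
		if calls++; calls == 1 {
			return EmptyCredential, errors.New("transient error")
		}
		return Credential{Username: "user", Password: "constructed-token"}, nil
	}
	r := NewResolver(flaky)
	fmt.Println(r.Resolve("registry.example") == EmptyCredential, r.IsCached("registry.example"))
	fmt.Println(r.Resolve("registry.example").Username, r.IsCached("registry.example"))
}
```
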
@alacuku alacuku force-pushed the kcl/disable-client-cache-in-follow-mode branch from 7af0093 to 97c73ef Compare September 21, 2023 10:16
Member Author

alacuku commented Sep 21, 2023

/unhold

@FedeDP ready for review.

Contributor

@FedeDP FedeDP left a comment

/approve

Contributor

poiana commented Sep 21, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alacuku, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

poiana commented Sep 21, 2023

LGTM label has been added.

Git tree hash: 5a2a22bc70296bbbdbc2dab7cfbe6a7d57a02d63

@poiana poiana merged commit 9fa598a into falcosecurity:main Sep 21, 2023
14 checks passed
@alacuku alacuku deleted the kcl/disable-client-cache-in-follow-mode branch November 3, 2023 09:11
Successfully merging this pull request may close these issues.

[falcoctl artifact follow]: can't handle or refresh ECR token after initial artifact pull
3 participants