oidc client auth provider: cache OpenID Connect clients to prevent reinitialization

[ericchiang]

Prior to this change, the OIDC client auth provider synced the OIDC provider metadata with every transport initialization. When used with kubectl, the provider can be reinitialize dozens of times, each triggering a round trip to the OIDC auth server. The overhead makes this feature largely unusable, adding several seconds to every kubectl invocation, and we observe many users simply abandoning it for other workarounds.

This fix prevents the excessive round trips by keeping a global cache of clients similarly to the TLS transport logic in client-go at the result of a significant speedup. The caching also fixes data races when a token is refreshed.

closes #37876

cc @kubernetes/sig-auth @liggitt @jsloyer @mlbiam @philips

Caching added to the OIDC client auth plugin to fix races and reduce the time kubectl commands using this plugin take by several seconds.

[k8s-reviewable]

This change is 

[philips]

Manually tested and I can happily confirm it reduces the number of GET requests to the openid-configuration URL from 60+ to 1:

$ kubectl get pods  -v=9 2>&1 | grep well-known
I1205 20:14:38.118650    7143 round_trippers.go:393] curl -k -v -XGET  https://tec.a.ifup.org:32000/identity/.well-known/openid-configuration
I1205 20:14:38.311009    7143 round_trippers.go:412] GET https://tec.a.ifup.org:32000/identity/.well-known/openid-configuration 200 OK in 192 milliseconds

[jsloyer]

@philips. I have seen some requests taking 15 seconds with an OIDC provider, what did you observe an API call through kubectl taking with this change?

[philips]

@jsloyer kubectl get pods returns in 0.5s. Cluster: AWS us-west-1 accessed from residential Comcast running Tectonic and Dex v2 on cluster backed by TPRs.

$ time kubectl get pods
NAME                            READY     STATUS    RESTARTS   AGE
etcd-operator-217127005-1pi7l   1/1       Running   0          2d

real	0m0.503s
user	0m0.091s
sys	0m0.020s

[jsloyer]

This is amazing, this is a huge speed up. I built and tested a kubectl client with this change

[liggitt]

cache = &clientCache{cache: make(map[cacheKey]*oidc.Client)}

[liggitt]

return early and unnest?

if ok {
  return client, nil
}

[ericchiang]

There's just enough logic after the if statement to make that annoying. Let me see if I can split it out to a helper or something.

[liggitt]

still have the potential to construct this multiple times if newOIDCAuthProvider is called from multiple threads... are we ok with that?

[ericchiang]

I actually don't think we are. restclient.AuthProviderConfigPersister is kinda a harry abstraction for multiple calls to the underlying transport writing to kubeconfig. I think multiple clients running around might make it worse. We might even consider syncing around using that interface, e.g. put a mutex on the client itself. gah

[liggitt]

a few nits, LGTM otherwise. tests would be good.

[ericchiang]

Quick update on this PR. I've been diving a bit more into the implementation and it seems like there are some bigger issues here. For example the client doesn't sync around requesting refresh tokens and updating the kubeconfig. If it's used concurrently there's a very basic race there. Also the returned transport seems to be doing retries[0], which makes some bold assumptions about the server not consuming POST body data, and means we're not closing response bodies.

Trying to clean this stuff up along with this change.

cc @liggitt

[0]

kubernetes/plugin/pkg/client/auth/oidc/oidc.go

Line 176 in 407d8b7

wait.ExponentialBackoff(backoff, func() (bool, error) {

[ericchiang]

@liggitt updated though this became a bit bigger of a PR.

Highlights:

• Cache OpenID Connect clients to prevent reinitialization
• Don't retry requests in the http.RoundTripper.
  • Don't rely on the server not reading POST bodies.
  • Don't leak response body FDs.
  • Formerly ignored any throttling requests by the server.
• Determine if the id token's expired by inspecting it.
  • Similar to logic in golang.org/x/oauth2
• Synchronize around refreshing tokens and persisting the new config.

Since we already checked the id token's expiry these changes actually don't enforce anything we haven't already. It's completely backward compatible but uses more sane methods for determining token validity and persisting the config.

For what it's worth I manually e2e tested this using dex.

[ericchiang]

@k8s-bot bazel test this

[k8s-ci-robot]

Jenkins GCI GKE smoke e2e failed for commit 380c5e8ed062707fa97896e4bdada124a126b24b. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[ericchiang]

@k8s-bot verify test this

[ericchiang]

cc @yifan-gu

[k8s-ci-robot]

Jenkins verification failed for commit c3edd4a. Full PR test history.

The magic incantation to run this job again is @k8s-bot verify test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[yifan-gu]

@ericchiang Just some nits, LGTM

[yifan-gu]

@ericchiang why we need to deepcopy header here?
https://play.golang.org/p/rxM2ogR1GS

[ericchiang]

To comply with the RoundTripper interface

RoundTrip should not modify the request...

https://golang.org/pkg/net/http/#RoundTripper

If we don't copy deepcopy the header then we're adding a bearer toke to the original header, modifying the original request.

[ericchiang]

Same logic as the oauth2 package https://github.com/golang/oauth2/blob/314dd2c0bf3ebd592ec0d20847d27e79d0dbe8dd/transport.go#L94-L106

[yifan-gu]

@ericchiang Gotcha.

[yifan-gu]

why we want to return the old client?
if we want to use the old client when it's there we can always do getClient() first.

In fact, the newOIDCAuthProvider() function below, the setClient() is always returning the latest client.

[ericchiang]

If both routine A and B try to initialize at the same time, and A success and puts it in the cache, we want B to use A's client rather than the one it managed to create. We have the cache to always return the same client for each provider so it can guard the kubeconfig with the same mutex.

[ericchiang]

Let me add a comment.

[yifan-gu]

@ericchiang I see, it's a testAndSet operation, maybe rename the func, or leave it as is with some comments, ok with either. Thanks 👍

[ericchiang]

cc @kubernetes/sig-auth-misc anyone else interested in reviewing this? Without this kubectl is relatively unusable with this auth plugin if you're not sitting next to your cluster :)

[liggitt]

persisting

[liggitt]

should this just be newCfg[cfgIDToken] = tokens.IDToken?

[liggitt]

just a couple small things, LGTM

[k8s-ci-robot]

Jenkins GCE etcd3 e2e failed for commit 13e6318. Full PR test history.

The magic incantation to run this job again is @k8s-bot gce etcd3 e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[ericchiang]

@k8s-bot bazel test this

[ericchiang]

@k8s-bot bazel test this

[k8s-ci-robot]

Jenkins Bazel Build failed for commit 13e6318. Full PR test history.

The magic incantation to run this job again is @k8s-bot bazel test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[philips]

@k8s-bot bazel test this

Filed an issue about the empty result kubernetes/test-infra#1465

[philips]

@k8s-bot etcd3 test this

[philips]

OK, tests finally went green. LGTM at this point but I am not an owner.

[liggitt]

LGTM

[ericchiang]

Anyone know how to retrigger the kops build?

[ericchiang]

@k8s-bot kops test this

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 39648, 38167, 39591, 39415, 39612)

[k8s-cherrypick-bot]

Commit found in the "release-1.5" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.