gcp client auth plugin: persist default cache on unauthorized #66314
LGTM
But I'd like to defer the final call to @cjcullen
@@ -247,6 +253,18 @@ func (t *cachedTokenSource) update(tok *oauth2.Token) map[string]string { | |||
return ret | |||
} | |||
|
|||
func (t *cachedTokenSource) baseCache() map[string]string { |
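Review bot: baseCache() on the last line of this hunk is added without a doc comment, and its map[string]string return type does not say whether the caller gets a copy. Add a comment stating that it holds the configured values without cached ephemeral tokens, and return a fresh map so that persisting or editing the result cannot change the token source's own state.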
Can you add a comment like:
// baseCache is the base configuration value for this TokenSource, without any cached ephemeral tokens.
Done.
14c8f1d to d2a8dbb
/lgtm
The default cache for a cachedTokenSource is not always empty. In the case of commandTokenSource, it contains calling details for the external command that is used to generate refresh tokens. Persisting a completely empty cache will thus break the ability of the plugin to obtain refresh tokens. This changes the roundtripper to persist the default cache instead of assuming an empty map.
da8a4c7 to 73e5e43
/lgtm rebase only
@jlowdermilk: you cannot LGTM your own PR. In response to this:
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: cjcullen, jlowdermilk
/test pull-kubernetes-kubemark-e2e-gce-big
/retest
What this PR does / why we need it:
This PR fixes an edge case error introduced by #46694. It changes the gcp auth client plugin's roundtripper to persist the default cache instead of an empty map. An empty cache is not correct for commandTokenSource, which uses the cache to store calling details for the external command it execs to generate refresh tokens. Persisting a completely empty cache breaks that behavior.
This bug caused an issue where running a `kubectl` command against a GKE cluster with an expired refresh token would break token refresh permanently until `gcloud container clusters get-credentials` was re-run.

Special notes for your reviewer:

Release note:
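
The failure described above, as an added Go sketch that is not the plugin's code: it models what gets persisted after an unauthorized response, with an empty map versus the base cache. The key names, sample values, and the helpers `persistOnUnauthorized`, `canRefresh` and `sampleSource` are assumptions made for illustration.

```go
package main

import "fmt"

// Keys are assumptions for this sketch: two ephemeral token fields and
// the exec details a command-based token source needs.
var ephemeralKeys = map[string]bool{"access-token": true, "expiry": true}

// tokenSource is a simplified stand-in for a cached token source.
type tokenSource struct{ cache map[string]string }

// baseCache returns a copy of the configuration without ephemeral tokens.
func (t *tokenSource) baseCache() map[string]string {
	ret := map[string]string{}
	for k, v := range t.cache {
		if !ephemeralKeys[k] {
			ret[k] = v
		}
	}
	return ret
}

// persistOnUnauthorized models the 401 path: it returns what gets written
// back to the client config. fixed=false is the empty-map behaviour.
func persistOnUnauthorized(t *tokenSource, fixed bool) map[string]string {
	if fixed {
		return t.baseCache()
	}
	return map[string]string{}
}

// canRefresh reports whether a source reloaded from the persisted config
// still knows which external command to exec for a new token.
func canRefresh(persisted map[string]string) bool {
	return persisted["cmd-path"] != ""
}

// sampleSource builds constructed config: exec details plus a stale token.
func sampleSource() *tokenSource {
	return &tokenSource{cache: map[string]string{
		"cmd-path": "/usr/bin/gcloud", "cmd-args": "config config-helper --format=json",
		"access-token": "stale-token", "expiry": "2018-01-01T00:00:00Z",
	}}
}

func main() {
	for _, fixed := range []bool{false, true} {
		p := persistOnUnauthorized(sampleSource(), fixed)
		fmt.Printf("fixed=%v persisted=%v canRefresh=%v\n", fixed, p, canRefresh(p))
	}
}
```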