Fix bug with InClusterConfig requiring bearer token. #69272
Conversation
This caused the e2es to fail when run in cluster. Signed-off-by: Timothy St. Clair <timothysc@gmail.com>
timothysc
added
the
priority/critical-urgent
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
sig/cluster-lifecycle
k8s-ci-robot
added
needs-kind
k8s-ci-robot
removed
the
needs-kind
|
@timothysc based on discussion in #69270 @liggitt and @darxkies would like us to try this #69273 instead of trying to go back to initializing the bearertoken during initialization. |
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
@dims @liggitt @mikedanese - there is still a weird problem now in that function is no longer self-contained, and anyone who was previously using it is now going to have an issue. |
the returned config works correctly with transport/client construction... there have always been unserializable fields in the client config struct, so it cannot be assumed to be able to be serialized. extracting a statically read token and persisting it elsewhere is not going to work well as we gradually move to a world in which expiration/rotation occurs. an alternative approach could be to set the tokenfile attribute on the returned InClusterConfig, and adjust transport construction to set up the refreshing token source at point of construction. |
That's a pretty non-intuitive UX from a client library. It's what @dims did to patch the tests, but for general consumers of the library, that are not core k8s developers, it's going to be non-intuitive. |
|
I really don't like this. |
k8s-ci-robot
added
the
needs-rebase
|
@timothysc: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: timothysc If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
We broke our ecosystem on a fairly critical token ithout a way to preserve compatibility. That's not what we do. |
That is an argument that people have to do work in that future, which they already had to do. This seems like we pulled this bandaid prematurely. |
|
@timothysc: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
I don't know that I would fix it this way - I might say we should fix the token transport to handle this, remove the need for wrap transport, and fix the token. |
opened #71713 |
|
Follow up with Jordan in #71713 - I think this preserves the desired legacy behavior and is even slightly cleaner. |
What this PR does / why we need it:
In cluster configs were failing b/c of changes made by #67359
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #69234
Special notes for your reviewer:
I've verified this PR fixes the issue, and is critical priority.
Release note:
/sig testing
/sig auth
/sig apimachinery
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @dims
/assign @liggitt @mikedanese @smarterclayton