[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication renewal #393

Open
1 task
cben opened this issue Feb 16, 2019 · 4 comments
Open
1 task

Authentication renewal #393

cben opened this issue Feb 16, 2019 · 4 comments

Comments

@cben
Copy link
Collaborator
cben commented Feb 16, 2019

Some credentials have short shelf life. GCP auth is good for about a hour, I think(?). exec results may return expiration time, or may simply return error at some point.

Since one might have passed around a Kubeclient::Client object to many places,
it would be desirable to be able to renew auth - manually or automatically - without creating a new Client.

  • TODO: study other libraries, notably the Go client.
@cben
Copy link
Collaborator Author
cben commented Feb 27, 2019

1. Mutable Client or external mutable object holding credentials?

Would a first step of making Client mutable, at least for auth_options, be helpful?
No. Presently you need separate Client object per API group, but you want to renew credentials only once. Having to keep track of each Client and patching them all would negate the gains.

Additionally, at least with some OIDC servers, refresh tokens are single-use (#409 (comment)), which is inherently messy across processes, but at least in one process, it's important to centralize renewal.

  • Conclusion: we want a new object responsible for auth (not giving it a name yet).
    Many Client objects will be able to point to a single auth object.
  • Conclusion: we want Client to ask the auth object for credentials before every API request.

@cben
Copy link
Collaborator Author
cben commented Feb 27, 2019

2. Will the current way users construct Client by passing in auth_options: config.context.auth_options etc. need to change?

Probably. We might be able to smuggle an auth object instead of passive data under a new key in auth_options, but not sure I want that.

Anyway, this will be a huge enough win to warrant an API change, I'm not worried about this for now 🙈

  • BTW, credentials are not all in auth_options! Client certs currently go in ssl_options.client_cert, ssl_options.client_key. Not a big problem, just a point to keep in mind.

cben added a commit to cben/kubeclient that referenced this issue Mar 1, 2019
Retracts promise made in 0cbf5db

Motivation:
I want to let Config and Config::Context expose the underlying data,
because why not.  Ideally for that, Config#context would become a
passive function, moving the work to Config::Context#auth_options (?)

There are open questions about this, and probably should figure out a
plan around auth renewal (ManageIQ#393) first.   Anyway, don't want my hands tied.
@cben
Copy link
Collaborator Author
cben commented Aug 7, 2019

Kubernetes plans to change service account tokens to short-lived: kubernetes/kubernetes#70679
This even simple in-cluster config will require on-the fly auth updates.

@cben
Copy link
Collaborator Author
cben commented Feb 13, 2022

For BoundServiceAccountTokenVolume, reloading from file implemented in #532 (currently on every request! feedback wanted whether that needs optimizing).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant