Requests from inside the cluster misuse the API to refresh tokens #1948

Closed
@AlexisZam

Problem statement

The OpenAPITools/openapi-generator/pull/3594 PR added the refresh_api_key_hook() hook to Configuration() objects to refresh expired (or expiring) tokens. This hook is undefined by default. If defined, the get_api_key_with_prefix() method will call it to refresh the token before returning it.

Out-of-cluster

The kubernetes-client/python-base/pull/250 PR defined the __refresh_api_key() function and used it to override the refresh_api_key_hook() hook to refresh tokens from outside the cluster.

This is the proper usage of the API.

In-cluster

The kubernetes-client/python-base/pull/191 and kubernetes-client/python-base/pull/193 PRs defined the load_token_from_file() function and used it to override the get_api_key_with_prefix() method to refresh tokens from inside the cluster.

That is, a well-defined higher-level function is overridden, instead of the undefined lower-level hook, which is designed to be overridden. Put simply, the API is misused.

A side-effect of this is that the token of the client is never updated. I.e., the client always has the (possibly stale) token that was loaded by the last call to load_config() at the time it was created. This works just because the token of the client is not used for the requests to Kubernetes (even though it should be).

Note that by 'client' we refer to an XXXApi object (e.g. CoreV1Api), which we use to make requests to Kubernetes.

Proposed fix

To use the API properly, update the tokens of clients making requests to Kubernetes, and use these tokens for requests, we can mirror the way tokens are refreshed from outside the cluster, i.e.,

  • define a _refresh_api_key function (instead of load_token_from_file), which
  • updates the token of the client (instead of simply returning a token), and
  • override the refresh_api_key_hook hook (instead of get_api_key_with_prefix).

The diff is

diff --git a/kubernetes/base/config/incluster_config.py b/kubernetes/base/config/incluster_config.py
index 5dabd4b7c..86070df43 100644
--- a/kubernetes/base/config/incluster_config.py
+++ b/kubernetes/base/config/incluster_config.py
@@ -92,12 +92,12 @@ class InClusterConfigLoader(object):
         if not self._try_refresh_token:
             return
 
-        def load_token_from_file(*args):
+        def _refresh_api_key(client_configuration):
             if self.token_expires_at <= datetime.datetime.now():
                 self._read_token_file()
-            return self.token
+            self._set_config(client_configuration)
 
-        client_configuration.get_api_key_with_prefix = load_token_from_file
+        client_configuration.refresh_api_key_hook = _refresh_api_key
 
     def _read_token_file(self):
         with open(self._token_filename) as f:
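
Review bot: In `_refresh_api_key`, the call `self._set_config(client_configuration)` sits outside the `if self.token_expires_at <= datetime.datetime.now():` check, so it runs on every invocation of the hook rather than only after `_read_token_file()` has actually re-read the token. Indent it under the `if` so the configuration is rewritten only when a new token was loaded. If `_set_config` is also the method that assigns `refresh_api_key_hook`, calling it from inside the hook would reassign the hook on each call; a helper that updates only the token on `client_configuration` would avoid that. The new nested function would also benefit from a short docstring stating that it mutates `client_configuration` in place and returns nothing, since the function it replaces returned the token.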

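The difference between the two wiring styles described in the issue, as an added example that is not part of the original issue or of the kubernetes client code. `StubConfiguration`, `RotatingTokenSource` and the helper names are hypothetical stand-ins modelled only on the behaviour the issue describes; the token values are constructed.

```python
# Added illustration: StubConfiguration is a stand-in modelled on the behaviour
# described in the issue, not the generated kubernetes client class.
class StubConfiguration:
    def __init__(self):
        self.api_key = {}
        self.api_key_prefix = {}
        self.refresh_api_key_hook = None  # undefined by default

    def get_api_key_with_prefix(self, identifier):
        # Call the hook (if defined) before reading the stored key.
        if self.refresh_api_key_hook is not None:
            self.refresh_api_key_hook(self)
        key = self.api_key.get(identifier)
        prefix = self.api_key_prefix.get(identifier)
        return f"{prefix} {key}" if key and prefix else key


class RotatingTokenSource:
    """Constructed stand-in for a token file that is rotated over time."""
    def __init__(self):
        self.generation = 1

    def read(self):
        return f"bearer token-v{self.generation}"

    def rotate(self):
        self.generation += 1


def wire_by_method_override(config, source):
    # In-cluster pattern criticised in the issue: replace the getter itself.
    config.api_key["authorization"] = source.read()
    config.get_api_key_with_prefix = lambda *args: source.read()


def wire_by_hook(config, source):
    # Proposed pattern: the hook writes the fresh token into the configuration.
    def _refresh_api_key(client_configuration):
        client_configuration.api_key["authorization"] = source.read()
    config.api_key["authorization"] = source.read()
    config.refresh_api_key_hook = _refresh_api_key


def token_views_after_rotation(wire):
    """Return (token handed out for a request, token stored on the config)."""
    config, source = StubConfiguration(), RotatingTokenSource()
    wire(config, source)
    source.rotate()
    used = config.get_api_key_with_prefix("authorization")
    return used, config.api_key["authorization"]
```

With the method override, the getter hands out the rotated token while `api_key` still holds the old one, so any code that reads the stored value directly sees a stale credential; with the hook, both views agree.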