Re-read JWT file for every authentication #491
Conversation
| b, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value) | ||
| _, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value) |
There was a problem hiding this comment.
I kept this check to ensure that the file can be read during start-up for verification only.
|
How often is this expected to be called worst case? |
On every re-autentication to Vault, when the session token from Vault expires. Hence, not often. E.g. once an hour @klauspost |
|
@klauspost Authentication should be done only once and each time the token expires, which should be once every few minutes if you really have short TTLs. The only way this can go crazy if it can't authenticate. But calling the authentication endpoint would be much more expensive compared to reading the file. |
| hour, min, sec := info.CreatedAt.Clock() | ||
| hour, minute, sec := info.CreatedAt.Clock() |
There was a problem hiding this comment.
This change was needed to fix the lint complaint that min redefinitions the built-in function min.
ramondeklein
force-pushed
the
fix-k8s-service-account
branch
from
b59721d
to
e8370a2
Compare
|
@aead I "fixed" a unit test, but it doesn't really read the JWT from the file anymore. If we do want to do that, then we need to create a mocked Vault client. I could do that, but not sure if I should... |
|
@aead Feel free to merge (I can't do it). |
The JWT for authentication to Hashicorp Keyvault is only read during initialization or when
SIGHUPis received. This results in issues when the SA token expires and the Keyvault client token needs to be refreshed. This PR will re-read the JWT file for every authentication.Related to https://subnet.min.io/issues/12909.