Merge pull request #70606 from mikedanese/tfreload

periodically reload tokens read from TokenFile in kubeconfig
2025-07-22 19:31:44 +00:00 · 2018-11-05 20:59:38 -08:00 · 2018-11-05 20:59:38 -08:00 · 710bfb440e
commit 710bfb440e
parent 5960971e27 718adb7473
4 changed files with 22 additions and 6 deletions
--- a/staging/src/k8s.io/client-go/rest/config.go
+++ b/staging/src/k8s.io/client-go/rest/config.go
@ -322,7 +322,7 @@ func InClusterConfig() (*Config, error) {
 		return nil, ErrNotInCluster
 	}

-	ts := newCachedPathTokenSource(tokenFile)
+	ts := NewCachedFileTokenSource(tokenFile)

 	if _, err := ts.Token(); err != nil {
 		return nil, err
--- a/staging/src/k8s.io/client-go/rest/token_source.go
+++ b/staging/src/k8s.io/client-go/rest/token_source.go
@ -42,7 +42,9 @@ func TokenSourceWrapTransport(ts oauth2.TokenSource) func(http.RoundTripper) htt
 	}
 }

-func newCachedPathTokenSource(path string) oauth2.TokenSource {
+// NewCachedFileTokenSource returns a oauth2.TokenSource reads a token from a
+// file at a specified path and periodically reloads it.
+func NewCachedFileTokenSource(path string) oauth2.TokenSource {
 	return &cachingTokenSource{
 		now:    time.Now,
 		leeway: 1 * time.Minute,
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
@ -229,11 +229,11 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
 	if len(configAuthInfo.Token) > 0 {
 		mergedConfig.BearerToken = configAuthInfo.Token
 	} else if len(configAuthInfo.TokenFile) > 0 {
-		tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
-		if err != nil {
+		ts := restclient.NewCachedFileTokenSource(configAuthInfo.TokenFile)
+		if _, err := ts.Token(); err != nil {
 			return nil, err
 		}
-		mergedConfig.BearerToken = string(tokenBytes)
+		mergedConfig.WrapTransport = restclient.TokenSourceWrapTransport(ts)
 	}
 	if len(configAuthInfo.Impersonate) > 0 {
 		mergedConfig.Impersonate = restclient.ImpersonationConfig{
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
@ -18,12 +18,14 @@ package clientcmd

 import (
 	"io/ioutil"
+	"net/http"
 	"os"
 	"reflect"
 	"strings"
 	"testing"

 	"github.com/imdario/mergo"
+
 	restclient "k8s.io/client-go/rest"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
@ -332,7 +334,19 @@ func TestBasicTokenFile(t *testing.T) {
 		t.Fatalf("Unexpected error: %v", err)
 	}

-	matchStringArg(token, clientConfig.BearerToken, t)
+	var out *http.Request
+	clientConfig.WrapTransport(fakeTransport(func(req *http.Request) (*http.Response, error) {
+		out = req
+		return &http.Response{}, nil
+	})).RoundTrip(&http.Request{})
+
+	matchStringArg(token, strings.TrimPrefix(out.Header.Get("Authorization"), "Bearer "), t)
+}
+
+type fakeTransport func(*http.Request) (*http.Response, error)
+
+func (ft fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	return ft(req)
 }

 func TestPrecedenceTokenFile(t *testing.T) {