bearer_token needs to be reloaded every 1h to avoid expired service account tokens
grosser opened this issue · 0 comments
grosser commented
as per https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md since 1.22 (or with BoundServiceAccountTokenVolume=true) tokens will expire every 1h and need to be re-loaded from disk
options:
- add a reload_bearer_auth_token method for users to call
- add an internal Thread that reloads it (... ideally on by default, but tricky)
- check age every time a request is made and reload as needed
- reload on every request (in `def rest_client` and `def http_options`) since it's pretty cheap and usually an in-memory file
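
The third option in the list above (check the token's age on each request and reload as needed), as an added example that is not kubeclient code and not from the issue author. The class name `ReloadingBearerToken`, the 60-second `max_age` and the injectable `clock` are assumptions; the demo uses a constructed temp file in place of the mounted token.

```ruby
require "tempfile"

# Hypothetical helper, not part of kubeclient: caches a projected service
# account token and re-reads it from disk once the cached copy is too old.
class ReloadingBearerToken
  # Standard in-pod mount path for the service account token.
  DEFAULT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
  MONOTONIC = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }

  def initialize(path: DEFAULT_PATH, max_age: 60, clock: MONOTONIC)
    @path = path
    @max_age = max_age # assumed value, far below the 1h token lifetime
    @clock = clock
    @mutex = Mutex.new # several threads may share one client
    @token = nil
    @loaded_at = nil
  end

  # Call on every request when building the Authorization header.
  def token
    @mutex.synchronize do
      reload if @token.nil? || @clock.call - @loaded_at >= @max_age
      @token
    end
  end

  private

  def reload
    fresh = File.read(@path).strip
    raise "empty token file: #{@path}" if fresh.empty?
    @token = fresh
    @loaded_at = @clock.call
  rescue SystemCallError
    # Keep the cached token if the file is briefly unreadable (retried on the
    # next call), but fail loudly when nothing is cached at all.
    raise if @token.nil?
  end
end

# Constructed demo: simulate a rotation with a temp file and a fake clock.
def demo_rotation
  now = 0
  Tempfile.create("token") do |f|
    File.write(f.path, "token-v1\n")
    provider = ReloadingBearerToken.new(path: f.path, clock: -> { now })
    seen = [provider.token]
    File.write(f.path, "token-v2\n") # the token file is rotated on disk
    seen << provider.token           # within max_age: cached value
    now += 61
    seen << provider.token           # past max_age: re-read from disk
  end
end
```
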