[Kubernetes] Refresh Service Account token before it expires
Closed this issue · 3 comments
Is your feature request related to a problem? Please describe.
We would like to transition to issuing ServiceAccount tokens that expire, aka BoundServiceAccountTokenVolumes.
Skipper's Kubernetes data client is currently not aware that ServiceAccount tokens can expire and therefore only reads the token once when the client is initialized. (e.g. here and here)
We would like for skipper to refresh the token from the mounted volume so that it always has a valid token.
Describe the solution you would like
The token should be re-read from the mounted volume while skipper is running. The path to the token within the container doesn't change. This can either be done in fixed intervals or by taking the expiry time within the token into account.
Looking at Kubernetes' TokenManager itself, it refreshes tokens once they are past 80% of their lifetime, or at least once per day. The default validity of ServiceAccount tokens is 1h, so in practice they will be rotated once per hour.
Describe alternatives you've considered (optional)
We could use client-go for talking to the Kubernetes API (or a suitable subpackage). Token refresh is handled within the client automatically and it might have other benefits (or drawbacks).
Would you like to work on it?
Yes
Sounds good, but we don’t like client-go.
We already have a secrets module, which you can use to read and update secrets.
I am also working on providing an HTTP client in a branch https://github.com/zalando/skipper/blob/feature/skipper-http-client/net/httpclient.go that should also use the secrets module, and you can use this client to replace the current kubernetes dataclient HTTP client.
Thanks, I'll take a look.