reload service account token within incluster config

zshihang · zshihang · commit aa77f9ba2761 · 2020-05-04T14:33:56.000-07:00
diff --git a/kubernetes/spec/config/incluster_config_spec.rb b/kubernetes/spec/config/incluster_config_spec.rb
@@ -18,7 +18,7 @@
 
 require 'kubernetes/config/incluster_config'
 
-# rubocop:disable BlockLength
+# rubocop:disable Metrics/BlockLength
 describe Kubernetes::InClusterConfig do
   context '#configure' do
     let(:incluster_config) do
@@ -36,6 +36,10 @@
           :@token_file,
           Kubernetes::Testing.file_fixture('tokens/token').to_s
         )
+        c.instance_variable_set(
+          :@token_refresh_period,
+          5
+        )
       end
     end
 
@@ -50,6 +54,18 @@
 
       incluster_config.configure(actual)
       expect(actual).to be_same_configuration_as(expected)
+
+      old_expired_at = incluster_config.token_expires_at
+      incluster_config.instance_variable_set(
+        :@token_file,
+        Kubernetes::Testing.file_fixture('tokens/token2').to_s
+      )
+      allow(Time).to receive(:now).and_return(Time.now+5)
+      actual.api_key_with_prefix('authorization')
+
+      expected.api_key['authorization'] = 'Bearer token2'
+      expect(actual).to be_same_configuration_as(expected)
+      expect(incluster_config.token_expires_at).to be > old_expired_at
     end
   end
 
@@ -141,4 +157,4 @@
     end
   end
 end
-# rubocop:enable BlockLength
+# rubocop:enable Metrics/BlockLength
diff --git a/kubernetes/spec/fixtures/files/tokens/token2 b/kubernetes/spec/fixtures/files/tokens/token2
@@ -0,0 +1 @@
+token2
diff --git a/kubernetes/src/kubernetes/config/incluster_config.rb b/kubernetes/src/kubernetes/config/incluster_config.rb
@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
 
 require 'kubernetes/configuration'
 require 'kubernetes/config/error'
@@ -19,27 +20,29 @@ module Kubernetes
   # The InClusterConfig class represents configuration for authn/authz in a
   # Kubernetes cluster.
   class InClusterConfig
-    # rubocop:disable LineLength
+    # rubocop:disable Metrics/LineLength
     SERVICE_HOST_ENV_NAME = 'KUBERNETES_SERVICE_HOST'.freeze
     SERVICE_PORT_ENV_NAME = 'KUBERNETES_SERVICE_PORT'.freeze
     SERVICE_TOKEN_FILENAME = '/var/run/secrets/kubernetes.io/serviceaccount/token'.freeze
     SERVICE_CA_CERT_FILENAME = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'.freeze
-    # rubocop:enable LineLength
+    TOKEN_REFRESH_PERIOD = 60 # 1 minute
+    # rubocop:enable Metrics/LineLength
 
     attr_accessor :host
     attr_accessor :port
     attr_accessor :token
+    attr_accessor :token_expires_at
 
     def validate
       unless (self.host = env[SERVICE_HOST_ENV_NAME]) &&
              (self.port = env[SERVICE_PORT_ENV_NAME])
         raise ConfigError, 'Service host/port is not set'
       end
 
-      # rubocop:disable LineLength
+      # rubocop:disable Metrics/LineLength
       raise ConfigError, 'Service token file does not exists' unless File.file?(token_file)
       raise ConfigError, 'Service token file does not exists' unless File.file?(ca_cert)
-      # rubocop:enable LineLength
+      # rubocop:enable Metrics/LineLength
     end
 
     def self.in_cluster?
@@ -62,19 +65,42 @@ def token_file
       @token_file
     end
 
+    def token_refresh_period
+      @token_refresh_period ||= TOKEN_REFRESH_PERIOD
+      @token_refresh_period
+    end
+
     def load_token
       File.open(token_file) do |io|
         self.token = io.read.chomp
+        self.token_expires_at = Time.now + token_refresh_period
       end
     end
 
-    def configure(configuration)
+    # rubocop:disable Metrics/AbcSize
+    def configure(configuration, try_refresh_token: true)
       validate
       load_token
       configuration.api_key['authorization'] = "Bearer #{token}"
       configuration.scheme = 'https'
       configuration.host = "#{host}:#{port}"
       configuration.ssl_ca_cert = ca_cert
+      return unless try_refresh_token
+
+      Configuration.instance_variable_set(:@in_cluster_config, self)
+      Configuration.prepend(Module.new do
+        # rubocop:disable Metrics/LineLength
+        def api_key_with_prefix(identifier)
+          in_cluster_config = self.class.instance_variable_get(:@in_cluster_config)
+          if identifier == 'authorization' && @api_key.key?(identifier) && in_cluster_config.token_expires_at <= Time.now
+            in_cluster_config.load_token
+            @api_key[identifier] = 'Bearer ' + in_cluster_config.token
+          end
+          super identifier
+        end
+        # rubocop:enable Metrics/LineLength
+      end)
     end
+    # rubocop:enable Metrics/AbcSize
   end
 end
