Java Client doesn't refresh client auth exec-based credentials

[micahhausler]

Describe the bug

Kubernetes supports executing an external process to get API server credentials, and the Java K8s client does too.

For processes that run longer than a credential's lifetime, client-go consumes the .Status.ExpirationTimestamp, caches the credential and will refresh when the credential expires.

Today, the Java client ignores the .Status.ExpirationTimestamp and only gets the exec-based credential once at process start, and will not refresh.

Amazon EKS's tokens (using kubernetes-sigs/aws-iam-authenticator) use this exec-based format, and return an expiration timestamp 15 minutes in the future (same for the AWS CLI implementation). This causes long-running Java clients (such as a Spark job) to fail authentication after 15 minutes.

Client Version

All versions

Kubernetes Version

All versions

Java Version
N/A

To Reproduce
N/A

Expected behavior

The Java client should cache the returned exec-based credential, and refresh automatically

KubeConfig
N/A

Server (please complete the following information):

• OS: [e.g. Linux]
• Environment [e.g. container]
• Cloud [e.g. Azure]

Additional context
N/A

[brendandburns]

We'd be happy to take a PR to implement this, you will need to implement the Authenticator interface and register it for exec providers.

See:
https://github.com/kubernetes-client/java/blob/master/util/src/main/java/io/kubernetes/client/util/authenticators/AzureActiveDirectoryAuthenticator.java

For an example.

[brendandburns]

I looked into this more closely and it is more complicated, you can look at the comment here:

java/util/src/main/java/io/kubernetes/client/util/KubeConfig.java

Line 318 in bbd7b10

// TODO cache tokens between calls, up to .status.expirationTimestamp

For more details.

[brendandburns]

We will need a significant refactor to support this. Not impossible, but definitely not trivial.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[raykrueger]

I may have a solution for this to review this week if we're still interested. It will be possible to support a refresh interval on any Authentication instance created in the ClientBuilder. My solution does not read the expiration from the exec token for all of the reasons Brendan mentioned, and as mentioned in code comments. The authentication stack currently relies on holding Strings in memory which limits our ability to change all of the public APIs in use here.