fix: AuthenticationRefresher wrapper solution #3406
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: raykrueger The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @raykrueger! |
k8s-ci-robot
added
the
size/L
util/src/main/java/io/kubernetes/client/util/credentials/AuthenticationRefresher.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java
Outdated
Show resolved
Hide resolved
|
@raykrueger is there a way/need to be able to cancel the task running in the executor? |
Yep! I'm combining Brendan's concern with some WeakReference foo to shut the timerdown when the APIClient gets GC'd. Commit incoming! |
raykrueger
force-pushed
the
authentication_refresh
branch
from
254a190 to
4d97dea
Compare
|
I started the code review thing on accident and don't know what to do about that heh. |
|
(Sorry for spamming, wanted a new line in the previous message). Please have a look at the latest. I've added some safety around time timer and moved it to a field. The timer is now cancelled and nulled out if the APICilent is garbage collected. Additionally I removed the flaky Thread.sleep timing from the tests in favor of Countdown Latches. |
raykrueger
force-pushed
the
authentication_refresh
branch
from
4d97dea to
50d46fe
Compare
This commit introduces the AuthenticationRefresher as an implementation of Authentication. It's purpose is to warp another Authentication instance and refresh it very n seconds by calling `provide` on the wrapped Authentication object. This code is intedned to be used a solution to issue kubernetes-client#2438. Any Authentication object that provides credentials, that must be refreshed, to the ApiClient do not have a way to do so. There are two ways to use the AuthenticationRefresher with ClientBuilder. The first option is to use the ClientBuilder.setAuthentication(...) method. An Authentication instance can be wrapped in an AuthenticationRefresher and passed into the setAuthentication method. For example, ``` ClientBuilder.standard().setAuthentication( //wrap an auth and refresh it every 15 minutes (900s) new Authentication(someDelegateAuthenticationInstace, 900) ); ``` This is integrated up into the ClientBuilder.build() method by adding a new authenticationRefreshSeconds field and getter/setter pair. If a refresh interval is set, the Authentication object used by ClientBuilder will be wrapped with an AuthenticationRefresher.
raykrueger
force-pushed
the
authentication_refresh
branch
from
50d46fe to
f99d6df
Compare
util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java
Outdated
Show resolved
Hide resolved
| @Override | ||
| public void provide(ApiClient client) { | ||
|
|
||
| synchronized (this) { |
There was a problem hiding this comment.
Why do this lazily on the first call to provide vs. doing it in the contructor? Do you expect that the ApiClient will get garbage collected repeatedly but this authentication will stick around?
There was a problem hiding this comment.
Still wondering about this. Why not just create the executor once in the constructor and be done with it? This current logic seems convulted and I'm not sure I see the value of the lazy evaluation.
|
Few more comments. Thanks. |
raykrueger
force-pushed
the
authentication_refresh
branch
from
f99d6df to
7b3bede
Compare
The AuthenticationRefreher will now keep a instance-level reference to the current Executor. A singleton style synchronization ensures there is only ever one Executor active. Additionally, the APIClient passed into .provide is now heald as a WeakReference by the Executor. if the APIClient is ever garbage collected the Executor is cancelled and nulled.
raykrueger
force-pushed
the
authentication_refresh
branch
from
7b3bede to
29e1fe3
Compare
|
Ok, I've simplified things a bit. Let me know if this makes better sense. Thanks! |
util/src/main/java/io/kubernetes/client/util/credentials/AuthenticationRefresher.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java
Outdated
Show resolved
Hide resolved
|
I pushed some code a few days ago, but didn’t reach out here. Back to you sir! |
|
/ok-to-test |
k8s-ci-robot
added
the
ok-to-test
|
Sorry, I feel like I'm dragging this code review on and on, but I think this code could be simpler. Added a comment. |
|
any update on this - or is this comment still waiting to be resolved? |
|
@bryantbiggs still waiting afaik. |
|
btw, I dug into this deeper, this won't work correctly because when we construct the Making token refresh work will require changes in the upstream code generator, or a patch to ApiClient. Closing this for now since I think we will need to start with a fresh solution. |
This fixes/relates to #2438 and #290
This commit introduces the AuthenticationRefresher as an implementation of Authentication. It's purpose is to warp another Authentication instance and refresh it very n seconds by calling
provideon the wrapped Authentication object.This code is intedned to be used a solution to issue #2438.
Any Authentication object that provides credentials, that must be refreshed, to the ApiClient do not have a way to do so.
There are two ways to use the AuthenticationRefresher with ClientBuilder. The first option is to use the
ClientBuilder.setAuthentication(...) method. An Authentication instance can be wrapped in an AuthenticationRefresher and passed into the setAuthentication method. For example,
This is integrated up into the ClientBuilder.build() method by adding a new authenticationRefreshSeconds field and getter/setter pair. If a refresh interval is set, the Authentication object used by ClientBuilder will be wrapped with an AuthenticationRefresher.