Merged
58 changes: 50 additions & 8 deletions apisix/discovery/kubernetes/init.lua
Expand Up @@ -31,6 +31,7 @@ local core = require("apisix.core")
local util = require("apisix.cli.util")
local local_conf = require("apisix.core.config_local").local_conf()
local informer_factory = require("apisix.discovery.kubernetes.informer_factory")
local lfs = require("lfs")


local ctx
Expand Down Expand Up @@ -283,6 +284,45 @@ local function read_env(key)
return key
end

local function read_token(token_file)
local token, err = util.read_file(token_file)
if err then
return nil, err
end

-- remove possible extra whitespace
local trimmed_token = token:gsub("%s+", "")
Member


waiting

return trimmed_token
end


local function update_token(handle)
if not handle.apiserver.token_file or handle.apiserver.token_file == "" then
return
Member


for success or failure, we should return different values

end

local token_file_path = handle.apiserver.token_file
local attributes, err = lfs.attributes(token_file_path)
if not attributes then
core.log.error("failed to fetch ", token_file_path, " attributes: ", err)
return
end

local last_modification_time = attributes.modification
if handle.token_file_mtime == last_modification_time then
return
end

local token, err = read_token(token_file_path)
if err then
return nil, err
Member


we can only choose one of them:

if not attributes then
        core.log.error("failed to fetch ", token_file_path, " attributes: ", err)
        return
    end
if err then
        return nil, err
end

end

handle.apiserver.token = token
handle.token_file_mtime = last_modification_time
core.log.warn("kubernetes service account token has been updated")
Member


use log.infolog.notice is suitable

end


local function get_apiserver(conf)
local apiserver = {
Expand Down Expand Up @@ -324,23 +364,21 @@ local function get_apiserver(conf)
return nil, err
end
elseif conf.client.token_file and conf.client.token_file ~= "" then
local file
file, err = read_env(conf.client.token_file)
local token_file, err = read_env(conf.client.token_file)
if err then
return nil, err
end

apiserver.token, err = util.read_file(file)
apiserver.token, err = read_token(token_file)
if err then
return nil, err
end

apiserver.token_file = token_file
else
return nil, "one of [client.token,client.token_file] should be set but none"
end

-- remove possible extra whitespace
apiserver.token = apiserver.token:gsub("%s+", "")

if apiserver.schema == "https" and apiserver.token == "" then
return nil, "apiserver.token should set to non-empty string when service.schema is https"
end
Expand Down Expand Up @@ -379,6 +417,8 @@ local function start_fetch(handle)
return
end

update_token(handle)

local ok, status = pcall(handle.list_watch, handle, handle.apiserver)

local retry_interval = 0
Expand Down Expand Up @@ -459,7 +499,8 @@ local function single_mode_init(conf)
ctx = setmetatable({
endpoint_dict = endpoint_dict,
apiserver = apiserver,
default_weight = default_weight
default_weight = default_weight,
token_file_mtime = nil
}, { __index = endpoints_informer })

start_fetch(ctx)
Expand Down Expand Up @@ -565,7 +606,8 @@ local function multiple_mode_init(confs)
ctx[id] = setmetatable({
endpoint_dict = endpoint_dict,
apiserver = apiserver,
default_weight = default_weight
default_weight = default_weight,
token_file_mtime = nil
}, { __index = endpoints_informer })
end

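Review bot: In update_token the refreshed value is stored without the non-empty check that get_apiserver applies at startup (`apiserver.schema == "https" and apiserver.token == ""`), so a token file that is empty or whitespace-only when it is read would, as far as the visible code shows, leave `handle.apiserver.token` as `""`. Because `handle.token_file_mtime` is recorded in the same step, no re-read happens until the file changes again, and every list/watch in between goes out with an empty bearer token. I would guard before the two assignments with `if token == "" then return nil, "empty token read from " .. token_file_path end`, leaving the stored mtime untouched so the next cycle retries. Separately, the call in start_fetch is a bare `update_token(handle)`, so the `nil, err` from a failed read is dropped without a log line; `local _, err = update_token(handle)` followed by `if err then core.log.error("failed to refresh token: ", err) end` would surface it. start_fetch's body continues outside the hunk.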
37 changes: 37 additions & 0 deletions t/kubernetes/discovery/kubernetes.t
Expand Up @@ -40,6 +40,7 @@ env MyPort=6443;
env KUBERNETES_SERVICE_HOST=127.0.0.1;
env KUBERNETES_SERVICE_PORT=6443;
env KUBERNETES_CLIENT_TOKEN=$::token_value;
env KUBERNETES_CLIENT_TOKEN_FILE=$::token_file;
_EOC_

$block->set_value("main_config", $main_config);
Expand Down Expand Up @@ -94,6 +95,20 @@ _EOC_
}
}

location /update_token {
content_by_lua_block {
local token_file = "$::token_file"
local file = io.open(token_file, "w")
file:write("invalid_token_value")
file:close()
ngx.sleep(3)
file = io.open(token_file, "w")
local token_value = [[$::token_value]]
file:write(token_value)
file:close()
}
}

_EOC_

$block->set_value("config", $config);
Expand Down Expand Up @@ -346,3 +361,25 @@ GET /compare
Content-type: application/json
--- response_body
true



=== TEST 7: auto update token when token file changed
--- yaml_config
apisix:
node_listen: 1984
config_center: yaml
deployment:
role: data_plane
role_data_plane:
config_provider: yaml
discovery:
kubernetes:
client:
token_file: "${KUBERNETES_CLIENT_TOKEN_FILE}"
--- request
GET /update_token
--- grep_error_log eval
qr/kubernetes service account token has been updated/
--- grep_error_log_out
kubernetes service account token has been updated
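Review bot: TEST 7 asserts only that the "token has been updated" line appears in the error log, so it passes once update_token has run and does not show that the rotated credential is what the informer subsequently presents to the API server. After `/update_token` restores the valid token, a follow-up request that queries discovered endpoints and checks the response body would cover the behaviour that matters for authentication. A case for an unreadable or empty token file is also missing, and that is the path where a stale or blank token could be kept silently. In the `/update_token` handler both `io.open(token_file, "w")` results are used unchecked; `local file = assert(io.open(token_file, "w"))` would turn a bad path or permission problem into a clear failure instead of an index-nil error.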