Fix K8s token refresh by delegating getClient() to K8sConfig cache

adamrtalbot · adamrtalbot · commit 43c62412e0be · 2026-03-13T14:14:41.000Z
K8sConfig.getClient() uses a Guava cache with a 50-minute expiry to refresh the service account token (added in PR #6742). However, K8sExecutor.register() called k8sConfig.getClient() once at startup and stored the result in a private field. K8sExecutor.getClient() returned that stored field directly, and K8sTaskHandler stored executor.client in its constructor — so the Guava cache was never consulted again after startup. This caused 401 Unauthorized errors after ~60 minutes on clusters with short-lived projected SA tokens (e.g. AKS, RKE2 with default ~1hr token lifetime). Fix: - Remove the private K8sClient field from K8sExecutor - Change getClient() to delegate to k8sConfig.getClient() on each invocation, letting the Guava cache handle token refresh - Fix K8sTaskHandler constructor to use executor.getClient() instead of accessing executor.client directly Fixes #6918 Generated by Claude Code Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
diff --git a/plugins/nf-k8s/src/main/nextflow/k8s/K8sExecutor.groovy b/plugins/nf-k8s/src/main/nextflow/k8s/K8sExecutor.groovy
@@ -40,15 +40,6 @@ import org.pf4j.ExtensionPoint
 @ServiceName('k8s')
 class K8sExecutor extends Executor implements ExtensionPoint {
 
-    /**
-     * The Kubernetes HTTP client
-     */
-    private K8sClient client
-
-    protected K8sClient getClient() {
-        client
-    }
-
     /**
      * @return The `k8s` configuration scope in the nextflow configuration object
      */
@@ -57,6 +48,15 @@ class K8sExecutor extends Executor implements ExtensionPoint {
         new K8sConfig( (Map<String,Object>)session.config.k8s )
     }
 
+    /**
+     * @return The Kubernetes HTTP client. Delegates to {@link K8sConfig#getClient()} on each
+     * invocation so that the underlying Guava cache can refresh the client configuration
+     * (including the service account token) when it expires.
+     */
+    protected K8sClient getClient() {
+        new K8sClient(k8sConfig.getClient())
+    }
+
     /**
      * Initialise the executor setting-up the kubernetes client configuration
      */
@@ -65,7 +65,6 @@ class K8sExecutor extends Executor implements ExtensionPoint {
         super.register()
         final k8sConfig = getK8sConfig()
         final clientConfig = k8sConfig.getClient()
-        this.client = new K8sClient(clientConfig)
         log.debug "[K8s] config=$k8sConfig; API client config=$clientConfig"
     }
 
diff --git a/plugins/nf-k8s/src/main/nextflow/k8s/K8sTaskHandler.groovy b/plugins/nf-k8s/src/main/nextflow/k8s/K8sTaskHandler.groovy
@@ -93,7 +93,7 @@ class K8sTaskHandler extends TaskHandler implements FusionAwareTask {
     K8sTaskHandler( TaskRun task, K8sExecutor executor ) {
         super(task)
         this.executor = executor
-        this.client = executor.client
+        this.client = executor.getClient()
         this.outputFile = task.workDir.resolve(TaskRun.CMD_OUTFILE)
         this.errorFile = task.workDir.resolve(TaskRun.CMD_ERRFILE)
         this.exitFile = task.workDir.resolve(TaskRun.CMD_EXIT)
