Address issue #4 (lock concurrent instances) and #5 (verify token and retry) (#7)

* Add token verification and retries

* verifyToken

* VERIFY_TOKEN env

* Fix YAML

* Remove binary; .gitignore

* Simplify obtaining verifyToken from the environment

* switch to false

* Change Env

* string

* Removed

* Tested working

* Closes #4

* Update run-locally example

* Move defer to right after resource allocation

* Add config method for using token validation setting

* accept StatusOK as valid

* Add test to image URL parsing

---------

Co-authored-by: gotsysdba <[email protected]>

Author: jdortiz

.gitignore

@@ -1,6 +1,9 @@
 # Created by https://www.toptal.com/developers/gitignore/api/macos,go,visualstudiocode
 # Edit at https://www.toptal.com/developers/gitignore?templates=macos,go,visualstudiocode
 
+### Binary ###
+oke-credential-provider-for-ocir-linux-amd64
+
 ### Go ###
 # If you prefer the allow list template instead of the deny list, see community template:
 # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore

cmd/provider.go

@@ -7,15 +7,35 @@ package main
 
 import (
 	"flag"
+	"os"
+	"time"
 
 	"github.com/devrocks/credential-provider-oke/internal/helpers"
 	"github.com/devrocks/credential-provider-oke/internal/provider"
+	"github.com/gofrs/flock"
 )
 
 func main() {
 	var configType string
-	flag.StringVar(&configType, "config", "", "Type the absolute path to yaml file with provider configuration. If it's ommited, program reads from environment variables (REGISTRY_TOKEN_PATH, DEFAULT_USER, REGISTRY_PROTOCOL, OCIR_AUTH_METHOD).")
+	flag.StringVar(&configType, "config", "", "Path to config YAML or environment config")
 	flag.Parse()
+
+	lockFilePath := "/var/lib/kubelet/credential-provider.lock"
+	fileLock := flock.New(lockFilePath)
+
+	locked, err := fileLock.TryLock()
+	if err != nil {
+		os.Exit(1)
+	}
+	defer fileLock.Unlock()
+
+	if !locked {
+		// Lock is held by another process, sleep then exit
+		// that process will then be able to use the cache and reduce requests
+		time.Sleep(1 * time.Second)
+		os.Exit(0)
+	}
+
 	config := helpers.ReadConfig(configType)
 	provider.GetCredentialProviderResponse(config)
 }

examples/README.md

@@ -0,0 +1,11 @@
+# Provider Configuration
+
+## TOKEN_VALIDATION
+
+To utilize token validation, set to `enabled`.
+
+When the first image is pulled, the CredentialProvider will obtain a token from OCI which will be cached for subsequent image pulls up to the `cacheDuration` (normally equal to the tokens lifetime: 1hr).  When the cached token expires by reaching the `cacheDuration`, the next image pull will request a new one.
+
+If IAM policies are not in place at the time the token is cached then the token is essentially unauthorized for the entire duration of the `cacheDuration`.  The `TOKEN_VALIDATION` configuration setting will set an initial short lived `cacheDuration` until it is determined that the cached token is authorized to pull images.  Once it is determined that the token is authorized, it will set the `cacheDuration` to the tokens lifetime.
+
+It is important to note that a new token is _not_ requested when the cached token expires.  It is only requested when the cached token expires **and** an image pull occurs.

examples/run-locally-yaml/config.yaml

@@ -2,3 +2,4 @@ registryTokenPath: /20180419/docker/token
 defaultUser: BEARER_TOKEN
 registryProtocol: https
 ocirAuthMethod: USER_PRINCIPAL
+tokenValidation: enabled

examples/run-on-worker-instance-principal/credential-provider-config.yaml

@@ -1,18 +1,19 @@
 apiVersion: kubelet.config.k8s.io/v1
 kind: CredentialProviderConfig
 providers:
-- name: credential-provider-oke
-  apiVersion: credentialprovider.kubelet.k8s.io/v1
-  matchImages:
-  - "*.ocir.io"
-  defaultCacheDuration: 55m
-  env:
-  - name: REGISTRY_TOKEN_PATH
-    value: /20180419/docker/token
-  - name: DEFAULT_USER
-    value: BEARER_TOKEN
-  - name: REGISTRY_PROTOCOL
-    value: https
-  - name: OCIR_AUTH_METHOD
-    value: INSTANCE_PRINCIPAL
-    
+  - name: credential-provider-oke
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    matchImages:
+      - "*.ocir.io"
+    defaultCacheDuration: 55m
+    env:
+      - name: REGISTRY_TOKEN_PATH
+        value: /20180419/docker/token
+      - name: DEFAULT_USER
+        value: BEARER_TOKEN
+      - name: REGISTRY_PROTOCOL
+        value: https
+      - name: OCIR_AUTH_METHOD
+        value: INSTANCE_PRINCIPAL
+      - name: TOKEN_VALIDATION
+        value: enabled

go.mod

@@ -1,8 +1,18 @@
 module github.com/devrocks/credential-provider-oke
 
-go 1.21.7
+go 1.23.0
+
+toolchain go1.24.4
+
+require (
+	github.com/gofrs/flock v0.12.1
+	github.com/oracle/oci-go-sdk v24.3.0+incompatible
+	gopkg.in/yaml.v3 v3.0.1
+)
 
 require (
-	github.com/oracle/oci-go-sdk v24.3.0+incompatible // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 )

go.sum

@@ -1,4 +1,26 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible h1:x4mcfb4agelf1O4/1/auGlZ1lr97jXRSSN5MxTgG/zU=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/helpers/config.go

@@ -6,23 +6,33 @@
 package helpers
 
 import (
+	"bytes"
+	"fmt"
 	"os"
 
 	"gopkg.in/yaml.v3"
 )
 
 type Config struct {
+	// ConfigMaps always use strings, even for YAML; so everything MUST be string
 	RegistryTokenPath string `yaml:"registryTokenPath"`
 	DefaultUser       string `yaml:"defaultUser"`
 	RegistryProtocol  string `yaml:"registryProtocol"`
 	OCIRAuthMethod    string `yaml:"ocirAuthMethod"`
+	TokenValidation   string `yaml:"tokenValidation"`
+}
+
+func (config Config) IsTokenValidationEnabled() bool {
+	return bytes.EqualFold([]byte("enabled"), []byte(config.TokenValidation))
 }
 
 func ReadConfig(configPath string) Config {
 	var config Config
 	if len(configPath) > 0 {
+		Log("Loading config from YAML file: " + configPath)
 		config = readConfigFromYaml(configPath)
 	} else {
+		Log("Loading config from environment variables.")
 		config = readConfigFromEnv()
 	}
 
@@ -33,22 +43,22 @@ func ReadConfig(configPath string) Config {
 	if config.OCIRAuthMethod == "" {
 		config.OCIRAuthMethod = "INSTANCE_PRINCIPAL"
 	}
+	Log(fmt.Sprintf("Configuration Loaded: %+v", config))
 
 	return config
 }
 
 func readConfigFromEnv() Config {
-	defer Log("Configuration loaded from environment variables.")
 	return Config{
 		RegistryTokenPath: os.Getenv("REGISTRY_TOKEN_PATH"),
 		DefaultUser:       os.Getenv("DEFAULT_USER"),
 		RegistryProtocol:  os.Getenv("REGISTRY_PROTOCOL"),
 		OCIRAuthMethod:    os.Getenv("OCIR_AUTH_METHOD"),
+		TokenValidation:   os.Getenv("TOKEN_VALIDATION"),
 	}
 }
 
 func readConfigFromYaml(configPath string) Config {
-	defer Log("Configuration loaded from YAML file: " + configPath)
 	configYaml, err := os.ReadFile(configPath)
 	FatalIfErrorDescription(err, "Program couldn't locate config.yaml file. Make sure to place it in the folder with the binary")
 

internal/helpers/logger.go

@@ -23,5 +23,6 @@ func init() {
 }
 
 func Log(message string) {
-	Logger.Println(message)
-}
+	pid := os.Getpid()
+	Logger.Printf("[PID %d] %s", pid, message)
+}

internal/helpers/regex.go

@@ -5,15 +5,25 @@
 
 package helpers
 
-import "regexp"
+import (
+	"fmt"
+	"regexp"
+)
 
-func ExtractHostname(imageName string) string {
-	regexPattern := `^(?:https?://)?(?:[^@/\n]+@)?(?:www\.)?([^:/\n]+)`
-	regex := regexp.MustCompile(regexPattern)
-	match := regex.FindStringSubmatch(imageName)
-	var hostname string
-	if len(match) > 1 {
-		hostname = match[1]
+func ParseImage(image string) (hostname, repository, tag string, err error) {
+	regexPattern := `^([a-zA-Z0-9.-]+(?::[0-9]+)?)/([^:]+)(?::(.+))?$`
+	re := regexp.MustCompile(regexPattern)
+	matches := re.FindStringSubmatch(image)
+	if len(matches) == 0 {
+		err = fmt.Errorf("invalid image format")
+		return
 	}
-	return hostname
+
+	hostname = matches[1]
+	repository = matches[2]
+	tag = matches[3]
+	if tag == "" {
+		tag = "latest"
+	}
+	return
 }