-
-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kube ignores expirationTimestamp
when exec returns a client certificate
#1675
Comments
related #1088 |
This might be terrible solution, but I'll just mention it anyway :) Add a |
Yeah, I don't think recreating the stack inside the client builder is at all practical here. We've already thrown away the Is garden actually setting cert expiry that low that this is a problem? I expected auth refresh stuff like this (which happens in the oob client created specifically in the auth modules via the |
It might be possible to do something with
Hah. Yeah, a variant of this would work. Not ideal, but people that truly need this (local development against garden / tooling or GUIs with wide support) could grab the property out of ..long term though, it would be nice if there were ways to bubble up information like this to connectors, but that's a lot of layers and libraries to go through, particularly when the end result people work with is an amorphous |
It's 15min by default, which in my case is an issue as it's a GUI app which usually has very long sessions. RefreshableToken works fine as it's done via the AuthLayer + Header
I thought about getting it from the Config, but the I have a working version of this solution, I can send a PR and let you decide if this is something you want to add or not. Is that OK? |
Ah, ok. That makes sense.
Please! Sounds completely fine to expose a timestamp if it can help solve it on the user side (even if it's a bit ugly there). |
Current and expected behavior
gardenlogin returns a client certificate with expirationTimestamp, but kube does not use it, which means it's not able to refresh the certs.
Here's an example of the response:
Possible solution
I'd like to contribute but I'm struggling to find the solution for it. The credentials are used to build a
rustls::ClientConfig
and added as a connector to the tower Stack, which means that if the credentials change, we should probably rebuild the stack?Is that even possible?
Any suggestions on how to approach this one?
Additional context
No response
Environment
macOS on a Gardener cluster
Configuration and features
No response
Affected crates
kube-client
Would you like to work on fixing this bug?
maybe
The text was updated successfully, but these errors were encountered: