Refresh GKE OAuth2 tokens #32673

fdemiane · 2023-07-18T13:02:58Z

When GKEStartPodOperator is taking more than one hour to complete, it is failing with "unauthorised" error messages because the OAuth2 token that was used wasn't being refreshed before API calls.

In this PR we are making sure to refresh expired tokens before API calls to kubernetes.

hussein-awala

I attempted a similar solution previously, but without using refresh_api_key_hook. However, I believe that yours should work and resolve the issue. LGTM.

Just a small nit comment

hussein-awala · 2023-07-18T18:27:31Z

airflow/providers/google/cloud/hooks/kubernetes_engine.py

+        creds = self.get_credentials()
+        if not GKEPodHook._is_credentials_valid(creds):
+            GKEPodHook._refresh_token(creds)
+            configuration.api_key = {"authorization": creds.token}


You could always set the api_key and use the _get_token method, which return the old api_key if it is still valid and a new one if not.

Suggested change

creds = self.get_credentials()

if not GKEPodHook._is_credentials_valid(creds):

GKEPodHook._refresh_token(creds)

configuration.api_key = {"authorization": creds.token}

configuration.api_key = {"authorization": self._get_token(self.get_credentials())}

Thank you for the review! Fixed

hussein-awala · 2023-07-18T18:46:06Z

You should fix the failed tests before merging, for static checks, here is the doc.

kosteev

LGTM

kosteev · 2023-07-20T07:54:28Z

@potiuk @hussein-awala If it is approved, can we merge this PR?

boring-cyborg · 2023-07-20T14:16:40Z

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

boring-cyborg bot added provider:cncf-kubernetes Kubernetes provider related issues area:providers provider:google Google (including GCP) related issues labels Jul 18, 2023

eladkal requested a review from hussein-awala July 18, 2023 13:09

fdemiane mentioned this pull request Jul 18, 2023

Getting Unauthorized error messages with GKEStartPodOperator if pod execution is over 1 hour #31648

Closed

2 tasks

hussein-awala approved these changes Jul 18, 2023

View reviewed changes

fdemiane added 3 commits July 19, 2023 10:54

Refresh token for sync mode

d77efdf

Add unit test

1a5dce0

PR Comments

823ef13

fdemiane force-pushed the gkeoperatorfix branch from a80c6cf to 823ef13 Compare July 19, 2023 08:54

fdemiane marked this pull request as ready for review July 19, 2023 10:23

kosteev approved these changes Jul 20, 2023

View reviewed changes

potiuk approved these changes Jul 20, 2023

View reviewed changes

potiuk merged commit 848c69a into apache:main Jul 20, 2023
42 checks passed

eladkal mentioned this pull request Jul 29, 2023

Status of testing Providers that were prepared on July 29, 2023 #32936

Closed

69 tasks

This was referenced Feb 19, 2024

Implement token refresh on BigQuery dts run operator to handle the heavy migration jobs over 1 hour #37538

Closed

BigQueryDataTransferServiceStartTransferRunsOperator got Access Denied error on long-running migration jobs. #37557

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Refresh GKE OAuth2 tokens #32673

Refresh GKE OAuth2 tokens #32673

fdemiane commented Jul 18, 2023

hussein-awala left a comment

hussein-awala Jul 18, 2023

fdemiane Jul 19, 2023

hussein-awala commented Jul 18, 2023

kosteev left a comment

kosteev commented Jul 20, 2023

boring-cyborg bot commented Jul 20, 2023

Refresh GKE OAuth2 tokens #32673

Refresh GKE OAuth2 tokens #32673

Conversation

fdemiane commented Jul 18, 2023

hussein-awala left a comment

Choose a reason for hiding this comment

hussein-awala Jul 18, 2023

Choose a reason for hiding this comment

fdemiane Jul 19, 2023

Choose a reason for hiding this comment

hussein-awala commented Jul 18, 2023

kosteev left a comment

Choose a reason for hiding this comment

kosteev commented Jul 20, 2023

boring-cyborg bot commented Jul 20, 2023