-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh GKE OAuth2 tokens #32673
Refresh GKE OAuth2 tokens #32673
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I attempted a similar solution previously, but without using refresh_api_key_hook
. However, I believe that yours should work and resolve the issue. LGTM.
Just a small nit comment
creds = self.get_credentials() | ||
if not GKEPodHook._is_credentials_valid(creds): | ||
GKEPodHook._refresh_token(creds) | ||
configuration.api_key = {"authorization": creds.token} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could always set the api_key and use the _get_token
method, which return the old api_key if it is still valid and a new one if not.
creds = self.get_credentials() | |
if not GKEPodHook._is_credentials_valid(creds): | |
GKEPodHook._refresh_token(creds) | |
configuration.api_key = {"authorization": creds.token} | |
configuration.api_key = {"authorization": self._get_token(self.get_credentials())} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the review! Fixed
You should fix the failed tests before merging, for static checks, here is the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@potiuk @hussein-awala If it is approved, can we merge this PR? |
Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions. |
closes: #31648
When GKEStartPodOperator is taking more than one hour to complete, it is failing with "unauthorised" error messages because the OAuth2 token that was used wasn't being refreshed before API calls.
In this PR we are making sure to refresh expired tokens before API calls to kubernetes.