Don't cache clients that are created (without auth) when app loads. #3338
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Michael Nelson <minelson@vmware.com>
antgamdia
approved these changes
Sep 1, 2021
26 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
One of the most difficult (yet satisfying to find the solution) bugs I've debugged in a long time :P
Our CI for the release was failing only for tests on GKE, but it turned out to be just because the GKE tests are the only ones which use token authentication.
Reproducing the issue locally was tricky at first, because it seemed to go away if you refresh the page (which explained some of the screenshots taken on CI which had errors at first, but passed on refresh).
The issue turned out to be that we were initializing the grpc clients when the app loads. Since there is no auth token present in local storage when the app loads and you're unauthenticated, the clients do not have any authentication metadata. If you re-load after authenticating, no issue. If you're configured with OIDC, this issue is not present since the metadata is added by auth-proxy for requests in-flight.
Benefits
Tests pass when using token auth. Bug fixed when using token auth. Note that it would also mean that if you authed with one token with high privs, refreshed to have things working, logged out and logged in with a low-priv token, you'd still have a client initialized with the high prived token.
Possible drawbacks
microseconds slower? Not sure.
Applicable issues
Additional information