Clear auth config when gcp app default credentials fail #46694
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @matt-tyler. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-github-robot
added
size/L
k8s-github-robot
added
the
needs-rebase
| handler := func(res *http.Response) { | ||
| switch res.StatusCode { | ||
| case 401: | ||
| if g.useDefaultTokenSource { |
There was a problem hiding this comment.
I think it also makes sense to purge the cache if we are using a cmd token source, since those are cached in the exact same way.
| switch res.StatusCode { | ||
| case 401: | ||
| if g.useDefaultTokenSource { | ||
| glog.V(4).Infof("The application default credentials that were supplied are invalid for the target cluster") |
There was a problem hiding this comment.
I suggest removing the special casing for default token source and change this log to "The credentials that were supplied..."
|
@k8s-bot ok-to-test |
|
Also @matt-tyler, thanks for the pr and sorry for the long delay reviewing. |
|
@jlowdermilk No worries, I'll find some time and apply the changes necessary to purge the cache for the cmd token source as well. |
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account. This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
matt-tyler
force-pushed
the
bug-gcpauthdefaultcred
branch
from
044079b
to
b920167
Compare
k8s-github-robot
added
size/M
|
@jlowdermilk I've rebased and updated the pull request based on your comments. Let me know if there is any more you would like me to do. |
j3ffml
removed
the
needs-ok-to-test
|
/retest |
j3ffml
added
the
lgtm
|
/retest |
|
@jlowdermilk Is there a reason you're not approving this PR? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jlowdermilk, matt-tyler Associated issue: 38075 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792) |
What this PR does / why we need it:
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account.
This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
Which issue this PR fixes : fixes #38075
Special notes for your reviewer:
Release note: