From 0eb796cda3efccb0134245c744447f3be0efbe88 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Fri, 7 Nov 2025 17:59:56 +0100 Subject: [PATCH 1/3] Fix race condition in bearertokenauth extension, the dobule removal of watcher Signed-off-by: Pavol Loffay --- .../bearertokenauth.go | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/extension/bearertokenauthextension/bearertokenauth.go b/extension/bearertokenauthextension/bearertokenauth.go index 4a3455d3c567..edbdc51edf8c 100644 --- a/extension/bearertokenauthextension/bearertokenauth.go +++ b/extension/bearertokenauthextension/bearertokenauth.go @@ -10,6 +10,7 @@ import ( "fmt" "net/http" "os" + "path/filepath" "strings" "sync/atomic" @@ -106,7 +107,10 @@ func (b *bearerTokenAuth) Start(ctx context.Context, _ component.Host) error { // start file watcher go b.startWatcher(ctx, watcher) - return watcher.Add(b.filename) + // Watch the parent directory instead of the file directly to handle atomic replacements + // This eliminates race conditions with fsnotify when files are atomically replaced + watchDir := filepath.Dir(b.filename) + return watcher.Add(watchDir) } func (b *bearerTokenAuth) startWatcher(ctx context.Context, watcher *fsnotify.Watcher) { @@ -122,22 +126,20 @@ func (b *bearerTokenAuth) startWatcher(ctx context.Context, watcher *fsnotify.Wa if !ok { continue } - // NOTE: k8s configmaps uses symlinks, we need this workaround. - // original configmap file is removed. - // SEE: https://martensson.io/go-fsnotify-and-kubernetes-configmaps/ - if event.Op == fsnotify.Remove || event.Op == fsnotify.Chmod { - // remove the watcher since the file is removed - if err := watcher.Remove(event.Name); err != nil { - b.logger.Error(err.Error()) - } - // add a new watcher pointing to the new symlink/file - if err := watcher.Add(b.filename); err != nil { - b.logger.Error(err.Error()) - } - b.refreshToken() + + // Only process events for our target file by filtering events + // Since we're watching the parent directory, we get events for all files in it + if event.Name != b.filename { + continue } - // also allow normal files to be modified and reloaded. - if event.Op == fsnotify.Write { + + // Handle file events for our target file + // Since we're watching the directory, we don't need to manage watch add/remove + // The directory watch persists even when files are atomically replaced + if event.Op&fsnotify.Write == fsnotify.Write || + event.Op&fsnotify.Create == fsnotify.Create || + event.Op&fsnotify.Remove == fsnotify.Remove || + event.Op&fsnotify.Chmod == fsnotify.Chmod { b.refreshToken() } } From 4e122033815f3d98190b9ec474b35b09d6cae207 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Fri, 7 Nov 2025 18:05:10 +0100 Subject: [PATCH 2/3] Fix race condition in bearertokenauth extension, the dobule removal of watcher Signed-off-by: Pavol Loffay --- .chloggen/bearertoken-fix-race-condition.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .chloggen/bearertoken-fix-race-condition.yaml diff --git a/.chloggen/bearertoken-fix-race-condition.yaml b/.chloggen/bearertoken-fix-race-condition.yaml new file mode 100644 index 000000000000..3f5090169f13 --- /dev/null +++ b/.chloggen/bearertoken-fix-race-condition.yaml @@ -0,0 +1,27 @@ +# Use this changelog template to create an entry for release notes. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: bug_fix + +# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog) +component: extension/bearertokenauth + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Remove error messages `fsnotify: can't remove non-existent watch` when watching kubernetes SA tokens. + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +issues: [44104] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: + +# If your change doesn't affect end users or the exported elements of any package, +# you should instead start your pull request title with [chore] or use the "Skip Changelog" label. +# Optional: The change log or logs in which this entry should be included. +# e.g. '[user]' or '[user, api]' +# Include 'user' if the change is relevant to end users. +# Include 'api' if there is a change to a library API. +# Default: '[user]' +change_logs: [user] From 7eedca5db9d980a2dd5790451b4e69c87f5636f6 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Mon, 10 Nov 2025 10:49:18 +0100 Subject: [PATCH 3/3] Fix changelog Signed-off-by: Pavol Loffay --- .chloggen/bearertoken-fix-race-condition.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chloggen/bearertoken-fix-race-condition.yaml b/.chloggen/bearertoken-fix-race-condition.yaml index 3f5090169f13..c01327c4bf30 100644 --- a/.chloggen/bearertoken-fix-race-condition.yaml +++ b/.chloggen/bearertoken-fix-race-condition.yaml @@ -7,7 +7,7 @@ change_type: bug_fix component: extension/bearertokenauth # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: Remove error messages `fsnotify: can't remove non-existent watch` when watching kubernetes SA tokens. +note: "Remove error messages `fsnotify: can't remove non-existent watch` when watching kubernetes SA tokens." # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. issues: [44104]