[extension/bearertokenauth] Fix token file refresh for Kubernetes projected volumes

[grelland]

Description

Fixes a bug which caused token file refresh to break completely for files backed by Kubernetes projected volumes (ConfigMaps, Secrets, serviceAccountTokens).
The bug is a regression introduced in #44104, which removed a crucial and very specifically documented workaround for this particular case. This has resulted in token files backed by projected volumes ("double symlinks") not refreshing at all.

I have encountered this issue in production (v0.144.0), and am also able to reproduce it consistently. The last well-behaving version seems to be v0.138.0. Applying this PR fixes the issue for my reproduction.

The fix is mostly a revert to the previous code, but with a couple of notable changes:

• The event handler now uses bit masking to decode the fs events (this was also done in the buggy changeset)
• The error indicating the double removal of the watcher is now ignored in the event handler

Note: as with the previous implementation, on some systems there is the potential for receiving two discrete events in quick succession. This causes the token to be refreshed twice.
Even if this is not-so-nice, it's really just a tiny read and store operation and should have negligible impact. One could perhaps introduce a simple debounce mechanism (with, say, 1s delay) to smooth it over, but I consider that out-of-scope for this PR.

Testing

Added TestBearerTokenFileTokenRotationWithSymlink which simulates the "atomic swap" behaviour of Kubernetes projected volumes on Linux. The test failed before, and passes after the fix is applied. Notably this test is only really applicable on Linux, and will pass in both cases on MacOS (don't know about Windows) due to difference in behaviours between kqueue and inotify.

The bug itself was easily reproducible by running the latest version of otelcollector-contrib in a local kind cluster, configured with reading the token from a ConfigMap-backed volume. On the pre-fix collector the changes to the ConfigMap are not picked up and the token is thus never updated, whilst it works as expected with the fix applied.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: grelland / name: Halvdan Hoem Grelland (69ca2fa, 9733cdb, ba3d883, d65e8f9, e7950c4)

[github-actions]

Welcome, contributor! Thank you for your contribution to opentelemetry-collector-contrib.

Important reminders:

• Please review our Contributing Guidelines.
• Don't forget to sign the Contributor License Agreement (CLA) if you haven't already.

A maintainer will review your pull request soon. Thank you for helping make OpenTelemetry better!

[dmitryax]

@grelland thanks for fixing it. Please take a look at the failing tests.

@pavolloffay can you please review this?

[grelland]

@grelland thanks for fixing it. Please take a look at the failing tests.

Fixed by skipping the test on Windows. The atomic symlink swap scenario is not possible on Windows (and the kubelet falls back to a non-atomic remove+create strategy).

[grelland]

@dmitryax 👋 Can someone approve running the test suite and also have a look at this?
We're currently blocked from upgrading past v0.138.0 due to this bug, so would be great to get it moving. Thanks!

[Aneurysm9]

I believe #46470 should render this PR obsolete as the fix it provides was included in the common helper shipped in #46227. Thanks again @grelland!

[grelland]

@Aneurysm9 I guess so. @MovieStoreGuy Should I close this one?

[MovieStoreGuy]

@Aneurysm9 I guess so. @MovieStoreGuy Should I close this one?

Yeah, looking at the PR @Aneurysm9 raised, this change would not be needed and be consistent experience across all usages.