This repository was archived by the owner on Aug 25, 2025. It is now read-only.

Pinniped Proxy is caching TokenCredentialRequests across clusters #5912

@absoludity


Describe the bug
While investigating #5755 I've found another issue which contributes to the problem, in that our pinniped-proxy service is caching a little too heavily:

I'd set up the cache to cache the TokenCredentialRequest resources - so when a request is received, we construct the TokenCredentialRequest ready to exchange for a cert with pinniped, and if an identical TokenCredentialRequest exists in the cache, that will be returned immediately instead.

What I had not noticed is that the TokenCredentialRequest does not mention or have any info about which cluster, so if the OIDC token is the same, the TCR will be the same for different clusters.

This leads to the user being logged out when attempting to switch clusters.

To Reproduce
Steps to reproduce the behavior:

Exactly what I had described for #5755. I'll update the steps for that separate issue once this fix is in.

Expected behavior
The cache should not be used when switching clusters so that a cert for that cluster is fetched.
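The cache-key collision described in this issue, as an added example that is not part of the original issue and not the pinniped-proxy source. The `Tcr` struct, the `exchange` function, both cache types and the cluster URLs are hypothetical and constructed for illustration; including the API server URL in the key is one possible way to meet the expected behavior, not necessarily the fix the project shipped.

```rust
use std::collections::HashMap;

// Simplified stand-in for a TokenCredentialRequest (hypothetical fields):
// as the issue notes, nothing in it identifies the target cluster.
#[derive(Clone, PartialEq, Eq, Hash)]
struct Tcr { token: String, authenticator: String }

// Hypothetical exchange: the cert is only meaningful for the cluster that issued it.
fn exchange(cluster: &str, tcr: &Tcr) -> String {
    format!("cert-from:{}:for:{}", cluster, tcr.authenticator)
}

// Behaviour described in the issue: the cache is keyed on the request alone.
struct TcrOnlyCache { entries: HashMap<Tcr, String> }
// Cluster-aware variant (assumption): the API server URL is part of the key.
struct ClusterScopedCache { entries: HashMap<(String, Tcr), String> }

impl TcrOnlyCache {
    fn get(&mut self, cluster: &str, tcr: &Tcr) -> String {
        // An identical TCR hits the cache even when `cluster` differs.
        self.entries.entry(tcr.clone()).or_insert_with(|| exchange(cluster, tcr)).clone()
    }
}
impl ClusterScopedCache {
    fn get(&mut self, cluster: &str, tcr: &Tcr) -> String {
        self.entries.entry((cluster.to_string(), tcr.clone()))
            .or_insert_with(|| exchange(cluster, tcr)).clone()
    }
}

// Same OIDC token, two clusters (constructed values). Returns the
// (cluster A, cluster B) certs from each cache.
fn switch_clusters() -> ((String, String), (String, String)) {
    let tcr = Tcr { token: "constructed-oidc-token".into(), authenticator: "jwt-auth".into() };
    let (a, b) = ("https://cluster-a.example:6443", "https://cluster-b.example:6443");
    let mut shared = TcrOnlyCache { entries: HashMap::new() };
    let mut scoped = ClusterScopedCache { entries: HashMap::new() };
    ((shared.get(a, &tcr), shared.get(b, &tcr)), (scoped.get(a, &tcr), scoped.get(b, &tcr)))
}

fn main() {
    let (shared, scoped) = switch_clusters();
    println!("TCR-only key:       {} | {}", shared.0, shared.1);
    println!("cluster-scoped key: {} | {}", scoped.0, scoped.1);
}
```

With the TCR-only key, the second lookup returns cluster A's cert for a request aimed at cluster B, which cluster B will reject.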

Labels: component/pinniped-proxy (Issue related to kubeapps integration with pinniped-proxy), kind/bug (An issue that reports a defect in an existing feature)

Status: ✅ Done
