Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pinniped Proxy is caching TokenCredentialRequests across clusters #5912

Closed
absoludity opened this issue Jan 25, 2023 · 0 comments · Fixed by #5913
Closed

Pinniped Proxy is caching TokenCredentialRequests across clusters #5912

absoludity opened this issue Jan 25, 2023 · 0 comments · Fixed by #5913
Assignees
@absoludity
Labels
component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy kind/bug An issue that reports a defect in an existing feature

Comments

@absoludity
Copy link
Contributor

Describe the bug
While investigating #5755 I've found another issue which contributes to the problem, in that our pinniped-proxy service is caching a little too heavily:

I'd setup the cache to cache the TokenCredentialRequest resources - so when a request is received, we construct the TokenCredentialRequest ready to exchange for a cert with pinniped, and if an identical TokenCredentialRequest exists in the cache, that will be returned immediately instead.

What I had not noticed is that the TokenCredentialRequest does not mention or have any info about which cluster, so if the OIDC token is the same, the TCR will be the same for different clusters.

This leads to the user being logged out when attempting to switch clusters.

To Reproduce
Steps to reproduce the behavior:

Exactly what I had described for #5755. I'll update the steps for that separate issue once this fix is in.

Expected behavior
The cache should not be used when switching clusters so that a cert for that cluster is fetched.
@absoludity absoludity added the kind/bug An issue that reports a defect in an existing feature label Jan 25, 2023
@absoludity absoludity self-assigned this Jan 25, 2023
@absoludity absoludity added the component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy label Jan 25, 2023
@github-project-automation github-project-automation bot moved this to 🗂 Backlog in Kubeapps Jan 25, 2023
@absoludity absoludity moved this from 🗂 Backlog to 🏗 In Progress in Kubeapps Jan 25, 2023
@absoludity absoludity mentioned this issue Jan 25, 2023
Merged
absoludity added a commit that referenced this issue Jan 25, 2023
@absoludity
Update the cache used by pinniped proxy to include the k8s api server…
2269c74 
… url. (#5913)

Signed-off-by: Michael Nelson <[email protected]>

<!--
Before you open the request please review the following guidelines and
tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
- Please run any tests or examples that can exercise your modified code.

 Thank you for contributing!
 -->

### Description of the change

Fixes #5912 by including the k8s server url in the cache key.
<!-- Describe the scope of your change - i.e. what the change does. -->

### Benefits

<!-- What benefits will be realized by the code change? -->
Fixes an issue that was causing logouts when switching clusters.

### Possible drawbacks

<!-- Describe any known limitations with your change -->

### Applicable issues

<!-- Enter any applicable Issues here (You can reference an issue using
#) -->

- fixes #5912 

### Additional information

<!-- If there's anything else that's important and relevant to your pull
request, mention that information here.-->

Signed-off-by: Michael Nelson <[email protected]>
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Kubeapps Jan 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@absoludity absoludity

Labels
component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy kind/bug An issue that reports a defect in an existing feature
Projects
Kubeapps
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update the cache used by pinniped proxy to include the k8s api server url. vmware-tanzu/kubeapps
1 participant
@absoludity