
Workaround: set long JWT token expiration #1155

Merged
merged 3 commits into main from michaljurecko-jwt-expiration
Jan 25, 2023

Conversation

michaljurecko

Changes:

  • Temporarily increase JWT token TTL.

@@ -168,6 +168,7 @@ func New(ctx context.Context, proc *servicectx.Process, tracer trace.Tracer, end
Username: conf.username, // optional
Password: conf.password, // optional
Logger: etcdLogger,
PermitWithoutStream: true, // always send keep-alive pings
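Review bot: `PermitWithoutStream: true` only takes effect when a keep-alive interval is configured as well (the etcd client passes it to gRPC together with `DialKeepAliveTime`/`DialKeepAliveTimeout`, and skips keep-alive entirely when the interval is zero), and neither setting appears in the visible context of this hunk; confirm they are set in the same `Config` block, otherwise the comment `always send keep-alive pings` does not hold and idle connections still go unprobed.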
So that keep-alive requests are always sent, even when no watch has been set up yet.

ttl: 10m
ttl: 10080m # temporary: https://github.com/etcd-io/etcd/pull/14995
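Review bot: `10080m` is 7 days, so each etcd JWT issued with this setting stays valid for a week instead of ten minutes, and that is the window in which a leaked or replayed token remains usable; the `# temporary` comment links the upstream etcd PR but states no revert condition, so record the tracking issue or a date for restoring `10m` once the client-side retry problem is resolved.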
In etcd-client 3.5.6 some watch retry was added for when the token expired, ... in 3.5.7 it was reverted.
etcd-io/etcd#14995

Until now we had token rotation set to every 10 min.
I'm temporarily setting it to 7 days until I manage to study, simulate and resolve it.

It looks like the worker can't recover after the JWT token rotation.

The result is an ENV change:
[image]
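An added example, not code from this PR or the Keboola project: a small Go check for the etcd `--auth-token` value format that shows up in the CI diffs below (`jwt,priv-key=...,sign-method=RS256,ttl=...`). It parses the comma-separated options and flags a JWT TTL longer than a policy maximum, so a temporary 7-day TTL cannot silently become permanent; the maximum is a parameter you choose, nothing on the page states one.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthTokenSpec is a parsed etcd --auth-token value, e.g. "jwt,priv-key=/path/jwt-token.pem,sign-method=RS256,ttl=10080m".
type AuthTokenSpec struct {
	Type string            // token type: "jwt" or "simple"
	Opts map[string]string // key=value options following the type
	TTL  time.Duration     // parsed "ttl" option, zero when absent
}

// ParseAuthToken splits the comma-separated spec: the first field is the type,
// the rest are key=value options; ttl uses Go duration syntax ("10m", "10080m").
func ParseAuthToken(spec string) (AuthTokenSpec, error) {
	fields := strings.Split(spec, ",")
	out := AuthTokenSpec{Type: strings.TrimSpace(fields[0]), Opts: map[string]string{}}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(strings.TrimSpace(f), "=")
		if !ok || k == "" {
			return out, fmt.Errorf("malformed option %q", f)
		}
		out.Opts[k] = v
	}
	if ttl, ok := out.Opts["ttl"]; ok {
		d, err := time.ParseDuration(ttl)
		if err != nil {
			return out, fmt.Errorf("bad ttl %q: %w", ttl, err)
		}
		out.TTL = d
	}
	return out, nil
}

// CheckTTL fails when a jwt TTL is missing or longer than limit: a leaked or
// replayed token stays usable for the whole TTL, so CI should flag long ones.
func CheckTTL(spec AuthTokenSpec, limit time.Duration) (bool, string) {
	switch {
	case spec.Type != "jwt":
		return true, "not a jwt token type, ttl not applicable"
	case spec.TTL == 0:
		return false, "jwt ttl not set, etcd built-in default applies"
	case spec.TTL > limit:
		return false, fmt.Sprintf("ttl %s exceeds policy maximum %s", spec.TTL, limit)
	}
	return true, fmt.Sprintf("ttl %s within policy maximum %s", spec.TTL, limit)
}
```

Run it against the rendered StatefulSet env value in CI; with a one-hour limit the `ttl=10080m` value from this PR fails the check while the previous `ttl=10m` passes.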

@github-actions

Templates API Kubernetes Diff [CI]

Between base 3ef7c90 ⬅️ head 3dbce31.

--- /tmp/artifacts/test-k8s-state.old.json.processed.kv	2023-01-25 12:24:08.125034542 +0000
+++ /tmp/artifacts/test-k8s-state.new.json.processed.kv	2023-01-25 12:24:08.413036246 +0000
@@ -195 +195 @@
-<Deployment/templates-api>.spec.template.spec.containers[0].image = "docker.io/keboola/templates-api:3ef7c90";
+<Deployment/templates-api>.spec.template.spec.containers[0].image = "docker.io/keboola/templates-api:3dbce31";
@@ -707,3 +707,3 @@
-<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3ef7c90";
-<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3ef7c90";
-<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3ef7c90";
+<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3dbce31";
+<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3dbce31";
+<Pod/templates-api-<hash>>.spec.containers[0].image = "docker.io/keboola/templates-api:3dbce31";
@@ -1080 +1080 @@
-<Pod/templates-api-etcd-0>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10...
+<Pod/templates-api-etcd-0>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10...
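Review bot: the processed-state diff truncates the env[13] value at `ttl=10...`, so the 10m to 10080m change this PR is about is not visible in this hunk; verify it in the full artifact rather than from this view.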
@@ -1364 +1364 @@
-<ReplicaSet/templates-api-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/templates-api:3ef7c90";
+<ReplicaSet/templates-api-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/templates-api:3dbce31";
@@ -1437,0 +1438,12 @@
+<Secret/sh.helm.release.v1.templates-api-etcd.v2> = {};
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.apiVersion = "v1";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.data = {};
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.kind = "Secret";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata = {};
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.labels = {};
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.labels.name = "templates-api-etcd";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.labels.owner = "helm";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.labels.version = "2";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.name = "sh.helm.release.v1.templates-api-etcd.v2";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.metadata.namespace = "templates-api";
+<Secret/sh.helm.release.v1.templates-api-etcd.v2>.type = "helm.sh/release.v1";
@@ -1629 +1641 @@
-<StatefulSet/templates-api-etcd>.spec.template.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign...
+<StatefulSet/templates-api-etcd>.spec.template.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign...


(see artifacts in the Github Action for more information)

@github-actions

Buffer Kubernetes Diff [CI]

Between base 3ef7c90 ⬅️ head 3dbce31.

--- /tmp/artifacts/test-k8s-state.old.json.processed.kv	2023-01-25 12:29:06.871771363 +0000
+++ /tmp/artifacts/test-k8s-state.new.json.processed.kv	2023-01-25 12:29:07.151771150 +0000
@@ -210 +210 @@
-<Deployment/buffer-api>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-api:3ef7c90";
+<Deployment/buffer-api>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-api:3dbce31";
@@ -360 +360 @@
-<Deployment/buffer-worker>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-worker:3ef7c90";
+<Deployment/buffer-worker>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-worker:3dbce31";
@@ -423 +423 @@
-<Endpoints/buffer-etcd-headless>.subsets[0].addresses[0].hostname = "buffer-etcd-0";
+<Endpoints/buffer-etcd-headless>.subsets[0].addresses[0].hostname = "buffer-etcd-2";
@@ -427 +427 @@
-<Endpoints/buffer-etcd-headless>.subsets[0].addresses[0].targetRef.name = "buffer-etcd-0";
+<Endpoints/buffer-etcd-headless>.subsets[0].addresses[0].targetRef.name = "buffer-etcd-2";
@@ -437 +437 @@
-<Endpoints/buffer-etcd-headless>.subsets[0].addresses[2].hostname = "buffer-etcd-2";
+<Endpoints/buffer-etcd-headless>.subsets[0].addresses[2].hostname = "buffer-etcd-0";
@@ -441 +441 @@
-<Endpoints/buffer-etcd-headless>.subsets[0].addresses[2].targetRef.name = "buffer-etcd-2";
+<Endpoints/buffer-etcd-headless>.subsets[0].addresses[2].targetRef.name = "buffer-etcd-0";
@@ -472 +472 @@
-<Endpoints/buffer-etcd>.subsets[0].addresses[0].targetRef.name = "buffer-etcd-0";
+<Endpoints/buffer-etcd>.subsets[0].addresses[0].targetRef.name = "buffer-etcd-2";
@@ -484 +484 @@
-<Endpoints/buffer-etcd>.subsets[0].addresses[2].targetRef.name = "buffer-etcd-2";
+<Endpoints/buffer-etcd>.subsets[0].addresses[2].targetRef.name = "buffer-etcd-0";
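Review bot: the six Endpoints hunks above only swap the positions of `buffer-etcd-0` and `buffer-etcd-2` in the address list (hostname and targetRef.name); that is pod restart ordering from the rollout, not a configuration change, so nothing to review here.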
@@ -811,2 +811,2 @@
-<Pod/buffer-api-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-api:3ef7c90";
-<Pod/buffer-api-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-api:3ef7c90";
+<Pod/buffer-api-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-api:3dbce31";
+<Pod/buffer-api-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-api:3dbce31";
@@ -1078 +1078 @@
-<Pod/buffer-etcd-0>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m";...
+<Pod/buffer-etcd-0>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10080m";�...
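Review bot: this hunk shows the effective change on the running pod, `ttl=10m` to `ttl=10080m`; the trailing `�` on the new value line looks like an encoding artifact of the truncated diff output rather than part of the env value, but confirm in the full artifact that the rendered string ends cleanly after `10080m"`.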
@@ -1108 +1108 @@
-<Pod/buffer-etcd-0>.spec.containers[0].env[21].value = "new";
+<Pod/buffer-etcd-0>.spec.containers[0].env[21].value = "existing";
@@ -1315 +1315 @@
-<Pod/buffer-etcd-1>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m";...
+<Pod/buffer-etcd-1>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10080m";�...
@@ -1345 +1345 @@
-<Pod/buffer-etcd-1>.spec.containers[0].env[21].value = "new";
+<Pod/buffer-etcd-1>.spec.containers[0].env[21].value = "existing";
@@ -1552 +1552 @@
-<Pod/buffer-etcd-2>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m";...
+<Pod/buffer-etcd-2>.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10080m";�...
@@ -1582 +1582 @@
-<Pod/buffer-etcd-2>.spec.containers[0].env[21].value = "new";
+<Pod/buffer-etcd-2>.spec.containers[0].env[21].value = "existing";
@@ -1894,2 +1894,2 @@
-<Pod/buffer-worker-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-worker:3ef7c90";
-<Pod/buffer-worker-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-worker:3ef7c90";
+<Pod/buffer-worker-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-worker:3dbce31";
+<Pod/buffer-worker-<hash>>.spec.containers[0].image = "docker.io/keboola/buffer-worker:3dbce31";
@@ -2163 +2163 @@
-<ReplicaSet/buffer-api-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-api:3ef7c90";
+<ReplicaSet/buffer-api-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-api:3dbce31";
@@ -2320 +2320 @@
-<ReplicaSet/buffer-worker-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-worker:3ef7c90";
+<ReplicaSet/buffer-worker-<hash>>.spec.template.spec.containers[0].image = "docker.io/keboola/buffer-worker:3dbce31";
@@ -2378,0 +2379,12 @@
+<Secret/sh.helm.release.v1.buffer-etcd.v2> = {};
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.apiVersion = "v1";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.data = {};
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.kind = "Secret";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata = {};
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.labels = {};
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.labels.name = "buffer-etcd";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.labels.owner = "helm";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.labels.version = "2";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.name = "sh.helm.release.v1.buffer-etcd.v2";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.metadata.namespace = "buffer";
+<Secret/sh.helm.release.v1.buffer-etcd.v2>.type = "helm.sh/release.v1";
@@ -2541 +2553 @@
-<StatefulSet/buffer-etcd>.spec.template.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method...
+<StatefulSet/buffer-etcd>.spec.template.spec.containers[0].env[13].value = "jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method...
@@ -2571 +2583 @@
-<StatefulSet/buffer-etcd>.spec.template.spec.containers[0].env[21].value = "new";
+<StatefulSet/buffer-etcd>.spec.template.spec.containers[0].env[21].value = "existing";
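Review bot: env[21] changes from "new" to "existing" on the StatefulSet and on all three etcd pods; that is a cluster-state setting the PR description (`Temporary increase JWT token TTL`) does not mention, so confirm it is an expected side effect of the Helm release moving from v1 to v2 (new release secret in the hunk above) rather than an unrelated change riding along with the TTL workaround.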


(see artifacts in the Github Action for more information)

@michaljurecko michaljurecko marked this pull request as ready for review January 25, 2023 12:30
@michaljurecko michaljurecko merged commit c0bb661 into main Jan 25, 2023
@michaljurecko michaljurecko deleted the michaljurecko-jwt-expiration branch January 25, 2023 12:42