[receiver/kubeletstats] fix client to refresh service account tokens (#…
…26316)

Support refreshing service account tokens in the client used to communicate with kubelet

**Link to tracking Issue:** #26120
jinja2 authored Sep 5, 2023
1 parent 13475cd commit fa5b2a0
Showing 5 changed files with 149 additions and 51 deletions.
27 changes: 27 additions & 0 deletions .chloggen/kubelet-client-refresh-token.yaml
@@ -0,0 +1,27 @@
# Use this changelog template to create an entry for release notes.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: bug_fix

# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
component: receiver/kubeletstats

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: "Fixes client to refresh service account token when authenticating with kubelet"

# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
issues: [26120]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:

# If your change doesn't affect end users or the exported elements of any package,
# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
# Optional: The change log or logs in which this entry should be included.
# e.g. '[user]' or '[user, api]'
# Include 'user' if the change is relevant to end users.
# Include 'api' if there is a change to a library API.
# Default: '[user]'
change_logs: [user]
22 changes: 20 additions & 2 deletions internal/kubelet/client.go
Expand Up @@ -15,6 +15,7 @@ import (

"go.uber.org/zap"
"k8s.io/client-go/rest"
"k8s.io/client-go/transport"

"github.com/open-telemetry/opentelemetry-collector-contrib/internal/common/sanitize"
"github.com/open-telemetry/opentelemetry-collector-contrib/internal/k8sconfig"
Expand Down Expand Up @@ -165,9 +166,26 @@ func (p *saClientProvider) BuildClient() (Client, error) {
}
tr := defaultTransport()
tr.TLSClientConfig = &tls.Config{
RootCAs: rootCAs,
RootCAs: rootCAs,
InsecureSkipVerify: true,
}
endpoint, err := buildEndpoint(p.endpoint, true, p.logger)
if err != nil {
return nil, err
}
rt, err := transport.NewBearerAuthWithRefreshRoundTripper(string(tok), p.tokenPath, tr)
if err != nil {
return nil, err
}
return defaultTLSClient(p.endpoint, true, rootCAs, nil, tok, p.logger)

return &clientImpl{
baseURL: endpoint,
httpClient: http.Client{
Transport: rt,
},
tok: nil,
logger: p.logger,
}, nil
}

func defaultTLSClient(
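Review bot: The new `tls.Config` in BuildClient hard-codes `InsecureSkipVerify: true` next to `RootCAs: rootCAs`, which turns off certificate-chain and host-name verification, so the CA pool has no effect and the bearer token read from `p.tokenPath` is sent to whichever endpoint completes the TLS handshake. Drop the line so the pool is enforced (`tr.TLSClientConfig = &tls.Config{RootCAs: rootCAs}`), or, if kubelets whose certificates are not signed by that CA must stay reachable, expose it as an explicit setting on the provider that defaults to false. The removed call passed `true` as the second argument of `defaultTLSClient`, whose signature is outside this hunk, so verification may already have been skipped before this change; either way the choice deserves a comment stating why it is acceptable. BuildClient starts above the hunk, so how `rootCAs` and `tok` are loaded is not visible here.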
24 changes: 19 additions & 5 deletions internal/kubelet/client_test.go
Expand Up @@ -9,6 +9,7 @@
package kubelet

import (
"crypto/tls"
"crypto/x509"
"errors"
"io"
Expand Down Expand Up @@ -102,15 +103,29 @@ func TestDefaultTLSClient(t *testing.T) {
}

func TestSvcAcctClient(t *testing.T) {
server := httptest.NewUnstartedServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
// Check if call is authenticated using token from test file
require.Equal(t, req.Header.Get("Authorization"), "Bearer s3cr3t")
_, err := rw.Write([]byte(`OK`))
require.NoError(t, err)
}))
cert, err := tls.LoadX509KeyPair("./testdata/testcert.crt", "./testdata/testkey.key")
require.NoError(t, err)
server.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
server.StartTLS()
defer server.Close()

p := &saClientProvider{
endpoint: "localhost:9876",
caCertPath: certPath,
endpoint: server.Listener.Addr().String(),
caCertPath: "./testdata/testcert.crt",
tokenPath: "./testdata/token",
logger: zap.NewNop(),
}
cl, err := p.BuildClient()
client, err := p.BuildClient()
require.NoError(t, err)
require.Equal(t, "s3cr3t", string(cl.(*clientImpl).tok))
resp, err := client.Get("/")
require.NoError(t, err)
require.Equal(t, []byte(`OK`), resp)
}

func TestNewKubeConfigClient(t *testing.T) {
Expand Down Expand Up @@ -268,7 +283,6 @@ func TestBuildReq(t *testing.T) {
req, err := cl.(*clientImpl).buildReq("/foo")
require.NoError(t, err)
require.NotNil(t, req)
require.Equal(t, req.Header["Authorization"][0], "bearer s3cr3t")
}

func TestBuildBadReq(t *testing.T) {
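Review bot: TestSvcAcctClient would pass whether or not the client validates the server certificate, because the BuildClient change in client.go on this page sets `InsecureSkipVerify: true`, so the `caCertPath` supplied here is never used for verification. A second case that points `caCertPath` at a CA that did not sign `./testdata/testcert.crt` and expects `client.Get("/")` to return an error would pin the TLS behaviour down. The handler's `require.Equal` runs on the test server's goroutine, where a failure calls `t.FailNow` off the test goroutine; recording the header and asserting after `client.Get("/")` avoids that, with the expected value first: `require.Equal(t, "Bearer s3cr3t", gotAuth)`. The test also checks only the token's initial value, so the refresh behaviour the commit is about is not exercised; if that is impractical to test here, a comment saying so would help the next reader.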
48 changes: 31 additions & 17 deletions internal/kubelet/testdata/testcert.crt
@@ -1,19 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIDLDCCAhSgAwIBAgIJAO8ClxUckM5xMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV
BAYTAk9UMRYwFAYDVQQIDA1PcGVuVGVsZW1ldHJ5MRAwDgYDVQQHDAdTZXJ2aWNl
MRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMjAwNTA2MDAzMTQ0WhcNMjEwNTA2MDAz
MTQ0WjBLMQswCQYDVQQGEwJPVDEWMBQGA1UECAwNT3BlblRlbGVtZXRyeTEQMA4G
A1UEBwwHU2VydmljZTESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAyVL12RmIXJP/K1wkGDW2k9OKvmP/kX0w2iPEZ7f0
3kUvDpAUjGHr3FnnOYYmxQU+gXK0g/pRupNh5n4GuzFGbQNEAl1V+dmAB5w/yX3p
SSZVZmsIRRgTVRd1501mDNqRS6aOy8+PhFUF7rI6V5KBaizLch6ojOtDSouUTnRI
9o47WSeyVALHFllm1BYlCBoiSZ/ZX2BJOteJ/9fawPQzVMSmNOQcymRiHqeBlhlI
gIPFEOh68oJScGNRVin0tnxfUr7eO+cR3iC20aCUXsL3Yq1KKXrxD3/0T8ICK5DM
qWj4gKC4CVlIF68zvVWD/jKSR9u9Gs+aRxA2ZHF+scsHgQIDAQABoxMwETAPBgNV
HREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQA2DT7VxpFLCqc0FHW16yZ9
/9fQChEN5IBe6mjbysjeYhef8w7xP03wl6SwFXFpTQDFqz6KdolH+Zl4gm6MsrsX
nQNP8fkHfNtHr+28JPDPWC5aWx5xfdQ4ybfeEV+xdNmrKeKGOcQ+Nmjcx06ysy0J
OSjOBwyTvlCIOF5AnafFuCk81EnbMLQeIvsfudXTAi0aw6HMmS2UgmGUcwGsFDRt
Xx1n1nLclK73f2a9mrzrh1s3lMom1FLaZ8fRecB9cVZJAHdw7RDtkG0qFf+v9Hk0
y8JKVfSmRIveHz62a/61T36VSKIO0qksdR4wEPCjADsdpagVMrwjyu8qShLFXRkn
MIIFuDCCA6CgAwIBAgIUX6gHrM+cXSsdSQTFUTl7ISB8xoYwDQYJKoZIhvcNAQEL
BQAwYzELMAkGA1UEBhMCT1QxFjAUBgNVBAgMDU9wZW50ZWxlbWV0cnkxEDAOBgNV
BAcMB1NlcnZpY2UxFjAUBgNVBAoMDU9wZW50ZWxlbWV0cnkxEjAQBgNVBAMMCTEy
Ny4wLjAuMTAeFw0yMzA4MzAxNTQ5MTJaFw0zMzA4MjcxNTQ5MTJaMGMxCzAJBgNV
BAYTAk9UMRYwFAYDVQQIDA1PcGVudGVsZW1ldHJ5MRAwDgYDVQQHDAdTZXJ2aWNl
MRYwFAYDVQQKDA1PcGVudGVsZW1ldHJ5MRIwEAYDVQQDDAkxMjcuMC4wLjEwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQD1bq9pqg6CYsAYfB1OIK1sj8kc
Ia1wCVEJ+fr7Mw+DmDR3nEto6W+2+JU5n2FZWGrV8mPztJVd9WdMXEsJTVC/gNX1
92X8YmiJOWzfglalYzWO9LJn9hrdgS56j0F++MXRNDgouZNlRXfU7dYErn3x6NIe
DaIoAGep6ekO5JyW0AjeuVw+Th9kT0CThzCRwB3CpPmKD0Zwt3mAgsDDTlN6PopR
fmeeDQ9tiiA33uVOfXQfmXcXfoUYr1E4JmuO+OrjR4xoFRfvvSJW8cqCm6TZi5k0
lfKC23lso3r6qojIMGHTOhjxuPuY5kMSq8RrtnjIB8l2ulcDZWSnKTqiOmkwThBe
uHuOCsGbjt9YEeF/7LRU+R02G5Ybt3PWnHiUlNzuZkbeCqrQ2/LJLhiGPQ/+D2LT
i9D0Vc2TsswhCz+5UpyvJe4/CDuR5oeniVoyVpN9wxyUDG80c7H0tOYAp/BTptjy
ASGjr7Iq2RMpsP12dyjbIxalYBQdlyoSjfnNnf4knHFtum7DzyDc6e0/tY5vzetA
7ij+k8+S19PLOrEw/BVSlC34xa/epcsLgxWh4wSCBs6h5Eg0Rgvh6riPdoAHOUb1
U33WAIUmSk2JqUqrVCtoV/4B6WMzbuwH0tFJkVTcXs6jDsR77wrhIsv8zXRzt+ar
XT+b61pFf9EJVeizSQIDAQABo2QwYjAdBgNVHQ4EFgQUep0QJqlnV6W2WHfHu6sM
fIPQWdswHwYDVR0jBBgwFoAUep0QJqlnV6W2WHfHu6sMfIPQWdswDwYDVR0TAQH/
BAUwAwEB/zAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4ICAQDTTYkH
+L7LZDAbFQ9XaWs12NtvR+BzWNAWtY06KEy/Bxd/me2fi1UjdQDjSMQCQjeRyVXZ
Xj6hJmZ+CFsdKpl1v7i9CxmHPyUUGrm2C+pYxeG9gg7e682FfKnSH9pTmD1SowSR
6vX30PWJcgizhXrnrvNjZCZFie6lbDmsmkIu2ZCtJonaNUWuSA3uX2ZYQhGCgimJ
+T6G5wKlJUcpT2QgI7I3qqijc8a76wvQbqW3hdsquygiugcI0d9riyuH/GuwtHUy
JTTef5BSGkt+oVqXHsfsRmM+BHQQh46dDaRcECKDi2kHLIF1SfonrWf7Z1hIVbec
i58GNs4oXP1HDG97Uz8hw6prn1tWJFjjhev990WWWPSW3NFuPkoZ3Q1CGU15IRI7
ezcIIDkcOyqsCGgHjQYFMdSiBgXXBf7xxN6e1byvTJQLppz51rShd1yFuWZ7Ca5X
5D4TfI6F/KSYSt07F6YhfjOkUsItwaYNLEO0CA4dP01mbh+Nu2VgRLxsgKKQoHhY
Ru55HmjEkE8Bq+jOQ52f2eFPmuDyxt4fm+RrqNr6GblVypmUSZneJclkcVSa5uIT
Dnze9zEN9yorfK+75tzVN2/B4tA4UtQ2/Osqcw/fLgYQOacK24EYeeCJmOAI+4Ym
+aF1tP4s2ptfLFm0lDgVlGr1j6UDIV3RClraVA==
-----END CERTIFICATE-----
79 changes: 52 additions & 27 deletions internal/kubelet/testdata/testkey.key
@@ -1,27 +1,52 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyVL12RmIXJP/K1wkGDW2k9OKvmP/kX0w2iPEZ7f03kUvDpAU
jGHr3FnnOYYmxQU+gXK0g/pRupNh5n4GuzFGbQNEAl1V+dmAB5w/yX3pSSZVZmsI
RRgTVRd1501mDNqRS6aOy8+PhFUF7rI6V5KBaizLch6ojOtDSouUTnRI9o47WSey
VALHFllm1BYlCBoiSZ/ZX2BJOteJ/9fawPQzVMSmNOQcymRiHqeBlhlIgIPFEOh6
8oJScGNRVin0tnxfUr7eO+cR3iC20aCUXsL3Yq1KKXrxD3/0T8ICK5DMqWj4gKC4
CVlIF68zvVWD/jKSR9u9Gs+aRxA2ZHF+scsHgQIDAQABAoIBAG/6OMw8K2By4ObZ
JSpiFd87NlyXejsOCvIKGuAlrYlDqdzLvuImRO4XA0k3mLDVLeMKTeVqgbLo7vco
+c18ptNTkaxPBdcmZtPU0JXd9re9HpsMxVjI/1fA6M9yeWSE3XPafGpYVFcig140
u8ahsmG/8JjU/KME6DS6Vg8dFsgrb0aJypv1VxA2n4xeWkbwVdniTlny4LFhwvvk
P4dgnGNhUHkeet+re9YZEkXJbNp9hXP/wdEwLJ5tUNI/exngxQaAJ6fP2e1htFoJ
a8TGTwjEwRIAocjI8ieHnUO4lARF8uhEzhSadtZNZvKgbNpE5xJNl9OH9pkQTjo2
4CLOxpECgYEA8ZbV2o1EcdCKvIWAYhYbBHYe2gadcnO04gtA1bbGk/+YtzaiS20W
zq2qKDhrQJ6sCFe17CN9hM0gdkpsyS1nLtR3F3MVacYe8STh7BD61E5ens+wDWJU
zva3bS1CRMPthZ+i0xc4AOgXDZewD1rxb8rvT5SeXYRZGkvyh9TAzocCgYEA1VVC
lLy3EG/geiMAWd+FnTwWnMViGb8rDY03vJDSKEes9b8HqwEPsX0I3TVeyyYBM3Te
sPYqJxBFh5afU8DYhNue9UbJKSN4j1jg43pK58i99LT+lGRAVaJZLVbsWiEF3MwX
8muCtELAT7j9648oEUX4sF/nnz422Q0VPRS5s7cCgYAqrDHqALnuQJ/A3PPoX282
QocAi9qTtMxmgQZauYYp7iPTeNsB56r3psU/hXesWlqYvqVrqHkrU/A/9LVyc4qe
QvkmMzW9ETm17oXZZMZpac5czuKR+qRwSjPsHOpvqwvxZlkkYB2MS3KG/BwlGjM7
Q+UxcVbnvdDfTDrysym7UQKBgQDFeVPVjM7EZ1tak7XKe68aOjoQSmIhxSTcOYGD
imcPJDIFlRxK/gOB32TqJ3IlCHwKHr/Y/TVNzbEe7p1zkMqcSRPepfSloREDWFls
GJLn9ZlowHX79MTcwBhecNz+HR1pIn90RnLJ3BRad7qMZ4rGWof28//bF2L8DjE/
xkSUBwKBgQCAki3+tscHa1ZQ+VZmvTeQ9gwNZt+cm0FzavhjnvWZAKCrKwg+MvAN
BifZjKsPK7u9u1QGuPP0Zn/Zw3VoMlrC/Paa/OZzwTtb2yN824wbMo0Qvm5WciS7
DXyNy887h1NLGEyMh6rGUutmI6OPf8WaLqcxrz16dhtr9+N6YDZ/tQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
