authorDylan Griffith <dyl.griffith@gmail.com>2019-06-21 15:13:54 +1000
committerDylan Griffith <dyl.griffith@gmail.com>2019-06-21 16:36:34 +1000
commit4855667dad5d1ff61725bebf0683f0491bffc87c (patch)
tree3b9b91f386c815ae6124480d52d756574abc2ca7 /app/services/clusters/gcp
parent148516ba36855095fa995c2d4e8077919cdb6db6 (diff)
Retry fetching Kubernetes Secret token
Since Kubernetes creates the Secret and token asynchronously, it is necessary that we implement some delay or retrying logic to avoid a race condition where we fetch a Secret before the token is even set. There does not appear to be any way for us to force it to be set with any synchronous API call, so retrying seems to be the only option.
Diffstat (limited to 'app/services/clusters/gcp')
-rw-r--r--app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb19
1 files changed, 16 insertions, 3 deletions
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 4ad04ab801e..5d9bdc52d37 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,17 +4,30 @@ module Clusters
module Gcp
module Kubernetes
class FetchKubernetesTokenService
+ DEFAULT_TOKEN_RETRY_DELAY = 5.seconds
+ TOKEN_RETRY_LIMIT = 5
+
attr_reader :kubeclient, :service_account_token_name, :namespace
- def initialize(kubeclient, service_account_token_name, namespace)
+ def initialize(kubeclient, service_account_token_name, namespace, token_retry_delay: DEFAULT_TOKEN_RETRY_DELAY)
@kubeclient = kubeclient
@service_account_token_name = service_account_token_name
@namespace = namespace
+ @token_retry_delay = token_retry_delay
end
def execute
- token_base64 = get_secret&.dig('data', 'token')
- Base64.decode64(token_base64) if token_base64
+ # Kubernetes will create the Secret and set the token asynchronously
+ # so it is necessary to retry
+ # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller
+ TOKEN_RETRY_LIMIT.times do
+ token_base64 = get_secret&.dig('data', 'token')
+ return Base64.decode64(token_base64) if token_base64
+
+ sleep @token_retry_delay
+ end
+
+ nil
end
private
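Review bot: The `sleep @token_retry_delay` inside the `TOKEN_RETRY_LIMIT.times` block of `execute` also runs after the fifth failed attempt, so an exhausted retry blocks the caller for 25 seconds with the defaults, the last 5 of them only to return `nil`. Taking the block index and skipping the final sleep avoids that: `TOKEN_RETRY_LIMIT.times do |attempt|` with `sleep @token_retry_delay unless attempt == TOKEN_RETRY_LIMIT - 1`. Separately, `if token_base64` accepts an empty string, which is truthy in Ruby, so a Secret whose `token` key is present but still empty would be returned as `""` rather than retried; `token_base64.present?` would match the stated intent more closely, assuming the API can return such a value. Exhaustion is reported only as a bare `nil`, so a short comment on `execute` saying callers must treat `nil` as "token not yet available" would help. `get_secret` and the rest of the class lie outside this hunk.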