author | Dylan Griffith <dyl.griffith@gmail.com> | 2019-06-21 15:13:54 +1000 |
---|---|---|
committer | Dylan Griffith <dyl.griffith@gmail.com> | 2019-06-21 16:36:34 +1000 |
commit | 4855667dad5d1ff61725bebf0683f0491bffc87c (patch) | |
tree | 3b9b91f386c815ae6124480d52d756574abc2ca7 /app/services | |
parent | 148516ba36855095fa995c2d4e8077919cdb6db6 (diff) | |
download | gitlab-ce-4855667dad5d1ff61725bebf0683f0491bffc87c.tar.gz |
Retry fetching Kubernetes Secret token
Since Kubernetes is creating the Secret and token asynchronously it is
necessary that we implement some delay or retrying logic to avoid a race
condition where we fetch a Secret before the token is even set. There
does not appear to be any way for us to force it to be set with any
synchronous API call so retrying seems to be the only option.
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 4ad04ab801e..5d9bdc52d37 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,17 +4,30 @@ module Clusters
 module Gcp
 module Kubernetes
 class FetchKubernetesTokenService
+ DEFAULT_TOKEN_RETRY_DELAY = 5.seconds
+ TOKEN_RETRY_LIMIT = 5
+
 attr_reader :kubeclient, :service_account_token_name, :namespace

- def initialize(kubeclient, service_account_token_name, namespace)
+ def initialize(kubeclient, service_account_token_name, namespace, token_retry_delay: DEFAULT_TOKEN_RETRY_DELAY)
 @kubeclient = kubeclient
 @service_account_token_name = service_account_token_name
 @namespace = namespace
+ @token_retry_delay = token_retry_delay
 end

 def execute
- token_base64 = get_secret&.dig('data', 'token')
- Base64.decode64(token_base64) if token_base64
+ # Kubernetes will create the Secret and set the token asynchronously
+ # so it is necessary to retry
+ # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller
+ TOKEN_RETRY_LIMIT.times do
+ token_base64 = get_secret&.dig('data', 'token')
+ return Base64.decode64(token_base64) if token_base64
+
+ sleep @token_retry_delay
+ end
+
+ nil
 end

 private |
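Review bot: The retry loop in `execute` sleeps after the last failed attempt too, so a Secret whose token never appears blocks the caller for five full delays (25 s at the defaults) before `nil` comes back. Taking the block index and guarding the wait, `TOKEN_RETRY_LIMIT.times do |attempt|` with `sleep @token_retry_delay unless attempt == TOKEN_RETRY_LIMIT - 1`, removes the wasted final delay. The `if token_base64` check is also truthy for an empty string, so if the API can return `data.token` as `""` before the controller fills it in, an empty credential would be returned instead of retried; `token_base64.present?` would cover that case. Exhausted retries fall through to a silent `nil`, which looks the same as a missing Secret, so a log line naming the Secret and namespace (never the token value) would help when diagnosing cluster provisioning failures. `get_secret` sits below `private`, outside this hunk, so whether it rescues API errors per attempt cannot be confirmed from here.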