handling of expired kubeconfig #2995

Open
kaedwen opened this issue Oct 25, 2024 · 2 comments

kaedwen commented Oct 25, 2024

Hi,

We have many operators; one of them uses the cluster struct to hold a connection to an additional remote cluster. We load the rest.Config from a mounted secret during startup. Now I wonder if there is a mechanism to renew the config in use once the secret mount path changes. Sure, we can watch that mount point (we do that in many other places), but is there a way to change the config of a running client?

I also wonder how the InClusterConfig is renewed. The coding here just reads the serviceaccount token and never does a reload. But the tokens do have an expiry, so how is this supposed to work? Sure, the default expiry is 1 year, but it cannot be the assumption that the controller will restart at some time anyway.

Regards

@ppodevlabs

We upgraded our clusters to 1.30.3 and we are facing the issue that some controllers stop working after 1h due to the bound token being refreshed. Any idea on how to solve this?

sbueringer (Member) commented Nov 10, 2024

> The coding here just reads the serviceaccount token and never does a reload.

Can you point to where the SA token is only read once?

InClusterConfig reads the token from tokenFile, but it also sets the BearerTokenFile field:
https://github.com/kubernetes/client-go/blob/master/rest/config.go#L544-L545

	// Path to a file containing a BearerToken.
	// If set, the contents are periodically read.
	// The last successfully read value takes precedence over BearerToken.
	BearerTokenFile string

I'm not sure but I think this TokenSource is used eventually: https://github.com/kubernetes/client-go/blob/master/transport/token_source.go#L75-L79
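
The behaviour the `BearerTokenFile` doc comment above describes (contents periodically re-read, last successfully read value wins), as an added standard-library-only example; it is not code from client-go, controller-runtime or any participant in this thread. The type name `tokenFileTransport`, the `ttl` field, the mount path `/etc/remote-cluster/token` and the host `remote.example.invalid` are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

// tokenFileTransport adds a bearer token that is re-read from path once ttl has elapsed.
type tokenFileTransport struct {
	base   http.RoundTripper
	path   string        // token file, for example a mounted secret
	ttl    time.Duration // how long a read value is reused (assumption of this example)
	mu     sync.Mutex    // guards token and readAt
	token  string
	readAt time.Time
}
// Token returns the cached token, refreshing it from disk when it is missing or stale.
func (t *tokenFileTransport) Token() (string, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.token == "" || time.Since(t.readAt) >= t.ttl {
		b, err := os.ReadFile(t.path)
		if tok := strings.TrimSpace(string(b)); err == nil && tok != "" {
			t.token, t.readAt = tok, time.Now()
		} else if t.token == "" {
			return "", fmt.Errorf("no usable token in %s: %v", t.path, err)
		}
	}
	return t.token, nil // after a failed refresh this is the last successfully read value
}
// RoundTrip resolves the token per request, so a rotated file reaches a running client.
func (t *tokenFileTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.Token()
	if err != nil {
		if req.Body != nil {
			req.Body.Close() // RoundTripper contract: close the body on error too
		}
		return nil, err
	}
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}
func main() {
	t := &tokenFileTransport{base: http.DefaultTransport, path: "/etc/remote-cluster/token", ttl: time.Minute}
	fmt.Println((&http.Client{Transport: t}).Get("https://remote.example.invalid/")) // hypothetical path and host
}
```

Because the token is looked up inside `RoundTrip`, the `http.Client` is built once and keeps working across rotations; a copy of the token taken at startup would go stale as soon as the file changes.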
