refresh bearer token from file to avoid stale tokens when using mount…

…ed service account token
ManageIQ · Jan 21, 2022 · 276b11b · 276b11b
1 parent e0aac1e
commit 276b11b
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/lib/kubeclient.rb b/lib/kubeclient.rb
@@ -126,7 +126,6 @@ def initialize_client(
         bearer_token(@auth_options[:bearer_token])
       elsif auth_options[:bearer_token_file]
         validate_bearer_token_file
-        bearer_token(File.read(@auth_options[:bearer_token_file]))
       end
     end
 
@@ -358,6 +357,12 @@ def create_faraday_client(url = nil)
         if @auth_options[:username] && @auth_options[:password]
           connection.basic_auth(@auth_options[:username], @auth_options[:password])
         end
+
+        refresh_bearer_token_from_file
+        if (auth = @headers[:Authorization])
+          connection.headers['Authorization'] = auth
+        end
+
         # hook for adding custom faraday configuration
         yield(connection) if block_given?
         connection.use(FaradayMiddleware::FollowRedirects, limit: @http_max_redirects)
@@ -366,9 +371,7 @@ def create_faraday_client(url = nil)
     end
 
     def faraday_client
-      @faraday_client ||= begin
-        create_faraday_client
-      end
+      @faraday_client ||= create_faraday_client
     end
 
     # Accepts the following options:
@@ -695,11 +698,9 @@ def validate_auth_options(opts)
     end
 
     def validate_bearer_token_file
-      msg = "Token file #{@auth_options[:bearer_token_file]} does not exist"
-      raise ArgumentError, msg unless File.file?(@auth_options[:bearer_token_file])
-
-      msg = "Cannot read token file #{@auth_options[:bearer_token_file]}"
-      raise ArgumentError, msg unless File.readable?(@auth_options[:bearer_token_file])
+      file = @auth_options[:bearer_token_file]
+      raise ArgumentError, "Token file #{file} does not exist" unless File.file?(file)
+      raise ArgumentError, "Token file #{file} cannot be read" unless File.readable?(file)
     end
 
     def return_or_yield_to_watcher(watcher, &block)
@@ -713,6 +714,8 @@ def return_or_yield_to_watcher(watcher, &block)
     end
 
     def http_options(uri)
+      refresh_bearer_token_from_file
+
       options = {
         basic_auth_user: @auth_options[:username],
         basic_auth_password: @auth_options[:password],
@@ -736,6 +739,11 @@ def http_options(uri)
       options.merge(@socket_options)
     end
 
+    def refresh_bearer_token_from_file
+      return unless (file = @auth_options[:bearer_token_file])
+      bearer_token(File.read(file))
+    end
+
     def json_headers
       { 'Content-Type' => 'application/json' }.merge(@headers)
     end