Closed izgeri closed 4 years ago
Here are the full logs from the example above - they were running for a few days, but for space reasons I cut it off after the first set of "Invalid token" errors.
Note - I was able to reproduce this by running the following:
- oc delete deployment/conjur-follower (I probably could've just disabled the authenticator to make this easier on myself)
- sh-exec'd into the pet store container and ran java -jar app.jar to force it to try to retrieve the DB creds from DAP again, and got errors

Resulting behavior with the fixes in the linked PR:
Log with the fixes in the linked PR: secretless-retry.txt
Summary
The DAP authn-k8s client retrieves a cert from the DAP follower, authenticates with the cert to retrieve a time-limited DAP access token, and is expected to re-authenticate every six minutes (see the Secretless source and the authn-k8s client definition to find this setting). When the cert expires, Secretless should detect that it is no longer logged in and re-login to retrieve a new cert.
At present, it appears that if the authenticate request fails, Secretless does not retry authentication and does not fail gracefully. Instead it continues (and fails) to retrieve credentials with each new request. See the logs below for more info.
Steps to Reproduce
Steps to reproduce the behavior:
Expected Results
On authentication failure, Secretless should retry with exponential backoff a limited number of times. If it does not manage to authenticate, the container should fail so that it can be redeployed.
Actual Results (including error logs, if applicable)
In practice the container does not continue trying to reauthenticate, and though there are Conjur provider errors the container does not fail and is not rescheduled:
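The retry behaviour the Expected Results ask for, as an added Go example that is not Secretless Broker's own code: Authenticator, RetryPolicy and fakeAuth are hypothetical names standing in for the real authn-k8s client. It logs in again before each attempt (so an expired cert is replaced), backs off exponentially between failures, and after a bounded number of attempts returns an error the caller must treat as fatal so the container exits and is rescheduled rather than serving failures.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrAuthFailed stands in for the authenticate / "Invalid token" errors seen in the logs.
var ErrAuthFailed = errors.New("authn-k8s: authenticate request failed")

// Authenticator is a hypothetical shape for the authn-k8s client (not Secretless's real API):
// Login fetches the client cert, Authenticate trades it for a short-lived access token.
type Authenticator interface {
	Login() error
	Authenticate() (string, error)
}

// RetryPolicy bounds retries to MaxAttempts; the delay doubles from BaseDelay after each failure.
type RetryPolicy struct {
	MaxAttempts int
	BaseDelay   time.Duration
	Sleep       func(time.Duration) // injectable so a test does not really wait
}

// AuthenticateWithRetry logs in again before each attempt (replacing an expired cert) and retries
// with exponential backoff; after MaxAttempts the returned error is fatal: the caller should exit
// so that Kubernetes restarts or reschedules the container instead of it serving failures forever.
func AuthenticateWithRetry(a Authenticator, p RetryPolicy) (token string, attempts int, err error) {
	for attempts = 1; attempts <= p.MaxAttempts; attempts++ {
		if err = a.Login(); err == nil {
			if token, err = a.Authenticate(); err == nil {
				return token, attempts, nil
			}
		}
		if attempts < p.MaxAttempts {
			p.Sleep(p.BaseDelay << uint(attempts-1)) // 1x, 2x, 4x, ... BaseDelay
		}
	}
	return "", p.MaxAttempts, fmt.Errorf("giving up after %d attempts: %w", p.MaxAttempts, err)
}

// fakeAuth is a constructed stand-in for the client: Authenticate fails `failures` times, then succeeds.
type fakeAuth struct{ failures, calls int }
func (f *fakeAuth) Login() error { return nil }
func (f *fakeAuth) Authenticate() (string, error) {
	if f.calls++; f.calls <= f.failures {
		return "", ErrAuthFailed
	}
	return "access-token", nil
}
```

Calling AuthenticateWithRetry(&fakeAuth{failures: 2}, RetryPolicy{MaxAttempts: 5, BaseDelay: time.Second, Sleep: time.Sleep}) sleeps 1s then 2s and succeeds on the third attempt; with failures set higher than MaxAttempts it returns a wrapped ErrAuthFailed that the caller should turn into a process exit.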