feat(etcd): periodic auth token refresh to prevent expiry#763
Open
okaybase wants to merge 1 commit into
Open
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (11)
📝 WalkthroughWalkthroughThe change adds configurable etcd authentication-token refresh, updates provider and application wiring, upgrades Changesetcd authentication refresh
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Server
participant EtcdConfigProvider
participant EtcdClient
participant AdminStore
Server->>EtcdConfigProvider: connect with refresh interval
EtcdConfigProvider->>EtcdClient: authenticate and start refresh task
EtcdConfigProvider->>AdminStore: provide connected client
AdminStore->>EtcdClient: write admin configuration
EtcdConfigProvider->>EtcdClient: refresh token periodically
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 6✅ Passed checks (6 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The etcd auth token acquired at connect time was never refreshed. Once it expired (default 300s
--auth-token-ttl), every subsequent Admin API write and etcd watch operation failed withetcdserver: invalid auth token.Changes
aisix-etcd: addstart_token_refresh_task— a background Tokio task that callsClient::refresh_tokenon a configurable interval (default 240s, leaving a 60s margin below etcd's default 300s TTL). No-ops when no credentials are configured, or when called outside a Tokio runtime.aisix-core: addEtcdConfig.auth_token_refresh_secsfield (default 240). Documented inconfig.example.yamlandconfig.managed.yaml.aisix-server: threadauth_token_refresh_secsfrom config throughEtcdConfigProvider::connectandEtcdConfigStore::new.aisix-admin:EtcdConfigStore::newnow spawns the refresh task for the admin write-path client, preventing Admin API writes from failing after token expiry.etcd-clientfrom 0.14 to 0.19 to pick upClient::refresh_tokenand the mergedWatchStream(no longer requires a separateWatcherhandle).admin_write_survives_token_expiryandtoken_refresh_prevents_auth_expiryregression tests against an auth-enabled etcd with a 5s TTL, exercising the refresh loop.etcd-authservice container (short TTL) and "Enable auth on etcd-auth" step to run the token-refresh tests.Verification
cargo test --workspacepassescargo clippy --workspace -- -D warningscleanrust-unitjob runs the new token-refresh tests against the auth-enabled etcd containeretcd.user+password_env, verify Admin API writes still succeed after 5+ minutesSummary by CodeRabbit
New Features
Bug Fixes
Tests