Fix httpclient setup for gcp credential provider to have timeout #28539
Conversation
derekwaynecarr
changed the title
derekwaynecarr
force-pushed
the
credential_provider_timeout
branch
from
b905a34 to
5366bfe
Compare
derekwaynecarr
added
the
release-note-none
k8s-github-robot
added
the
size/S
|
LGTM |
|
@cjcullen you know about metadata server availability issues. This is added a timeout when talking to metadata server. Thoughts? |
|
I think this is fine. All of the GCE metadata server flakiness I've seen manifests as a connection refused error. In what case do we use the GCP credentialprovider in a non GCP environment? Or is this just preventing a possible error case from hanging indefinitely and leaking goroutines/fds? |
|
@cjcullen at least in the image pulling keyring code we have, it tries to use the GCP credentialprovider even if you're not on GCP |
|
Hmmm. I'm hoping that's either in parallel or a faster fail than this 10s timeout? Either way, I think adding a timeout is probably a good thing. |
|
In the environments where we've seen this happen, it seems to hang for a long time |
|
#28871 improves the situation, but does not absolve it completely. Either way, from a code hygiene standpoint we should never allow the use of |
|
To elaborate, the credential provider is still used to make other remote calls that are not being protected with any timeout, or use the default transport requirements consistent with rest of project. |
ncdc
added
the
lgtm
|
GCE e2e build/test passed for commit 5366bfe. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 5366bfe. |
|
Automatic merge from submit-queue |
The default http client has no timeout.
This could cause problems when not on GCP environments.
This PR changes to use a 10s timeout, and ensures the transport has our normal defaults applied.
/cc @ncdc @liggitt