fix(inputs.kubernetes): refresh token from file at each read (influxd…

…ata#11578)
cjd · Aug 3, 2022 · 388be51 · 388be51
1 parent d606899
commit 388be51
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 11 deletions.
diff --git a/plugins/inputs/kubernetes/README.md b/plugins/inputs/kubernetes/README.md
@@ -45,7 +45,11 @@ avoid cardinality issues:
   ## Use bearer token for authorization. ('bearer_token' takes priority)
   ## If both of these are empty, we'll use the default serviceaccount:
   ## at: /run/secrets/kubernetes.io/serviceaccount/token
-  # bearer_token = "/path/to/bearer/token"
+  ##
+  ## To re-read the token at each interval, please use a file with the
+  ## bearer_token option. If given a string, Telegraf will always use that
+  ## token.
+  # bearer_token = "/run/secrets/kubernetes.io/serviceaccount/token"
   ## OR
   # bearer_token_string = "abc_123"
 

diff --git a/plugins/inputs/kubernetes/kubernetes.go b/plugins/inputs/kubernetes/kubernetes.go
@@ -27,7 +27,7 @@ type Kubernetes struct {
 
 	// Bearer Token authorization file path
 	BearerToken       string `toml:"bearer_token"`
-	BearerTokenString string `toml:"bearer_token_string"`
+	BearerTokenString string `toml:"bearer_token_string" deprecated:"1.24.0;use 'BearerToken' with a file instead"`
 
 	LabelInclude []string `toml:"label_include"`
 	LabelExclude []string `toml:"label_exclude"`
@@ -65,14 +65,6 @@ func (k *Kubernetes) Init() error {
 		k.BearerToken = defaultServiceAccountPath
 	}
 
-	if k.BearerToken != "" {
-		token, err := os.ReadFile(k.BearerToken)
-		if err != nil {
-			return err
-		}
-		k.BearerTokenString = strings.TrimSpace(string(token))
-	}
-
 	labelFilter, err := filter.NewIncludeExcludeFilter(k.LabelInclude, k.LabelExclude)
 	if err != nil {
 		return err
@@ -186,6 +178,13 @@ func (k *Kubernetes) LoadJSON(url string, v interface{}) error {
 			ResponseHeaderTimeout: time.Duration(k.ResponseTimeout),
 		}
 	}
+	if k.BearerToken != "" {
+		token, err := os.ReadFile(k.BearerToken)
+		if err != nil {
+			return err
+		}
+		k.BearerTokenString = strings.TrimSpace(string(token))
+	}
 	req.Header.Set("Authorization", "Bearer "+k.BearerTokenString)
 	req.Header.Add("Accept", "application/json")
 	resp, err = k.RoundTripper.RoundTrip(req)

diff --git a/plugins/inputs/kubernetes/sample.conf b/plugins/inputs/kubernetes/sample.conf
@@ -6,7 +6,11 @@
   ## Use bearer token for authorization. ('bearer_token' takes priority)
   ## If both of these are empty, we'll use the default serviceaccount:
   ## at: /run/secrets/kubernetes.io/serviceaccount/token
-  # bearer_token = "/path/to/bearer/token"
+  ##
+  ## To re-read the token at each interval, please use a file with the
+  ## bearer_token option. If given a string, Telegraf will always use that
+  ## token.
+  # bearer_token = "/run/secrets/kubernetes.io/serviceaccount/token"
   ## OR
   # bearer_token_string = "abc_123"