fix sha generation and token exchange error handling

Author: floreks

modules/common/client/args/args.go

@@ -15,15 +15,17 @@ var (
 	argCacheRefreshDebounce  = pflag.Duration("cache-refresh-debounce", 5*time.Second, "minimal time between cache refreshes in the background")
 )
 
+func Ensure() {
+	if *argClusterContextEnabled && len(*argTokenExchangeEndpoint) == 0 {
+		panic("token-exchange-endpoint must be set when cluster-context-enabled is set to true")
+	}
+}
+
 func CacheEnabled() bool {
 	return *argCacheEnabled
 }
 
 func ClusterContextEnabled() bool {
-	if *argClusterContextEnabled && len(*argTokenExchangeEndpoint) == 0 {
-		panic("token-exchange-endpoint must be set when cluster-context-enabled is set to true")
-	}
-
 	return *argClusterContextEnabled
 }
 

modules/common/client/cache/client/common/resourcelister.go

@@ -4,12 +4,14 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/samber/lo"
 	authorizationapiv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
-	"k8s.io/dashboard/client/cache"
 	"k8s.io/klog/v2"
 
+	"k8s.io/dashboard/client/cache"
+
 	"k8s.io/dashboard/errors"
 	"k8s.io/dashboard/types"
 )
@@ -29,13 +31,13 @@ func (in CachedResourceLister[T]) List(ctx context.Context, lister ResourceListe
 	cacheKey := in.cacheKey(opts)
 	cachedList, found, err := cache.Get[*T](cacheKey)
 	if err != nil {
-		return nil, err
+		return new(T), err
 	}
 
 	if !found {
 		list, err := lister.List(ctx, opts)
 		if err != nil {
-			return list, err
+			return new(T), err
 		}
 
 		klog.V(3).InfoS("resource not found in cache, initializing")
@@ -44,7 +46,7 @@ func (in CachedResourceLister[T]) List(ctx context.Context, lister ResourceListe
 
 	review, err := in.authorizationV1.SelfSubjectAccessReviews().Create(ctx, in.selfSubjectAccessReview(), metav1.CreateOptions{})
 	if err != nil {
-		return nil, err
+		return new(T), err
 	}
 
 	if review.Status.Allowed {
@@ -55,7 +57,7 @@ func (in CachedResourceLister[T]) List(ctx context.Context, lister ResourceListe
 		return cachedList, nil
 	}
 
-	return nil, errors.NewForbidden(
+	return lo.Empty[*T](), errors.NewForbidden(
 		errors.MsgForbiddenError,
 		fmt.Errorf("%s: %s", review.Status.Reason, review.Status.EvaluationError),
 	)

modules/common/client/cache/key.go

@@ -1,6 +1,8 @@
 package cache
 
 import (
+	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 
@@ -9,6 +11,7 @@ import (
 	"k8s.io/klog/v2"
 
 	"k8s.io/dashboard/client/args"
+	"k8s.io/dashboard/errors"
 	"k8s.io/dashboard/helpers"
 	"k8s.io/dashboard/types"
 )
@@ -18,6 +21,13 @@ import (
 // multi-cluster resources.
 var contextCache *theine.Cache[string, string]
 
+func init() {
+	var err error
+	if contextCache, err = theine.NewBuilder[string, string](int64(args.CacheSize())).Build(); err != nil {
+		panic(err)
+	}
+}
+
 // key is an internal structure used for creating
 // a unique cache key SHA. It is used when
 // `cluster-context-enabled=false`.
@@ -34,10 +44,21 @@ type key struct {
 
 // SHA calculates sha based on the internal key fields.
 func (k key) SHA() (string, error) {
-	k.opts = metav1.ListOptions{LabelSelector: k.opts.LabelSelector, FieldSelector: k.opts.FieldSelector}
 	return helpers.HashObject(k)
 }
 
+func (k key) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Kind      types.ResourceKind
+		Namespace string
+		Opts      metav1.ListOptions
+	}{
+		Kind:      k.kind,
+		Namespace: k.namespace,
+		Opts:      metav1.ListOptions{LabelSelector: k.opts.LabelSelector, FieldSelector: k.opts.FieldSelector},
+	})
+}
+
 // Key embeds an internal key structure and extends it with the support
 // for the multi-cluster cache key creation. It is used when
 // `cluster-context-enabled=true`.
@@ -53,6 +74,16 @@ type Key struct {
 	context string
 }
 
+func (k Key) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		K       key
+		Context string
+	}{
+		K:       k.key,
+		Context: k.context,
+	})
+}
+
 // SHA calculates sha based on the internal struct fields.
 // It is also responsible for exchanging the [Key.Token] for
 // the context identifier with the external source of truth
@@ -72,8 +103,6 @@ func (k Key) SHA() (sha string, err error) {
 		contextCache.SetWithTTL(k.token, contextKey, 1, args.CacheTTL())
 	}
 
-	k.opts = metav1.ListOptions{LabelSelector: k.opts.LabelSelector, FieldSelector: k.opts.FieldSelector}
-	k.token = ""
 	k.context = contextKey
 	return helpers.HashObject(k)
 }
@@ -100,6 +129,15 @@ func exchangeToken(token string) (string, error) {
 		return "", err
 	}
 
+	if response.StatusCode == http.StatusUnauthorized || response.StatusCode == http.StatusForbidden {
+		return "", errors.NewUnauthorized(fmt.Sprintf("could not exchange token: %s", response.Status))
+	}
+
+	if response.StatusCode != http.StatusOK {
+		klog.ErrorS(errors.NewBadRequest(response.Status), "could not exchange token", "url", args.TokenExchangeEndpoint())
+		return "", errors.NewBadRequest(response.Status)
+	}
+
 	defer func(body io.ReadCloser) {
 		if err := body.Close(); err != nil {
 			klog.V(3).ErrorS(err, "could not close response body writer")

modules/common/client/init.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 
+	"k8s.io/dashboard/client/args"
 	"k8s.io/dashboard/errors"
 )
 
@@ -206,8 +207,9 @@ func handleImpersonation(authInfo *api.AuthInfo, request *http.Request) {
 }
 
 func Init(options ...Option) {
-	builder := newConfigBuilder(options...)
+	args.Ensure()
 
+	builder := newConfigBuilder(options...)
 	config, err := builder.buildBaseConfig()
 	if err != nil {
 		klog.Errorf("Could not init kubernetes client config: %s", err)