fix(k8s): miss imagebuilder log

Author: duanhongyi

pkg/controller/token/token.go

@@ -68,6 +68,12 @@ type tokenResponse struct {
 	ExpiresIn   int64  `json:"expires_in"`
 }
 
+// introspectResponse models the passport /oauth/introspect/ response.
+type introspectResponse struct {
+	Active bool   `json:"active"`
+	Scope  string `json:"scope"`
+}
+
 // Manager owns the Valkey client and the configuration needed to refresh
 // tokens. It is safe for concurrent use.
 type Manager struct {
@@ -237,6 +243,9 @@ func (m *Manager) readValid(ctx context.Context, buffer time.Duration) (*payload
 	if p.ExpiresAt <= cutoff {
 		return nil, nil
 	}
+	if !m.introspectToken(ctx, p.AccessToken) {
+		return nil, nil
+	}
 	return &p, nil
 }
 
@@ -269,6 +278,60 @@ func (m *Manager) fetchAndSave(ctx context.Context) (*payload, error) {
 	return &p, nil
 }
 
+func (m *Manager) introspectToken(ctx context.Context, token string) bool {
+	if m.passportScopes == "" {
+		return true
+	}
+
+	endpoint := strings.TrimRight(m.passportURL, "/") + "/oauth/introspect/"
+	form := url.Values{}
+	form.Set("token", token)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return false
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth(m.passportKey, m.passportSecret)
+
+	resp, err := m.httpClient.Do(req)
+	if err != nil {
+		return false
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return false
+	}
+
+	var ir introspectResponse
+	if err := json.NewDecoder(resp.Body).Decode(&ir); err != nil {
+		return false
+	}
+
+	if !ir.Active {
+		return false
+	}
+
+	requiredScopes := strings.Fields(m.passportScopes)
+	tokenScopes := strings.Fields(ir.Scope)
+
+	if len(requiredScopes) != len(tokenScopes) {
+		return false
+	}
+
+	reqMap := make(map[string]bool)
+	for _, s := range requiredScopes {
+		reqMap[s] = true
+	}
+	for _, s := range tokenScopes {
+		if !reqMap[s] {
+			return false
+		}
+	}
+	return true
+}
+
 func (m *Manager) requestToken(ctx context.Context) (*tokenResponse, error) {
 	endpoint := strings.TrimRight(m.passportURL, "/") + "/oauth/token/"
 	form := url.Values{}

pkg/controller/token/token_test.go

@@ -36,7 +36,7 @@ func newTestManager(t *testing.T, passportHandler http.HandlerFunc) (*Manager, *
 	t.Setenv("DRYCC_PASSPORT_URL", ts.URL)
 	t.Setenv("DRYCC_PASSPORT_KEY", "test-key")
 	t.Setenv("DRYCC_PASSPORT_SECRET", "test-secret")
-	t.Setenv("DRYCC_PASSPORT_SCOPES", "controller:hook")
+	t.Setenv("DRYCC_PASSPORT_SCOPES", "passport:message")
 
 	mgr, err := NewManager(client)
 	require.NoError(t, err)
@@ -57,7 +57,20 @@ func passportJSON(t *testing.T, accessToken string, expiresIn int64) http.Handle
 }
 
 func TestGet_FastPathReturnsCachedToken(t *testing.T) {
-	mgr, mr, _ := newTestManager(t, passportJSON(t, "should-not-be-fetched", 2592000))
+	// The introspect endpoint is required for the fast path validity check now.
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		if req.URL.Path == "/oauth/introspect/" {
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"active": true,
+				"scope":  "passport:message",
+			})
+			return
+		}
+		// Fallback for token requests
+		passportJSON(t, "should-not-be-fetched", 2592000)(w, req)
+	}
+	mgr, mr, _ := newTestManager(t, handler)
 
 	// Pre-populate Valkey with a still-valid token.
 	p := payload{AccessToken: "cached-token", ExpiresAt: time.Now().Add(24 * time.Hour).Unix()}
@@ -96,13 +109,30 @@ func TestGet_ColdStartFetchesFromPassport(t *testing.T) {
 }
 
 func TestGet_ConcurrentCallsHitPassportOnce(t *testing.T) {
-	var calls int32
-	handler := func(w http.ResponseWriter, _ *http.Request) {
-		atomic.AddInt32(&calls, 1)
+	var activeCalls int32
+	var tokenCalls int32
+	var mu sync.Mutex
+
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		mu.Lock()
+		if req.URL.Path == "/oauth/introspect/" {
+			activeCalls++
+			mu.Unlock()
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"active": true,
+				"scope":  "passport:message",
+			})
+			return
+		}
+
+		tokenCalls++
+		mu.Unlock()
+
 		// Slow handler to widen the race window.
 		time.Sleep(50 * time.Millisecond)
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(`{"access_token":"only-one","token_type":"Bearer","expires_in":2592000}`))
+		_, _ = w.Write([]byte(`{"access_token":"only-one","token_type":"Bearer","expires_in":2592000,"scope":"passport:message"}`))
 	}
 	mgr, _, _ := newTestManager(t, handler)
 
@@ -123,15 +153,24 @@ func TestGet_ConcurrentCallsHitPassportOnce(t *testing.T) {
 		require.NoErrorf(t, errs[i], "goroutine %d", i)
 		assert.Equal(t, "only-one", results[i])
 	}
-	assert.Equal(t, int32(1), atomic.LoadInt32(&calls), "passport should be called exactly once")
+	assert.Equal(t, int32(1), atomic.LoadInt32(&tokenCalls), "passport should be called exactly once")
 }
 
 func TestRefresh_SkipsWhenPlentyOfLifetimeRemains(t *testing.T) {
-	var calls int32
-	handler := func(w http.ResponseWriter, _ *http.Request) {
-		atomic.AddInt32(&calls, 1)
+	var tokenCalls int32
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		if req.URL.Path == "/oauth/introspect/" {
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"active": true,
+				"scope":  "passport:message",
+			})
+			return
+		}
+
+		atomic.AddInt32(&tokenCalls, 1)
 		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(`{"access_token":"new","expires_in":2592000}`))
+		_, _ = w.Write([]byte(`{"access_token":"new","expires_in":2592000,"scope":"passport:message"}`))
 	}
 	mgr, mr, _ := newTestManager(t, handler)
 
@@ -141,7 +180,7 @@ func TestRefresh_SkipsWhenPlentyOfLifetimeRemains(t *testing.T) {
 	require.NoError(t, mr.Set(TokenKey, string(raw)))
 
 	require.NoError(t, mgr.Refresh(context.Background(), false))
-	assert.Equal(t, int32(0), atomic.LoadInt32(&calls))
+	assert.Equal(t, int32(0), atomic.LoadInt32(&tokenCalls))
 
 	got, _ := mr.Get(TokenKey)
 	assert.Equal(t, string(raw), got, "token must be untouched")
@@ -386,6 +425,15 @@ func TestNewClientFromEnv_MissingURL(t *testing.T) {
 func TestRequestToken_SendsControllerHookScope(t *testing.T) {
 	var captured url.Values
 	handler := func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/oauth/introspect/" {
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"active": true,
+				"scope":  "passport:message",
+			})
+			return
+		}
+
 		body, _ := io.ReadAll(r.Body)
 		captured, _ = url.ParseQuery(string(body))
 		w.Header().Set("Content-Type", "application/json")
@@ -399,5 +447,5 @@ func TestRequestToken_SendsControllerHookScope(t *testing.T) {
 	assert.Equal(t, "client_credentials", captured.Get("grant_type"))
 	assert.Equal(t, "test-key", captured.Get("client_id"))
 	assert.Equal(t, "test-secret", captured.Get("client_secret"))
-	assert.Equal(t, "controller:hook", captured.Get("scope"))
+	assert.Equal(t, "passport:message", captured.Get("scope"))
 }

pkg/gitreceive/build.go

@@ -25,8 +25,10 @@ import (
 	"gopkg.in/yaml.v3"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/cache"
 )
 
 const (
@@ -186,24 +188,25 @@ func build(
 		return fmt.Errorf("creating builder pod (%s)", err)
 	}
 
-	pw := k8s.NewPodWatcher(*kubeClient, conf.PodNamespace)
+	pw := k8s.NewPodWatcher(*kubeClient, conf.PodNamespace, builderPodLabelSelector(newJob.Name))
 	stopCh := make(chan struct{})
 	defer close(stopCh)
 	go pw.Controller.Run(stopCh)
 
+	if !cache.WaitForCacheSync(stopCh, pw.Controller.HasSynced) {
+		return fmt.Errorf("pod watcher cache failed to sync for job %s", newJob.Name)
+	}
+
 	if err := waitForPod(pw, newJob.Name, conf.SessionIdleInterval(), conf.BuilderPodTickDuration(), conf.BuilderPodWaitDuration()); err != nil {
 		return fmt.Errorf("watching events for builder pod startup (%s)", err)
 	}
 
-	options := metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("job-name=%s", newJob.Name),
-	}
-	podList, err := kubeClient.CoreV1().Pods(newJob.Namespace).List(context.Background(), options)
+	builderPod, err := resolveBuilderPod(pw, newJob.Name)
 	if err != nil {
-		return fmt.Errorf("list pods %s fail: (%s)", newJob.Name, err)
+		return err
 	}
 
-	req := kubeClient.CoreV1().RESTClient().Get().Namespace(newJob.Namespace).Name(podList.Items[0].Name).Resource("pods").SubResource("log").VersionedParams(
+	req := kubeClient.CoreV1().RESTClient().Get().Namespace(newJob.Namespace).Name(builderPod.Name).Resource("pods").SubResource("log").VersionedParams(
 		&corev1.PodLogOptions{
 			Follow: true,
 		}, scheme.ParameterCodec)
@@ -234,7 +237,7 @@ func build(
 	}
 	log.Debug("Done")
 	log.Debug("Checking for builder pod exit code")
-	buildPod, err := kubeClient.CoreV1().Pods(newJob.Namespace).Get(context.TODO(), podList.Items[0].Name, metav1.GetOptions{})
+	buildPod, err := kubeClient.CoreV1().Pods(newJob.Namespace).Get(context.TODO(), builderPod.Name, metav1.GetOptions{})
 	if err != nil {
 		return fmt.Errorf("error getting builder pod status (%s)", err)
 	}
@@ -331,3 +334,22 @@ func getDockerfile(dirName string, stack map[string]string) (string, error) {
 	}
 	return "", nil
 }
+
+func builderPodLabelSelector(jobName string) string {
+	return fmt.Sprintf("job-name=%s,heritage=drycc", jobName)
+}
+
+func resolveBuilderPod(pw *k8s.PodWatcher, jobName string) (*corev1.Pod, error) {
+	selector := labels.Set{
+		"job-name": jobName,
+		"heritage": "drycc",
+	}.AsSelector()
+	pods, err := pw.Store.List(selector)
+	if err != nil {
+		return nil, fmt.Errorf("listing builder pods for job %s: %s", jobName, err)
+	}
+	if len(pods) == 0 {
+		return nil, fmt.Errorf("no builder pod found in cache for job %s", jobName)
+	}
+	return pods[0], nil
+}

pkg/k8s/watch.go

@@ -38,29 +38,38 @@ func (s *StoreToPodLister) List(selector labels.Selector) (pods []*v1.Pod, err e
 	return pods, nil
 }
 
-// NewPodWatcher creates a new BuildPodWatcher useful to list the pods using a cache which gets updated based on the watch func.
-func NewPodWatcher(c kubernetes.Clientset, ns string) *PodWatcher {
+// NewPodWatcher creates a new PodWatcher backed by a cache populated from a
+// label-scoped list/watch. A tight labelSelector keeps the WatchList initial
+// events stream small enough for the apiserver to deliver the terminating
+// bookmark within client-go's timeout; an empty string watches the namespace.
+func NewPodWatcher(c kubernetes.Clientset, ns, labelSelector string) *PodWatcher {
 	pw := &PodWatcher{}
 
 	pw.Store.Store, pw.Controller = cache.NewInformerWithOptions(cache.InformerOptions{
 		ListerWatcher: &cache.ListWatch{
-			ListFunc:  podListFunc(c, ns),
-			WatchFunc: podWatchFunc(c, ns),
+			ListFunc:  podListFunc(c, ns, labelSelector),
+			WatchFunc: podWatchFunc(c, ns, labelSelector),
 		},
 		ObjectType: &v1.Pod{},
 		Handler:    cache.ResourceEventHandlerFuncs{},
 	})
 	return pw
 }
 
-func podListFunc(c kubernetes.Clientset, ns string) func(options metav1.ListOptions) (runtime.Object, error) {
-	return func(metav1.ListOptions) (runtime.Object, error) {
-		return c.CoreV1().Pods(ns).List(context.TODO(), metav1.ListOptions{})
+// podListFunc and podWatchFunc preserve any options injected by the reflector
+// (ResourceVersion, AllowWatchBookmarks, SendInitialEvents, ...) and only
+// override LabelSelector. Overwriting options with a fresh metav1.ListOptions{}
+// here would break the WatchList path used by client-go >= v0.35.
+func podListFunc(c kubernetes.Clientset, ns, labelSelector string) func(options metav1.ListOptions) (runtime.Object, error) {
+	return func(options metav1.ListOptions) (runtime.Object, error) {
+		options.LabelSelector = labelSelector
+		return c.CoreV1().Pods(ns).List(context.TODO(), options)
 	}
 }
 
-func podWatchFunc(c kubernetes.Clientset, ns string) func(options metav1.ListOptions) (watch.Interface, error) {
-	return func(metav1.ListOptions) (watch.Interface, error) {
-		return c.CoreV1().Pods(ns).Watch(context.TODO(), metav1.ListOptions{})
+func podWatchFunc(c kubernetes.Clientset, ns, labelSelector string) func(options metav1.ListOptions) (watch.Interface, error) {
+	return func(options metav1.ListOptions) (watch.Interface, error) {
+		options.LabelSelector = labelSelector
+		return c.CoreV1().Pods(ns).Watch(context.TODO(), options)
 	}
 }