# spicedb
Hello! My ops team is reaching out to me with a question about SpiceDB, rather than paraphrasing I'll just copy-paste it here:

> I’m looking at what we’re missing to upgrade our Kubernetes clusters to 1.21. The only change that could affect us (at least from my research) is that Service Account tokens now expire and are rotated.
>
> As a refresher, Service Accounts are Kubernetes’s equivalent to an AWS IAM Role, it’s an identity for a machine. Service Accounts are linked to Pods, and Kubernetes generates a token to authenticate the SA, and injects this token into the pods in a well-known path.
>
> Starting with 1.21, these tokens expire and are rotated on disk automatically. Official SDKs already support reading the token from disk when it expires.
>
> However we have an issue for SpiceDB: it uses the Kubernetes API to discover sibling instances of SpiceDB (for dispatch IIRC), based on kuberesolver. However kuberesolver doesn’t use the official Go Kubernetes SDK, it implements its own lightweight client, initialized here https://github.com/sercand/kuberesolver/blob/master/kubernetes.go#L59-L86. I couldn’t find in its source code any reference to refreshing that token.
>
> The default expiration period for these tokens is 90d in 1.21, but it will be reduced to minutes or hours in following updates.
>
> This means that if a SpiceDB pod is alive for more than 90d (and much less later), it won’t be able to refresh its list of siblings for dispatch.

Is this something you're aware of, is it correct, are there plans to address it?