fix(client): fix SPIFFE X509-SVID retry logic for timing issues #741
Conversation
Signed-off-by: Tibor Kircsi <[email protected]>
…ckage Signed-off-by: Tibor Kircsi <[email protected]>
Pull request overview
This PR fixes "certificate contains no URI SAN" errors in dirctl workloads by consolidating duplicate retry logic into a shared utils/spiffe package with configurable retry parameters.
Key changes:
- New shared retry implementation in utils/spiffe package with configurable backoff parameters
- Wrapper type X509SourceWithRetry that applies retry logic during TLS handshakes
- Comprehensive test coverage for retry scenarios including zero ID, nil SVID, and exponential backoff
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| utils/spiffe/retry.go | New shared retry implementation with X509SourceWithRetry wrapper and GetX509SVIDWithRetry function |
| utils/spiffe/retry_test.go | Comprehensive test coverage for all retry scenarios with fast test-specific parameters |
| client/options.go | Migrated to shared retry implementation and X509SourceWithRetry wrapper |
| server/authn/service.go | Migrated to shared retry implementation for both JWT and X509 modes |
| utils/go.mod | Added go-spiffe/v2 and testify dependencies to utils module |
Fixes "certificate contains no URI SAN" errors in dirctl workloads (especially CronJobs) caused by SPIRE agent-server sync delays.

Changes:

Move duplicate retry logic from client and server packages into a shared utils/spiffe package. Make retry parameters configurable via constructor to allow faster unit tests. Move retry tests to utils/spiffe/retry_test.go for better code organization.

The retry logic handles cases where SPIRE entries haven't synced to the agent yet, which is common with short-lived workloads.
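The retry behaviour the description outlines (retry on error, on a nil SVID and on a zero SPIFFE ID, with configurable exponential backoff, wrapped in a source type that a TLS handshake can call) as an added, self-contained Go example. This is illustrative code, not the PR's utils/spiffe implementation: the real package uses go-spiffe/v2's x509svid.Source and spiffeid.ID, which are replaced here by a minimal SVID/Source stand-in so the block runs offline; RetryConfig, GetX509SVIDWithRetry's (svid, attempts, err) signature, ErrNoURISAN and eventuallySyncedSource are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// SVID is a minimal stand-in for go-spiffe's x509svid.SVID (assumption: the
// real type carries the SPIFFE ID parsed from the leaf certificate's URI SAN).
type SVID struct {
	ID string // SPIFFE ID from the URI SAN; empty when the cert has none
}

// IsZero mirrors spiffeid.ID.IsZero: a certificate without a URI SAN yields a
// zero ID, which is the symptom behind "certificate contains no URI SAN".
func (s *SVID) IsZero() bool { return s == nil || s.ID == "" }

// Source mirrors the x509svid.Source interface that tlsconfig consumes.
type Source interface {
	GetX509SVID() (*SVID, error)
}

// SourceFunc adapts a plain function to Source.
type SourceFunc func() (*SVID, error)

func (f SourceFunc) GetX509SVID() (*SVID, error) { return f() }

// RetryConfig holds the backoff parameters; passing a fast config from tests
// is what keeps the unit tests quick.
type RetryConfig struct {
	MaxAttempts  int
	InitialDelay time.Duration
	MaxDelay     time.Duration
	Multiplier   float64
}

// ErrNoURISAN is returned when every attempt produced a zero SPIFFE ID.
var ErrNoURISAN = errors.New("certificate contains no URI SAN")

// GetX509SVIDWithRetry fetches an SVID, treating a fetch error, a nil SVID and
// a zero ID as retryable: the agent may not have received the registration
// entry from the server yet. It returns the attempt count that succeeded.
func GetX509SVIDWithRetry(ctx context.Context, src Source, cfg RetryConfig) (*SVID, int, error) {
	delay := cfg.InitialDelay
	var lastErr error
	for attempt := 1; attempt <= cfg.MaxAttempts; attempt++ {
		svid, err := src.GetX509SVID()
		switch {
		case err != nil:
			lastErr = err
		case svid == nil:
			lastErr = errors.New("workload API returned nil SVID")
		case svid.IsZero():
			lastErr = ErrNoURISAN
		default:
			return svid, attempt, nil
		}
		if attempt == cfg.MaxAttempts {
			break
		}
		select { // honour cancellation so a stuck handshake does not hang forever
		case <-ctx.Done():
			return nil, attempt, fmt.Errorf("gave up after %d attempts: %w (%v)", attempt, lastErr, ctx.Err())
		case <-time.After(delay):
		}
		delay = time.Duration(float64(delay) * cfg.Multiplier) // exponential backoff, capped
		if delay > cfg.MaxDelay {
			delay = cfg.MaxDelay
		}
	}
	return nil, cfg.MaxAttempts, fmt.Errorf("X509-SVID not available after %d attempts: %w", cfg.MaxAttempts, lastErr)
}

// X509SourceWithRetry wraps a Source so every GetX509SVID call made during a
// TLS handshake goes through the retry loop instead of failing immediately.
type X509SourceWithRetry struct {
	Source Source
	Config RetryConfig
}

func (x *X509SourceWithRetry) GetX509SVID() (*SVID, error) {
	svid, _, err := GetX509SVIDWithRetry(context.Background(), x.Source, x.Config)
	return svid, err
}

// eventuallySyncedSource simulates (constructed for this example) an agent that
// serves a certificate without a URI SAN for the first `failures` calls and a
// proper SVID afterwards, i.e. the entry sync arriving late.
func eventuallySyncedSource(failures int, id string) Source {
	calls := 0
	return SourceFunc(func() (*SVID, error) {
		calls++
		if calls <= failures {
			return &SVID{}, nil // zero ID: entry not synced to the agent yet
		}
		return &SVID{ID: id}, nil
	})
}

func main() {
	cfg := RetryConfig{MaxAttempts: 5, InitialDelay: time.Millisecond, MaxDelay: 4 * time.Millisecond, Multiplier: 2}
	src := &X509SourceWithRetry{Source: eventuallySyncedSource(3, "spiffe://example.org/dirctl"), Config: cfg}
	svid, err := src.GetX509SVID()
	fmt.Println(svid, err)
}
```

Because the wrapper retries inside the handshake, the total backoff (sum of the delays up to MaxAttempts) must stay below the dial or context timeout of the caller, otherwise the connection fails on timeout with a less informative error than the wrapped ErrNoURISAN; the cap in MaxDelay is what keeps that sum bounded.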