fix: refresh auth tokens 3m45s before expiration (#1505)

- Migrate from the legacy golang.org/x/oauth2 to the new
  cloud.google.com/go/auth for GCP & federated auth.
- Remove the 5m auth token cache in the askpass sidecar.
  Use the 3m45s EarlyTokenRefresh default provided by
  auth.DefaultCredentials instead.
- Make asskpass, helm-sync, oci-sync, and reconciler-manager all use
  the same credential and token provider code for consistency.
- Add unit tests to confirm that IsCredentialsNotFoundError works.
  It's fragile because it depends on an error string instead of a
  sentinel error.
  googleapis/google-cloud-go#11258
  Unfortunately, the not found error is not reproducable or testable
  on GKE/GCE, so if the error text changes, the test may still pass
  in CI but fail when run locally.
  googleapis/google-cloud-go#4920

cmd/gcenode-askpass-sidecar/main.go

@@ -14,13 +14,15 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"net/http"
 
 	"cloud.google.com/go/compute/metadata"
 	"k8s.io/klog/v2/textlogger"
 	"kpt.dev/configsync/pkg/askpass"
+	"kpt.dev/configsync/pkg/auth"
 	"kpt.dev/configsync/pkg/util"
 	utillog "kpt.dev/configsync/pkg/util/log"
 )
@@ -73,6 +75,7 @@ func main() {
 		utillog.HandleError(log, true, "root cannot be empty")
 	}
 
+	// TODO: Add support for BYOID, which does not use a GCP service account
 	var gsaEmail string
 	var err error
 	// for getting the GSA email we have several scenarios
@@ -82,7 +85,7 @@ func main() {
 	if *flGsaEmail != "" {
 		gsaEmail = *flGsaEmail
 	} else if metadata.OnGCE() {
-		gsaEmail, err = metadata.Email("")
+		gsaEmail, err = metadata.EmailWithContext(context.TODO(), "")
 		if err != nil {
 			utillog.HandleError(log, false, "error in http.ListenAndServe: %v", err)
 		}
@@ -93,6 +96,9 @@ func main() {
 
 	aps := &askpass.Server{
 		Email: gsaEmail,
+		CredentialProvider: &auth.CachingCredentialProvider{
+			Scopes: auth.GitSourceScopes(),
+		},
 	}
 	http.HandleFunc("/git_askpass", aps.GitAskPassHandler)
 

cmd/helm-sync/main.go

@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2/textlogger"
 	"kpt.dev/configsync/pkg/api/configsync"
+	"kpt.dev/configsync/pkg/auth"
 	"kpt.dev/configsync/pkg/helm"
 	"kpt.dev/configsync/pkg/reconcilermanager"
 	"kpt.dev/configsync/pkg/util"
@@ -141,6 +142,9 @@ func main() {
 			UserName:        *flUsername,
 			Password:        *flPassword,
 			CACertFilePath:  *flCACert,
+			CredentialProvider: &auth.CachingCredentialProvider{
+				Scopes: auth.OCISourceScopes(),
+			},
 		}
 
 		if err := hydrator.HelmTemplate(ctx); err != nil {

cmd/oci-sync/main.go

@@ -24,9 +24,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/go-containerregistry/pkg/authn"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2/textlogger"
 	"kpt.dev/configsync/pkg/api/configsync"
+	"kpt.dev/configsync/pkg/auth"
 	"kpt.dev/configsync/pkg/oci"
 	"kpt.dev/configsync/pkg/reconcilermanager"
 	"kpt.dev/configsync/pkg/util"
@@ -93,9 +95,34 @@ func main() {
 	failCount := 0
 	backoff := errorBackoff()
 
+	var authenticator authn.Authenticator
+	switch configsync.AuthType(*flAuth) {
+	case configsync.AuthNone:
+		authenticator = authn.Anonymous
+	case configsync.AuthGCPServiceAccount, configsync.AuthK8sServiceAccount, configsync.AuthGCENode:
+		authenticator = &oci.CredentialAuthenticator{
+			CredentialProvider: &auth.CachingCredentialProvider{
+				Scopes: auth.OCISourceScopes(),
+			},
+		}
+	default:
+		utillog.HandleError(log, true, "ERROR: --auth type must be one of %#v, but found %q",
+			[]configsync.AuthType{
+				configsync.AuthNone,
+				configsync.AuthGCPServiceAccount,
+				configsync.AuthK8sServiceAccount,
+				configsync.AuthGCENode,
+			},
+			*flAuth)
+	}
+
+	fetcher := &oci.Fetcher{
+		Authenticator: authenticator,
+	}
+
 	for {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(*flSyncTimeout))
-		if err := oci.FetchPackage(ctx, log, *flAuth, *flImage, *flRoot, *flDest); err != nil {
+		if err := fetcher.FetchPackage(ctx, *flImage, *flRoot, *flDest); err != nil {
 			if *flMaxSyncFailures != -1 && failCount >= *flMaxSyncFailures {
 				// Exit after too many retries, maybe the error is not recoverable.
 				log.Error(err, "too many failures, aborting", "failCount", failCount)

cmd/reconciler-manager/main.go

@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"os"
 
+	traceapi "cloud.google.com/go/trace/apiv2"
 	"github.com/go-logr/logr"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -30,6 +31,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2/textlogger"
 	"kpt.dev/configsync/pkg/api/configsync"
+	"kpt.dev/configsync/pkg/auth"
 	"kpt.dev/configsync/pkg/core"
 	"kpt.dev/configsync/pkg/kinds"
 	"kpt.dev/configsync/pkg/metrics"
@@ -157,9 +159,13 @@ func main() {
 	})
 	setupLog.Info("RootSync controller registration scheduled")
 
+	otelCredentialProvider := &auth.CachingCredentialProvider{
+		Scopes: traceapi.DefaultAuthScopes(),
+	}
+
 	otel := controllers.NewOtelReconciler(mgr.GetClient(),
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName("Otel"),
-		mgr.GetScheme())
+		mgr.GetScheme(), otelCredentialProvider)
 	if err := otel.Register(mgr); err != nil {
 		setupLog.Error(err, "failed to register controller", "controller", "Otel")
 		os.Exit(1)

go.mod

@@ -3,9 +3,9 @@ module kpt.dev/configsync
 go 1.22.0
 
 require (
-	cloud.google.com/go/compute/metadata v0.3.0
-	cloud.google.com/go/monitoring v1.16.3
-	cloud.google.com/go/trace v1.10.4
+	cloud.google.com/go/compute/metadata v0.5.1
+	cloud.google.com/go/monitoring v1.21.0
+	cloud.google.com/go/trace v1.11.0
 	contrib.go.opencensus.io/exporter/ocagent v0.7.0
 	github.com/GoogleContainerTools/kpt v1.0.0-beta.46
 	github.com/GoogleContainerTools/kpt-functions-catalog/functions/go/set-namespace v0.4.1-0.20220713210718-d955e7d3a800
@@ -16,12 +16,13 @@ require (
 	github.com/elliotchance/orderedmap/v2 v2.2.0
 	github.com/ettle/strcase v0.2.0
 	github.com/evanphx/json-patch v5.6.0+incompatible
-	github.com/go-logr/logr v1.4.1
+	github.com/go-logr/logr v1.4.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/addlicense v1.1.1
 	github.com/google/gnostic-models v0.6.8
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.16.1
+	github.com/google/go-licenses/v2 v2.0.0-alpha.1
 	github.com/google/uuid v1.6.0
 	github.com/jstemmer/go-junit-report/v2 v2.0.0
 	github.com/kylelemons/godebug v1.1.0
@@ -36,16 +37,17 @@ require (
 	go.uber.org/zap v1.26.0
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mod v0.18.0
-	golang.org/x/net v0.26.0
-	golang.org/x/oauth2 v0.24.0
-	google.golang.org/api v0.152.0
+	golang.org/x/net v0.29.0
+	golang.org/x/oauth2 v0.24.0 // indirect
+	google.golang.org/api v0.197.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.30.3
 	k8s.io/apiextensions-apiserver v0.30.3
 	k8s.io/apimachinery v0.30.3
 	k8s.io/cli-runtime v0.30.3
 	k8s.io/client-go v0.30.3
 	k8s.io/cluster-registry v0.0.6
+	k8s.io/code-generator v0.30.3
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/kube-aggregator v0.30.3
 	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f
@@ -55,20 +57,19 @@ require (
 	sigs.k8s.io/cli-utils v0.37.2
 	sigs.k8s.io/controller-runtime v0.18.4
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20231023142458-b9f29826ee83
+	sigs.k8s.io/controller-tools v0.15.0
 	sigs.k8s.io/kind v0.23.0 // When upgrading, update the node image versions at e2e/nomostest/clusters/kind.go
 	sigs.k8s.io/kustomize/api v0.15.0
 	sigs.k8s.io/kustomize/kyaml v0.17.1
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
 	sigs.k8s.io/yaml v1.4.0
 )
 
-require (
-	github.com/google/go-licenses/v2 v2.0.0-alpha.1
-	k8s.io/code-generator v0.30.3
-	sigs.k8s.io/controller-tools v0.15.0
-)
+// When updating cloud.google.com/go/auth, ensure the auth.IsCredentialsNotFoundError still works.
+require cloud.google.com/go/auth v0.12.0
 
 require (
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -90,9 +91,11 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.17.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
@@ -103,11 +106,12 @@ require (
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/licenseclassifier/v2 v2.0.0 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/martian/v3 v3.3.3 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
@@ -148,21 +152,26 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
-	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/grpc v1.66.2 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/evanphx/json-patch.v5 v5.6.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect