kubernetes, token

Assigning unique tokens to starting pods


I'm trying to find an (elegant) solution to the following problem: I have a Deployment that I want to be able to scale from 2 - 4 pods.

I have a pool of 4 unique tokens to access a resource, external to the cluster. Is there a way to (automatically) assign one of the 4 tokens to each of the running pods from the available pool? When a pod goes down, its token needs to be returned to the pool so a new pod starting up can get it assigned.

Initially, the token we use here is not a secret, but I'm looking for a solution in case secrets are involved as well.

Thanks for any help!

I could set up an additional 'DHCP' pod to do this assignment, but does Kubernetes have any built-in solution for this?


Solution

  • Kubernetes has a built in solution that provides tokens for authentication, namely service account tokens, which also have built in expiry and renewal.

    The solution you want is a token for authorization, which you would need to build on top of Kubernetes. To do so, one option is to build a token service utility API.

    This is an established pattern in cloud native OAuth deployments. You can read more about it in the WIMSE documents - this early draft is quite short and best summarizes the pattern.

    POD IDS

    Each service account token has a pod ID, but pod IDs are randomly generated in a Deployment. You could consider using a StatefulSet so that pods have known pod suffixes like -0 and -1. Pod IDs are also included in service account tokens.

    A simpler option than imposing extra pod requirements might be for the token service to issue authorization tokens on demand and keep them short lived, rather than deploying longer lived fixed tokens. That is the pattern from the WIMSE docs.
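The following is an added example of the token service the answer sketches; it is not code from the original post or from Kubernetes. Pods authenticate to the service with their bound service account token, the service has the apiserver validate it through a TokenReview, and the pod identity the apiserver reports (the `authentication.kubernetes.io/pod-name` and `authentication.kubernetes.io/pod-uid` keys in `user.extra`, which are set for bound tokens) is used to lease one of the four fixed external tokens. Leases are short-lived and renewed by the pod, so a pod that dies stops renewing and its token returns to the pool without any cleanup by Kubernetes. The HTTP call to the TokenReview endpoint is not shown; the `SAMPLE_REVIEW` response, the `token-pool` audience, the `apps/worker` service account and the `tok-*` token values are constructed for the example.

```python
"""Lease-based token pool keyed on pod identity from a TokenReview (hypothetical design)."""
import time
from dataclasses import dataclass

# Keys the apiserver populates in TokenReview status.user.extra for bound SA tokens.
POD_NAME_KEY = "authentication.kubernetes.io/pod-name"
POD_UID_KEY = "authentication.kubernetes.io/pod-uid"


class AuthError(Exception):
    pass


def pod_identity_from_token_review(review: dict, expected_sa: str, audience: str) -> dict:
    """Return {'name', 'uid'} of the calling pod, or raise AuthError.
    Checks: authenticated, minted for this service's audience, issued to the
    expected service account, and bound to exactly one pod (legacy secret-based
    tokens carry no pod binding and are rejected)."""
    status = review.get("status", {})
    if not status.get("authenticated"):
        raise AuthError("token not authenticated: %s" % status.get("error", "unknown"))
    if audience not in status.get("audiences", []):
        raise AuthError("token audience mismatch")
    user = status.get("user", {})
    if user.get("username") != expected_sa:
        raise AuthError("unexpected caller %r" % user.get("username"))
    extra = user.get("extra", {})
    names, uids = extra.get(POD_NAME_KEY, []), extra.get(POD_UID_KEY, [])
    if len(names) != 1 or len(uids) != 1:
        raise AuthError("token is not bound to a pod")
    return {"name": names[0], "uid": uids[0]}


def rejection_reason(review: dict, expected_sa: str, audience: str):
    """Same checks as above, returning the failure message (or None) for logging."""
    try:
        pod_identity_from_token_review(review, expected_sa, audience)
        return None
    except AuthError as exc:
        return str(exc)


@dataclass
class Lease:
    token: str
    pod_name: str
    pod_uid: str
    expires_at: float


class FakeClock:
    """Settable clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class TokenPool:
    """Hands out each fixed token to at most one live pod at a time."""

    def __init__(self, tokens, ttl_seconds: float = 30.0, clock=time.monotonic):
        self._free = list(tokens)   # tokens nobody currently holds
        self._leases = {}           # pod uid -> Lease
        self.ttl = ttl_seconds
        self.clock = clock

    def _reap_expired(self):
        now = self.clock()
        for uid, lease in list(self._leases.items()):
            if lease.expires_at <= now:          # pod stopped renewing: it is gone
                del self._leases[uid]
                self._free.append(lease.token)

    def acquire(self, pod: dict):
        """Lease a token for this pod or renew its existing lease; None if exhausted.
        Keyed on pod UID: a replacement pod reusing a StatefulSet name has a new
        UID, so it cannot silently inherit the previous pod's lease."""
        self._reap_expired()
        lease = self._leases.get(pod["uid"])
        if lease is None:
            if not self._free:
                return None
            lease = Lease(self._free.pop(0), pod["name"], pod["uid"], 0.0)
            self._leases[pod["uid"]] = lease
        lease.expires_at = self.clock() + self.ttl
        return lease.token

    def release(self, pod_uid: str) -> bool:
        """Explicit return on graceful shutdown (e.g. a preStop hook); expiry covers crashes."""
        lease = self._leases.pop(pod_uid, None)
        if lease is None:
            return False
        self._free.append(lease.token)
        return True

    def holder_of(self, token: str):
        self._reap_expired()
        for lease in self._leases.values():
            if lease.token == token:
                return lease.pod_name
        return None


SAMPLE_REVIEW = {  # constructed: shape of a TokenReview response for a bound SA token
    "apiVersion": "authentication.k8s.io/v1",
    "kind": "TokenReview",
    "status": {
        "authenticated": True,
        "audiences": ["token-pool"],
        "user": {
            "username": "system:serviceaccount:apps:worker",
            "groups": ["system:serviceaccounts", "system:serviceaccounts:apps"],
            "extra": {POD_NAME_KEY: ["worker-0"], POD_UID_KEY: ["c1f2a0e4-0000-4000-8000-000000000001"]},
        },
    },
}

if __name__ == "__main__":
    pod = pod_identity_from_token_review(SAMPLE_REVIEW, "system:serviceaccount:apps:worker", "token-pool")
    pool = TokenPool(["tok-A", "tok-B", "tok-C", "tok-D"], ttl_seconds=30, clock=FakeClock())
    print(pod["name"], "leased", pool.acquire(pod))
```

The TTL is the security-relevant knob: it bounds how long a token stays unavailable after a crash, and also how long a stale holder could keep using one, so the pod should renew well inside it and the external resource should ideally also accept the short-lived token rather than a long-lived one, which is the direction the WIMSE pattern takes.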