Copilot AI (Contributor) commented Oct 27, 2025

PoP token caches on Linux and macOS shared encryption keys across different cache directories, causing cache corruption and repeated authentication prompts when switching between clusters or contexts.

Root Cause

Cache encryption keys were identified by filename alone (pop_tokens.cache) instead of full path:

# Two clusters with different cache directories
~/.kube/cache/cluster-a/pop_tokens.cache  # Uses keyring key "pop_tokens.cache"
~/.kube/cache/cluster-b/pop_tokens.cache  # Uses SAME keyring key "pop_tokens.cache"

# Switching contexts overwrites the encryption key → decrypt fails → re-auth required

Changes

Linux (pkg/internal/pop/cache/linux.go)

  • Keyring description: filepath.Base(path) → full path

macOS (pkg/internal/pop/cache/darwin.go)

  • Keychain account: hardcoded "MSALCache" → sha256(cachePath)[:16]
  • Hash used due to Keychain account name length limits

Test (pkg/internal/pop/cache/linux_test.go)

  • Updated assertion to verify full path usage

Impact

Fixes #654 for users experiencing repeated login with:

  • Multiple clusters using different --cache-dir settings
  • Context switching in multi-cluster environments
  • Azure Arc and Hybrid AKS deployments

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid-url
    • Triggering command: /tmp/go-build4145022418/b676/token.test -test.testlogfile=/tmp/go-build4145022418/b676/testlog.txt -test.paniconexit0 -test.timeout=5m0s (dns block)
    • Triggering command: /tmp/go-build2879192260/b676/token.test -test.testlogfile=/tmp/go-build2879192260/b676/testlog.txt -test.paniconexit0 -test.timeout=5m0s (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

fix bug #654
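To make the isolation property in the description concrete, here is an added Go example (not kubelogin's own code) that models the OS keyring/Keychain as an in-memory map, wraps a cache blob with AES-GCM, and replays the context switch: cluster-a saves a token, cluster-b's cache is opened, and cluster-a tries to read its token back. Assumptions: the three identifier functions (filename-only, full path, hashed path), the AES-GCM wrapping, the cache paths and token bytes are all constructed for this example; `sha256(cachePath)[:16]` is taken to mean the first 16 hex characters of the digest.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
)

// idFunc maps a cache file path to the identifier under which that cache's
// encryption key is stored in the OS secret store (keyring or Keychain).
type idFunc func(cachePath string) string

// legacyID models the pre-fix behaviour: the bare filename, so every cache
// directory that holds a pop_tokens.cache maps to the same key entry.
func legacyID(p string) string { return filepath.Base(p) }

// linuxID models the post-fix Linux keyring description: the full path.
func linuxID(p string) string { return filepath.Clean(p) }

// darwinID models the post-fix macOS Keychain account, sha256(cachePath)[:16].
// Assumption: "[:16]" means the first 16 hex characters of the digest.
func darwinID(p string) string {
	sum := sha256.Sum256([]byte(filepath.Clean(p)))
	return hex.EncodeToString(sum[:])[:16]
}

// secretStore stands in for the OS keyring/Keychain: one AES key per identifier.
type secretStore map[string][]byte

// popCache models a single encrypted cache file. The key is looked up from the
// store by identifier on every use, which is what makes an overwrite fatal.
type popCache struct {
	id    string
	store secretStore
	blob  []byte // nonce || ciphertext, i.e. what would be written to disk
}

// openCache provisions a fresh key for the cache, as the PR describes happening
// on a context switch, replacing whatever key was stored under the same id.
func openCache(store secretStore, path string, id idFunc) *popCache {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store[id(path)] = key
	return &popCache{id: id(path), store: store}
}

func (c *popCache) aead() cipher.AEAD {
	block, err := aes.NewCipher(c.store[c.id])
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Save encrypts the token material with the key currently stored under c.id.
func (c *popCache) Save(plaintext []byte) {
	g := c.aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c.blob = append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

// Load decrypts with whatever key is stored under c.id right now; a GCM
// authentication failure is the "decrypt fails -> re-auth required" path.
func (c *popCache) Load() ([]byte, error) {
	g := c.aead()
	ns := g.NonceSize()
	if len(c.blob) < ns {
		return nil, errors.New("cache is empty")
	}
	return g.Open(nil, c.blob[:ns], c.blob[ns:], nil)
}

// survivesContextSwitch saves a token for cluster-a, opens cluster-b's cache
// (the context switch) and reports whether cluster-a's token is still readable.
func survivesContextSwitch(id idFunc) bool {
	store := secretStore{}
	a := openCache(store, "/home/user/.kube/cache/cluster-a/pop_tokens.cache", id)
	a.Save([]byte("constructed PoP token for cluster-a"))
	_ = openCache(store, "/home/user/.kube/cache/cluster-b/pop_tokens.cache", id)
	_, err := a.Load()
	return err == nil
}

func main() {
	fmt.Println("filename-only id survives switch:", survivesContextSwitch(legacyID)) // false
	fmt.Println("full-path id survives switch:", survivesContextSwitch(linuxID))      // true
	fmt.Println("hashed-path id survives switch:", survivesContextSwitch(darwinID))   // true
}
```

With the filename-only identifier, opening cluster-b's cache replaces the key under `pop_tokens.cache`, so cluster-a's blob no longer authenticates and the caller would have to re-login; keying by full path or by a hash of it keeps the two entries separate. The 16-hex-character prefix is 64 bits of the digest, which is more than enough to keep a handful of cache directories from colliding while staying within the Keychain account-name limit the PR mentions.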



Copilot AI and others added 3 commits October 27, 2025 17:52
Previously, all PoP caches on macOS shared the same Keychain entry (service: "kubelogin-pop", account: "MSALCache"), which caused:
1. Test storage and actual cache to conflict
2. Test deletion could clear actual cache data
3. Multiple cache instances couldn't be isolated

Now using cache filename as the account identifier to differentiate between different caches.

Co-authored-by: daxakp <32614003+daxakp@users.noreply.github.com>
The bug affected both Linux and macOS platforms where different cache directories
would share the same encryption key, causing cache conflicts and repeated login prompts.

Linux: Changed keyring description from filename to full path
macOS: Changed Keychain account from fixed "MSALCache" to hash of full path

This ensures each cache directory (e.g., different clusters with --cache-dir)
has its own isolated encryption key, preventing cache corruption and auth failures.

Co-authored-by: daxakp <32614003+daxakp@users.noreply.github.com>
Co-authored-by: daxakp <32614003+daxakp@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix bug #654 Fix PoP cache isolation bug causing repeated login prompts Oct 27, 2025
Copilot AI requested a review from daxakp October 27, 2025 18:07
@daxakp daxakp marked this pull request as ready for review October 27, 2025 19:26
vineeth-thumma (Contributor) commented:

@daxakp Is this change tested end-to-end?


Linked issue (may be closed by this pull request): Interactive PoP requiring repeated login for version kubelogin >= 0.2.0