When running OpenVSX on Kubernetes with IRSA and AWS S3 storage (without CDN), the getLocation() method fails after approximately 60 minutes with credential refresh errors, causing all extension downloads to return 500.
This is a regression from the IRSA support added in #1327 — the S3Client is correctly cached as a singleton, but the S3Presigner is created and destroyed on every call via try-with-resources, which kills the HTTP connection pool needed for credential refresh.
Steps to Reproduce
Publish an extension and verify it downloads successfully
Wait 63+ minutes
Request any extension asset — returns 500
Environment
OpenShift (ROSA) with IRSA
OpenVSX v0.32.3
AWS SDK for Java v2
S3 storage enabled, CDN disabled
Root Cause
// Current code - creates and destroys presigner on every call
private URI getLocation(String objectKey) {
    ...
    try (var presigner = getS3Presigner()) { // new presigner each time
        var presignedRequest = presigner.presignGetObject(presignRequest);
        return presignedRequest.httpRequest().getUri();
    } // closes presigner → kills HTTP pool → credential refresh breaks
}
Closing the S3Presigner shuts down the DefaultCredentialsProvider's internal HTTP client used for STS AssumeRoleWithWebIdentity calls. After ~60 minutes when cached IRSA credentials expire, the SDK cannot refresh them because the HTTP connection pool is dead.
Note: S3Client does not have this issue because it is already cached as a singleton field in the same class.
Fix
Cache the S3Presigner as a singleton field (same pattern already used for S3Client). Will submit a PR shortly.
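A sketch of the caching pattern described under Fix, as an added example that is not OpenVSX's code or the submitted PR. The class name `CachedPresignerExample`, the constructor parameters and the 10-minute signature duration are assumptions for illustration.

```java
import java.net.URI;
import java.time.Duration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;

// Hypothetical holder class; not OpenVSX's actual storage service.
public class CachedPresignerExample implements AutoCloseable {
    private final String bucket;            // assumed configuration value
    private final Region region;            // assumed configuration value
    private volatile S3Presigner presigner; // created once, reused for every request

    public CachedPresignerExample(String bucket, Region region) {
        this.bucket = bucket;
        this.region = region;
    }

    // Lazily build one presigner and keep it for the life of the service,
    // so the credentials provider behind it is still usable when the
    // cached IRSA credentials expire and have to be refreshed.
    private S3Presigner getS3Presigner() {
        S3Presigner local = presigner;
        if (local == null) {
            synchronized (this) {
                local = presigner;
                if (local == null) {
                    local = S3Presigner.builder().region(region).build();
                    presigner = local;
                }
            }
        }
        return local;
    }

    public URI getLocation(String objectKey) {
        var getRequest = GetObjectRequest.builder().bucket(bucket).key(objectKey).build();
        var presignRequest = GetObjectPresignRequest.builder()
                .signatureDuration(Duration.ofMinutes(10)) // assumed link lifetime
                .getObjectRequest(getRequest)
                .build();
        // No try-with-resources: the shared presigner is not closed per call.
        return getS3Presigner().presignGetObject(presignRequest).httpRequest().getUri();
    }

    // Close exactly once, when the owning service shuts down.
    @Override
    public synchronized void close() {
        if (presigner != null) {
            presigner.close();
            presigner = null;
        }
    }
}
```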