kerberos: improve ticket renewal #444
Description
Since #375, Kerberos tickets are renewed periodically during the execution of the jobs. This is done with a sidecar container.
It works well but it has few small issues:
- the job docker image needs to have
touch, as it's used to create a file in a directory shared with the sidecar container, so that the sidecar knows when to stop renewing the tickets - it might happen that for some reason the
touchcommand is not called (e.g. missing command, some other failure). in this case the sidecar will keep running, preventing the job from being cleaned up
Possible improvements:
- avoid using touch
- improve job monitor to detect this situation and clean up the job anyway
- switch to sidecar containers, but this is a very new feature of k8s (beta in 1.29) https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/