ACM-15764: fix access token renewal from the metrics collector #1796
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thibaultmg The full list of commands accepted by this bot can be found here. The pull request process is described here
Signed-off-by: Thibault Mange <[email protected]>
8d5be3b to 48ba97a
/cherry-pick release-2.12
@thibaultmg: once the present PR merges, I will cherry-pick it on top of In response to this:
// It assumes that kubernetes renews the token when it reaches 80% of its lifetime. Most lifetimes are 1y or 1h. | ||
// The strategy is to read the token file when we reach 85% of the remaining lifetime, and then every backoff interval | ||
// when the remaining time is below 4 times the read backoff duration. |
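Review bot: the second comment line gives the read point as "85% of the remaining lifetime", while the first line measures the assumed 80% renewal against the token's whole lifetime, so the two percentages cannot be compared as written. State both against the same base (for example "85% of its lifetime") so it is clear the read lands after the assumed renewal, and say in the comment what happens when the file still holds the old token at that first read, since the third line only covers the case where the remaining time is below 4 times the read backoff duration.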
This feels a bit too complicated. How about renewing when you hit some constant margin like 5m instead?
I believe this is what we do for token-refresher https://github.com/observatorium/token-refresher/blob/master/main.go#L113
By updating the token early, I assumed we are more robust to clock skews or potential zone aware time problems (even though this last one should not happen). Even if a bit more complicated, the described strategy is validated through unit tests.
But if you prefer the referenced strategy, it is fine for me. Let's wait and see if we have other opinions.
Introduces a new struct named TokenFile to automatically renew the token by re-reading the token file when it approaches the expiration date. The token is accessed by the RoundTripper injecting the bearer token calling the GetToken() method.
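The read schedule discussed in the review thread, as an added sketch that is not the PR's code. It assumes the token is a JWT carrying `iat` and `exp` claims and that "85%" means 85% of the total lifetime elapsed; `claims`, `parseClaims`, `nextRead` and `fakeToken` are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type claims struct{ Iat, Exp int64 } // JWT time claims, Unix seconds

// parseClaims reads iat/exp from the payload; no signature check, the client only schedules reads.
func parseClaims(token string) (c claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	if err == nil && c.Exp <= c.Iat {
		err = fmt.Errorf("exp must be after iat")
	}
	return c, err
}

// nextRead waits until 85% of the lifetime has elapsed (assumed reading of the
// comment), then polls every backoff once past it or with < 4*backoff left.
func nextRead(c claims, now time.Time, backoff time.Duration) time.Duration {
	iat, exp := time.Unix(c.Iat, 0), time.Unix(c.Exp, 0)
	wait := iat.Add(exp.Sub(iat) / 100 * 85).Sub(now)
	if wait <= 0 || exp.Sub(now) < 4*backoff {
		return backoff
	}
	return wait
}

// fakeToken builds a constructed, unsigned sample token.
func fakeToken(iat, exp int64) string {
	p := fmt.Sprintf(`{"iat":%d,"exp":%d}`, iat, exp)
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(p)) + ".sig"
}

func main() {
	c, err := parseClaims(fakeToken(0, 3600)) // 1h lifetime
	fmt.Println(c, err, nextRead(c, time.Unix(600, 0), time.Minute))
}
```

With a 1h token and a 5m backoff, the "below 4 times the backoff" rule starts polling at the 40-minute mark, before the 85% point is reached.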