Add cache specialized for access tokens #870

Merged
merged 1 commit into from
Mar 1, 2025
matheuscscp
Member

Introduce a cache that is specialized for access tokens. This is a thin abstraction on top of the LRU cache adding requirements that are important for managing the lifetime of tokens:

  • We consider tokens expired after 80% of their lifetime. This is what kubelet does for rotating ServiceAccount tokens inside pods (ref).
  • We need a pessimistic approach for considering tokens expired. With this in mind we store two time points: the usual time.Now().Add(duration), which has a monotonic clock, and also a Unix time point without a monotonic clock. If either reports t.Before(time.Now()) == true, the token is considered expired. This is important because Flux may be running in local machines, which are often put to sleep. When they come back up, the monotonic clock will resume from where it stopped, i.e. for the monotonic clock the machine sleep time is considered a "pause". This would cause tokens to be kept beyond their actual expiration, so we use both clocks to ensure we don't return expired tokens on TokenCache.Get().
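The dual-clock expiry check described above, as an added sketch that is not part of the pull request or the project's code. The names `entry`, `newEntry`, `expired`, `monoOnlyExpired` and `afterSuspend` are hypothetical, and the machine sleep is simulated by shifting the stored wall-clock deadline.

```go
package main

import (
	"fmt"
	"time"
)

// entry is a hypothetical cache item, not the type from the pull request.
type entry struct {
	token string
	mono  time.Time // deadline that carries a monotonic clock reading
	wall  time.Time // same deadline, wall clock only
}

// newEntry treats the token as expired after 80% of its lifetime.
func newEntry(token string, lifetime time.Duration, now time.Time) entry {
	d := lifetime * 8 / 10
	return entry{
		token: token,
		mono:  now.Add(d),
		wall:  now.Add(d).Round(0), // Round(0) strips the monotonic reading
	}
}

// expired is pessimistic: either clock passing its deadline is enough.
// Before() compares monotonic readings when both values have one and
// falls back to the wall clock when either value lacks it.
func (e entry) expired(now time.Time) bool {
	return e.mono.Before(now) || e.wall.Before(now)
}

// monoOnlyExpired is the single-clock check that a suspend can fool.
func (e entry) monoOnlyExpired(now time.Time) bool {
	return e.mono.Before(now)
}

// afterSuspend models a machine sleep of length slept: the wall clock moved on
// while the monotonic clock paused, so relative to now only the wall deadline
// got closer. Constructed simulation; a real suspend changes now, not e.
func afterSuspend(e entry, slept time.Duration) entry {
	e.wall = e.wall.Add(-slept)
	return e
}

func main() {
	now := time.Now()
	e := afterSuspend(newEntry("constructed-token", 10*time.Minute, now), time.Hour)
	fmt.Println("monotonic only:", e.monoOnlyExpired(now), "both clocks:", e.expired(now))
}
```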

@matheuscscp matheuscscp force-pushed the token-cache branch 8 times, most recently from a0e0679 to 43bd37c Compare February 27, 2025 01:30
Member

@stefanprodan stefanprodan left a comment

LGTM

Thanks @matheuscscp 🏅

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
@matheuscscp matheuscscp merged commit 0c883c9 into main Mar 1, 2025
12 checks passed
@matheuscscp matheuscscp deleted the token-cache branch March 1, 2025 01:12