26 changes: 15 additions & 11 deletions authentikos/authentikos.go
@@ -77,7 +77,7 @@ const (
var timeNow = time.Now

// tokenCreator is a function that creates an oauth token.
type tokenCreator func(forceRefresh bool, tries int) ([]byte, error)
type tokenCreator func(forceRefresh bool, tries int) ([]byte, *time.Time, error)

// secretCreator is a function that creates a kubernetes secret.
type secretCreator func() ([]*corev1.Secret, namespacedErrors)
@@ -109,7 +109,8 @@ func (errs namespacedErrors) Errors() string {

// tokenTemplate is the template data structure.
type tokenTemplate struct {
Token string
Token string
Expire int64
}

// options are the available command-line flags.
@@ -240,15 +241,18 @@ func withBackoff(factor float64, retry int, f interface{}) interface{} {
return f
}

func generateTokenData(o options, data []byte) ([]byte, error) {
func generateTokenData(o options, data []byte, expiration *time.Time) ([]byte, error) {
var b bytes.Buffer

tmpl, err := template.New("TokenData").Funcs(sprig.FuncMap()).Parse(o.template)
if err != nil {
return nil, err
}

err = tmpl.Execute(&b, &tokenTemplate{Token: string(data)})
err = tmpl.Execute(&b, &tokenTemplate{
Token: string(data),
Expire: expiration.Unix(),
})
if err != nil {
return nil, err
}
@@ -299,9 +303,9 @@ func getOauthTokenCreator(o options) (tokenCreator, error) {
return client, err
}

create = func(forceRefresh bool, tries int) ([]byte, error) {
create = func(forceRefresh bool, tries int) ([]byte, *time.Time, error) {
if tries <= 0 {
return nil, fmt.Errorf("maximum tries: %d exceeded to force refresh token", maxTries)
return nil, nil, fmt.Errorf("maximum tries: %d exceeded to force refresh token", maxTries)
}

client, err := clientCreator(forceRefresh)
@@ -322,15 +326,15 @@ func getOauthTokenCreator(o options) (tokenCreator, error) {
return withBackoff(1, maxTries-tries, create).(tokenCreator)(true, tries-1)
}

return []byte(token.AccessToken), nil
return []byte(token.AccessToken), &token.Expiry, nil
}

return create, nil
}

// createOrUpdateSecret creates or updates a kubernetes secrets.
func createOrUpdateSecret(o options, client v1.SecretsGetter, ns string, secretData []byte) (*corev1.Secret, error) {
data, err := generateTokenData(o, secretData)
func createOrUpdateSecret(o options, client v1.SecretsGetter, ns string, secretData []byte, expiration *time.Time) (*corev1.Secret, error) {
data, err := generateTokenData(o, secretData, expiration)
if err != nil {
return nil, err
}
@@ -375,9 +379,9 @@ func getSecretCreator(o options, create tokenCreator) (secretCreator, error) {
)

for _, ns := range o.namespace {
if secretData, err := create(o.forceRefresh, maxTries); err != nil {
if secretData, expiration, err := create(o.forceRefresh, maxTries); err != nil {
errs = append(errs, &namespacedError{ns, err.Error()})
} else if secret, err := createOrUpdateSecret(o, client, ns, secretData); err != nil {
} else if secret, err := createOrUpdateSecret(o, client, ns, secretData, expiration); err != nil {
errs = append(errs, &namespacedError{ns, err.Error()})
} else {
secrets = append(secrets, secret)
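Review bot: `generateTokenData` calls `expiration.Unix()` without checking that the pointer is non-nil or that the time is non-zero. If `token` is an `oauth2.Token`, as the `AccessToken`/`Expiry` fields suggest, a zero `Expiry` means the token does not expire, and `.Expire` would then render as -62135596800; the cookie-style example template changed later on this page would emit an expiry far in the past, so consumers would likely discard a valid credential. A nil `expiration` panics at this call; the visible code only passes `&token.Expiry` on success, but part of `create` is collapsed, so this cannot be confirmed from the hunk. Passing `time.Time` by value and building the template data with a guard such as `if !expiration.IsZero() { td.Expire = expiration.Unix() }` would cover both cases, with the flag documentation stating what `0` means. The new field also deserves a comment such as `// Expire is the token expiry as Unix seconds.`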
2 changes: 1 addition & 1 deletion authentikos/examples/authentikos-deployment.yaml
@@ -71,7 +71,7 @@ spec:
- --creds=/etc/creds/service-account.json
- --namespace=default,test-pods
- --scopes=https://www.googleapis.com/auth/devstorage.full_control
- --template='I acquired a {{.Token}} at {{now | date "3:04PM"}}'
- --template='I acquired a {{.Token}} at {{now | date "3:04PM"}} expire at {{.Expire}}'
volumeMounts:
- name: creds
mountPath: /etc/creds
@@ -73,8 +73,8 @@ spec:
- --namespace=test-pods
- --scopes=https://www.googleapis.com/auth/gerritcodereview
- |
--template=.googlesource.com TRUE / TRUE {{now | unixEpoch | add 3600}} o {{.Token}}
source.developers.google.com FALSE / TRUE {{now | unixEpoch | add 3600}} o {{.Token}}
--template=.googlesource.com TRUE / TRUE {{.Expire}} o {{.Token}}
source.developers.google.com FALSE / TRUE {{.Expire}} o {{.Token}}
volumeMounts:
- name: creds
mountPath: /etc/creds