Opportunistic token refresh (for BitBucket Server)

[geropl]

Description

This aims to introduce a new feature for token refreshes with SCMs dubbed "opportunistic refresh". If the feature flag is enabled, AND the SCM requires it (for now only BitBucket Server!), we ask for a fresh token whenever we "safely" can.

This "safely" is determined by us storing a new reservedUntilDate with each SCM token, with is set/updated whenever we re-use a token. This way, whenever we do a lookup on a SCM token, we know whether we can safely refresh it or not.

Operational controls:

• introduces the workspace_start_scm_access_token_lifetime feature flag which controls the requested lifetime of a SCM token
  • the default for SCM tokens is 5mins
  • the default for SCM tokens on workspace start is 10mins
  • we can override the later with this feature flag
• introduces the opportunistic_token_refresh feature flag which controls whether "opportunistic refresh" is enabled at all
• updates the gitpod_scm_token_refresh_requests_total metric with a new label opportunisticRefresh ("true" | "false" | "reserved")

Related Issue(s)

Fixes ENT-4

How to test

• check the unit tests here
• manual testing:
  • observe kubectl logs server-5d5cdb8db5-tj9bl -f | grep "Token refreshed" and noticed how values change
  • join my org, and open a repo from our BitBucket instance

Documentation

Preview status

gitpod:summary

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft preemptible
  Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[geropl]

The default for "start workspace" was 30 minutes before. We are reducing to 10 here, but can adjust any time with the new feature flag.

[svenefftinge]

The code looks a bit complicated but AFAICT it would do what we want 👍

[svenefftinge]

Since we explicitly pass in the long value in workspace start situation, I think the default should be small. OTOH making this rather small would trigger refreshes more often, which doesn't seem good. Maybe worth writing a comment about these implications for our future selves?

[svenefftinge]

Alternatively we could make this rather small, but only start opportunistic refreshes when expiry is in e.g 30m

[geropl]

OTOH making this rather small would trigger refreshes more often, which doesn't seem good.

This is only true if we don't guess the estimated lifetime correctly, no? And only use SCM tokens transitively, except for the Workspaces case where we use a custom lifetime.

Alternatively we could make this rather small, but only start opportunistic refreshes when expiry is in e.g 30m

Not sure I understand: Wouldn't that remove all the benefits we are getting from this approach in the first place? 🤷
I get that we have the additional restriction, but I can't imagine this being worth it.

I'd say let's try this out in practice, and if we can tune the parameters to make it work for BBS.

[geropl]

We'll wait until Monday with merging.

[geropl]

/unhold