credential-plugin: add Expiration to then token

pkg/ctl/credentialplugin/gettoken.go

@@ -44,6 +44,12 @@ var getTokenCmd = &cobra.Command{
 
 func newTokenExecCredential(token *ramauthenticator.Token) (*types.ExecCredential, error) {
 	version := getApiVersion(getCredentialOpts.apiVersion)
+	var exp *types.KubeTime
+	if !token.Expiration.IsZero() {
+		t := types.NewKubeTime(token.Expiration)
+		exp = &t
+	}
+
 	cred := &types.ExecCredential{
 		KubeTypeMeta: types.KubeTypeMeta{
 			Kind:       kindExecCredential,
@@ -53,7 +59,8 @@ func newTokenExecCredential(token *ramauthenticator.Token) (*types.ExecCredentia
 			Interactive: false,
 		},
 		Status: &types.ExecCredentialStatus{
-			Token: token.String(),
+			ExpirationTimestamp: exp,
+			Token:               token.String(),
 		},
 	}
 

pkg/ramauthenticator/token.go

@@ -11,12 +11,15 @@ import (
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/aliyun/credentials-go/credentials"
 	"strings"
+	"time"
 )
 
 const (
 	tokenPrefixV1 = "k8s-ack-v2." // #nosec G101
 )
 
+var tokenExpiration = time.Minute * 15 // #nosec G101
+
 var signParamsWhitelist = map[string]bool{
 	"x-acs-action":          true,
 	"x-acs-version":         true,
@@ -36,6 +39,8 @@ type Token struct {
 	Path    string            `json:"path"`
 	Query   map[string]string `json:"query"`
 	Headers map[string]string `json:"headers"`
+
+	Expiration time.Time `json:"-"`
 }
 
 func GenerateToken(clusterId string, cred credentials.Credential) (*Token, error) {
@@ -80,6 +85,8 @@ func GenerateToken(clusterId string, cred credentials.Credential) (*Token, error
 		t.Query[k] = tea.StringValue(v)
 	}
 
+	t.Expiration = time.Now().Add(tokenExpiration - 5*time.Minute).UTC()
+
 	return t, nil
 }
 

pkg/types/kube.go

@@ -115,6 +115,10 @@ type KubeTime struct {
 	time.Time
 }
 
+func NewKubeTime(t time.Time) KubeTime {
+	return KubeTime{t}
+}
+
 func (t KubeTime) MarshalJSON() ([]byte, error) {
 	if t.IsZero() {
 		// Encode unset/nil objects as JSON's "null".