Merge pull request #14 from kiwicom/token-cache-duration

feat(cache): configurable vault token duration
kiwicom · Sep 15, 2023 · 656cdf4 · 656cdf4
2 parents fb4ac8c + 771f1a7
commit 656cdf4
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 22 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -34,11 +34,11 @@ jobs:
 
     strategy:
       matrix:
-        vaultVer: [ "latest", "1.12.6" ]
+        vaultVer: [ "latest", "1.14", "1.13", "1.12" ]
 
     services:
       vault:
-        image: vault:${{ matrix.vaultVer }}
+        image: docker.io/hashicorp/vault:${{ matrix.vaultVer }}
         ports:
           - 8200:8200
         options: >-

diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
@@ -225,7 +225,8 @@ func (r *VaultSecretReconciler) getAuthServiceAccount(vaultSecret k8skiwicomv1.V
 	if err := vaultClient.SetAddress(vaultSecret.Spec.Addr); err != nil {
 		return nil, fmt.Errorf("vault set address: %w", err)
 	}
-	saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role, saRef.AuthPath, false)
+	saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role,
+		saRef.AuthPath, false, r.VaultConfig.RefreshTokenBefore)
 	r.saCacheMx.Lock()
 	defer r.saCacheMx.Unlock()
 	r.authSACache[id] = saAccount

diff --git a/pkg/vault/auth.go b/pkg/vault/auth.go
@@ -30,28 +30,30 @@ func (a AuthToken) Token() (string, error) {
 }
 
 type AuthServiceAccount struct {
-	name             string
-	namespace        string
-	role             string
-	path             string
-	vaultClient      *vaultApi.Client
-	autoMount        bool
-	k8ClientSet      *kubernetes.Clientset
-	cacheMx          sync.RWMutex
-	cachedVaultToken string
-	vaultTokenExpire time.Time
+	name               string
+	namespace          string
+	role               string
+	refreshTokenBefore time.Duration
+	path               string
+	vaultClient        *vaultApi.Client
+	autoMount          bool
+	k8ClientSet        *kubernetes.Clientset
+	cacheMx            sync.RWMutex
+	cachedVaultToken   string
+	vaultTokenExpire   time.Time
 }
 
 func NewAuthServiceAccount(vaultClient *vaultApi.Client, k8ClientSet *kubernetes.Clientset,
-	name, namespace, role, path string, automount bool) *AuthServiceAccount {
+	name, namespace, role, path string, automount bool, refreshTokenBefore time.Duration) *AuthServiceAccount {
 	return &AuthServiceAccount{
-		name:        name,
-		namespace:   namespace,
-		role:        role,
-		path:        path,
-		vaultClient: vaultClient,
-		autoMount:   automount,
-		k8ClientSet: k8ClientSet,
+		name:               name,
+		namespace:          namespace,
+		role:               role,
+		path:               path,
+		vaultClient:        vaultClient,
+		autoMount:          automount,
+		k8ClientSet:        k8ClientSet,
+		refreshTokenBefore: refreshTokenBefore,
 	}
 }
 func (a *AuthServiceAccount) cachedToken() string {
@@ -62,7 +64,7 @@ func (a *AuthServiceAccount) cachedToken() string {
 
 func (a *AuthServiceAccount) Token() (string, error) {
 	vaultToken := a.cachedToken()
-	if vaultToken != "" && time.Now().Add(30*time.Second).Before(a.vaultTokenExpire) {
+	if vaultToken != "" && time.Now().Add(a.refreshTokenBefore).Before(a.vaultTokenExpire) {
 		return vaultToken, nil
 	}
 

diff --git a/pkg/vault/config.go b/pkg/vault/config.go
@@ -25,6 +25,7 @@ type AppConfig struct {
 	Role                    string        `koanf:"role"`
 	DefaultVaultAddr        string        `koanf:"vault_addr"`
 	MaxConcurrentReconciles int           `koanf:"max_concurrent_reconciles"`
+	RefreshTokenBefore      time.Duration `koanf:"refresh_token_before"`
 }
 
 func NewAppConfig() (AppConfig, error) {
@@ -37,6 +38,7 @@ func NewAppConfig() (AppConfig, error) {
 		"operator_role":             "vault-operator",
 		"vault_addr":                "http://127.0.0.1:8200",
 		"max_concurrent_reconciles": 5,
+		"refresh_token_before":      time.Minute * 2,
 	}, "."), nil)
 	if err != nil {
 		return cfg, fmt.Errorf("default setting load: %w", err)