fix: standardize token ttl

rivet-gg · Apr 12, 2024 · 7f04fb7 · 7f04fb7
1 parent f6d5c2a
commit 7f04fb7
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 5 deletions.
diff --git a/svc/pkg/cluster/util/src/lib.rs b/svc/pkg/cluster/util/src/lib.rs
@@ -16,6 +16,9 @@ const RESERVE_MEMORY: u64 = RESERVE_SYSTEM_MEMORY + RESERVE_LB_MEMORY;
 
 const CPU_PER_CORE: u64 = 1999;
 
+// TTL of the token written to prebake images. Prebake images are renewed before the token would expire
+pub const SERVER_TOKEN_TTL: i64 = rivet_util::duration::days(30 * 6);
+
 /// Provider agnostic hardware specs.
 #[derive(Debug)]
 pub struct JobNodeConfig {

diff --git a/svc/pkg/cluster/worker/src/workers/server_install/mod.rs b/svc/pkg/cluster/worker/src/workers/server_install/mod.rs
@@ -10,9 +10,6 @@ use ssh2::Session;
 
 mod install_scripts;
 
-// 6 months
-pub const TOKEN_TTL: i64 = util::duration::days(30 * 6);
-
 #[worker(name = "cluster-server-install", timeout = 200)]
 async fn worker(ctx: &OperationContext<cluster::msg::server_install::Message>) -> GlobalResult<()> {
 	// Check for stale message
@@ -51,7 +48,7 @@ async fn worker(ctx: &OperationContext<cluster::msg::server_install::Message>) -
 	// Create server token for authenticating API calls from the server
 	let token_res = op!([ctx] token_create {
 		token_config: Some(token::create::request::TokenConfig {
-			ttl: TOKEN_TTL,
+			ttl: util_cluster::SERVER_TOKEN_TTL,
 		}),
 		refresh_token_config: None,
 		issuer: "cluster-worker-server-install".to_owned(),

diff --git a/svc/pkg/linode/standalone/gc/Cargo.toml b/svc/pkg/linode/standalone/gc/Cargo.toml
@@ -19,6 +19,7 @@ serde_json = "1.0"
 tokio = { version = "1.29", features = ["full"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", default-features = false, features = ["fmt", "json", "ansi"] }
+util-cluster = { package = "rivet-util-cluster", path = "../../../cluster/util" }
 util-linode = { package = "rivet-util-linode", path = "../../util" }
 
 [dependencies.sqlx]

diff --git a/svc/pkg/linode/standalone/gc/src/lib.rs b/svc/pkg/linode/standalone/gc/src/lib.rs
@@ -203,7 +203,11 @@ async fn delete_expired_images(
 	client: &util_linode::Client,
 	complete_images: &[api::CustomImage],
 ) -> GlobalResult<()> {
-	let expiration = chrono::Utc::now() - chrono::Duration::days(6 * 30);
+	// Prebake images have an expiration because of their server token. We add 2 days of padding here for
+	// safety
+	let expiration = chrono::Utc::now()
+		- chrono::Duration::milliseconds(util_cluster::SERVER_TOKEN_TTL)
+		+ chrono::Duration::days(2);
 
 	let expired_images = complete_images
 		.iter()