Update tokenProvider GetJWT to return token expiry too

knative · Nov 15, 2023 · 1f87397 · 1f87397
1 parent b059503
commit 1f87397
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/pkg/auth/token_provider.go b/pkg/auth/token_provider.go
@@ -52,9 +52,10 @@ func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider {
 }
 
 // GetJWT returns a JWT from the given service account for the given audience.
-func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error) {
+func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, time.Time, error) {
 	if val, ok := c.tokenCache.Get(cacheKey(serviceAccount, audience)); ok {
-		return val.(string), nil
+		ti := val.(tokenInfo)
+		return ti.token, ti.expiry, nil
 	}
 
 	// if not found in cache: request new token
@@ -70,18 +71,27 @@ func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience
 		CreateToken(context.TODO(), serviceAccount.Name, &tokenRequest, metav1.CreateOptions{})
 
 	if err != nil {
-		return "", fmt.Errorf("could not request a token for %s: %w", serviceAccount, err)
+		return "", time.Time{}, fmt.Errorf("could not request a token for %s: %w", serviceAccount, err)
 	}
 
 	// we need a duration until this token expires, use the expiry time - (now + 5min)
 	// this gives us a buffer so that it doesn't expire between when we retrieve it and when we use it
 	expiryTtl := tokenRequestResponse.Status.ExpirationTimestamp.Time.Sub(time.Now().Add(expirationBufferTime))
 
-	c.tokenCache.Set(cacheKey(serviceAccount, audience), tokenRequestResponse.Status.Token, expiryTtl)
+	ti := tokenInfo{
+		token:  tokenRequestResponse.Status.Token,
+		expiry: tokenRequestResponse.Status.ExpirationTimestamp.Time,
+	}
+	c.tokenCache.Set(cacheKey(serviceAccount, audience), ti, expiryTtl)
 
-	return tokenRequestResponse.Status.Token, nil
+	return tokenRequestResponse.Status.Token, tokenRequestResponse.Status.ExpirationTimestamp.Time, nil
 }
 
 func cacheKey(serviceAccount types.NamespacedName, audience string) string {
 	return fmt.Sprintf("%s/%s/%s", serviceAccount.Namespace, serviceAccount.Name, audience)
 }
+
+type tokenInfo struct {
+	token  string
+	expiry time.Time
+}
diff --git a/pkg/kncloudevents/event_dispatcher.go b/pkg/kncloudevents/event_dispatcher.go
@@ -345,7 +345,7 @@ func (d *Dispatcher) createRequest(ctx context.Context, message binding.Message,
 
 	if oidcServiceAccount != nil {
 		if target.Audience != nil && *target.Audience != "" {
-			jwt, err := d.oidcTokenProvider.GetJWT(*oidcServiceAccount, *target.Audience)
+			jwt, _, err := d.oidcTokenProvider.GetJWT(*oidcServiceAccount, *target.Audience)
 			if err != nil {
 				return nil, fmt.Errorf("could not get JWT: %w", err)
 			}

diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -157,7 +157,7 @@ func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context
 		}
 	}
 
-	token, err := s.tokenProvider.GetJWT(types.NamespacedName{
+	token, expiry, err := s.tokenProvider.GetJWT(types.NamespacedName{
 		Namespace: sb.Namespace,
 		Name:      *sb.Status.Auth.ServiceAccountName,
 	}, *sb.Status.SinkAudience)
@@ -169,7 +169,7 @@ func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context
 	applyConfig = applyConfig.WithStringData(map[string]string{
 		"token": token,
 	}).WithAnnotations(map[string]string{
-		"expiry": time.Now().Add(time.Hour).Format(timeFormat),
+		"expiry": expiry.Format(timeFormat),
 	})
 
 	_, err = s.kubeclient.CoreV1().Secrets(sb.Namespace).Apply(ctx, applyConfig, metav1.ApplyOptions{FieldManager: controllerAgentName})