fixed cached service account token (#46)

* fixed cached service account token Signed-off-by: raffaelespazzoli <raffaele.spazzoli@gmail.com> * incorporated andy's feedback Signed-off-by: raffaelespazzoli <raffaele.spazzoli@gmail.com> Signed-off-by: raffaelespazzoli <raffaele.spazzoli@gmail.com>
redhat-cop · Sep 4, 2022 · 1590b4e · 1590b4e
1 parent a2c00b8
commit 1590b4e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/controllers/patch_controller.go b/controllers/patch_controller.go
@@ -18,6 +18,8 @@ package controllers
 
 import (
 	"context"
+	"os"
+	"time"
 
 	"github.com/redhat-cop/operator-utils/pkg/util"
 	"github.com/redhat-cop/operator-utils/pkg/util/apis"
@@ -132,11 +134,26 @@ func getJWTToken(context context.Context, serviceAccountName string, kubeNamespa
 	log := log.FromContext(context)
 
 	restConfig := context.Value("restConfig").(*rest.Config)
-	expiration := int64(600)
+	lenght, found := os.LookupEnv("SERVICE_ACCOUNT_TOKEN_EXPIRATION_DURATION")
+	//default is 1 year
+	defaultDuration, _ := time.ParseDuration("8760h")
+	var duration time.Duration
+	if found {
+		parsedDuration, err := time.ParseDuration(lenght)
+		if err != nil {
+			log.Error(err, "unable to parse SERVICE_ACCOUNT_TOKEN_EXPIRATION_DURATION to duration, continuing with", "default duration", defaultDuration)
+			duration = defaultDuration
+		} else {
+			duration = parsedDuration
+		}
+	} else {
+		duration = defaultDuration
+	}
 
+	seconds := int64(duration.Seconds())
 	treq := &authv1.TokenRequest{
 		Spec: authv1.TokenRequestSpec{
-			ExpirationSeconds: &expiration,
+			ExpirationSeconds: &seconds,
 		},
 	}
 
@@ -153,6 +170,8 @@ func getJWTToken(context context.Context, serviceAccountName string, kubeNamespa
 		return "", err
 	}
 
+	log.Info("token expiration: " + treq.Status.ExpirationTimestamp.String())
+
 	return treq.Status.Token, nil
 }
 

diff --git a/readme.md b/readme.md
@@ -384,6 +384,7 @@ The `deployer` service accounts from all namespaces are selected as target of th
 ### Patch Controller Security Considerations
 
 The patch enforcement enacted by the patch controller is executed with a client which uses the service account referenced by the `serviceAccountRef` field. So before a patch object can actually work an administrator must have granted the needed permissions to a service account in the same namespace. The `serviceAccountRef` will default to the `default` service account if not specified.
+This operator uses the TokenRequest API to get a token to instantiate an internal controller to watch for the target(s) and source(s) of a patch. The token request API returns time bound token. At the moment, this token is refreshed when the patch is changed or when the operator is restarted. It is a responsibility of the administrator to make sure that the token is refreshed before its expiration or the patch will stop being enforced. By default, tokens have a 1 year expiration period. This default can be changed via the `SERVICE_ACCOUNT_TOKEN_EXPIRATION_DURATION` environment variable. Environment variables can be set following these [instructions](https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md#env) The expected format is of [time.Duration](https://pkg.go.dev/time#ParseDuration)
 
 ### Patch Controller Performance Considerations