✨ Adding a token getter to get service account tokens

[skattoju]

Description

As part of #737 user provided service accounts will be used to manage cluster extensions, the token getter implemented in this PR enables this by providing an interface to fetch tokens given a service account. It also implements a cache where fetched tokens are stored saving requests to the api server for subsequent requests. Fixes #972

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	3b2949f
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/6686f15bcfe6650009a78b01
😎 Deploy Preview	https://deploy-preview-1006--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.07%. Comparing base (872b7f7) to head (3b2949f).
Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1006      +/-   ##
==========================================
+ Coverage   77.19%   78.07%   +0.87%     
==========================================
  Files          17       18       +1     
  Lines        1206     1254      +48     
==========================================
+ Hits          931      979      +48     
  Misses        193      193              
  Partials       82       82              

Flag	Coverage Δ
e2e	56.54% <ø> (ø)
unit	53.74% <100.00%> (+1.84%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[everettraven]

Overall I think this looks really good, great work! There are a few smaller changes I'd recommend

[joelanford]

The number of locks will grow unbounded here, right? Maybe this is unnecessary complexity to start off with. WDYT about skipping the keyLock altogether. For now, maybe it's fine to get a global lock in the Get method. That would allow only one token to be requested at a time. If that becomes a problem, we can introduce key locks later.

[everettraven]

Looking back through this a second time I was wondering the same thing. I get why the key lock was created but agree that this is probably more complex than necessary for a first pass

[skattoju]

ok ill remove the key locks for now

[everettraven]

Using the expiration seconds field here feels unintuitive to me. Maybe we should add another field to the struct called something like rotationThreshold that is a time.Duration type?

[joelanford]

Or maybe we make it some hardcoded fraction of expirationSeconds? Maybe if we're within 10% or something (i.e. if expiration is 100s, then we would get a new token anytime after 90s)

[skattoju]

yeah i guess setting that to expirationSeconds may be too much.. I will add a rotationThreshold so its configurable..

[skattoju]

So if expirationSeconds is 100s and we set rotationThreshold to 10s we we would create a new token if its been more than 90s since the token was created like you suggested 👍

[joelanford]

If we allow expiration seconds and rotation threshold to be independently configurable, we probably need to do some sanity validation to make sure they make sense.

But I'm not sure we actually need rotation threshold to be configurable if we just make it expirationDuration * 0.1 or whatever we think is a reasonable ratio. I feel like we may be over-engineering this.

[joelanford]

We should change this to a time.Duration type and change the name to expirationDuration. The name ("Seconds" suffix) and value (integer number of nanoseconds in 5 minutes) lead a reader to an incorrect conclusion.

[skattoju]

I guess that was int64 because the TokenRequest api takes an pointer to an int64.. its better as a time.Duration 👍

[joelanford]

How do we envision Clean and TokenExists being used?

[skattoju]

Clean would be to remove entries from the cache when extensions are uninstalled or unused items need to be cleaned up for some other reason. TokenExists is debatable, as I added to make it testable.

[skattoju]

These are made redundant by reapExpiredTokens so I have removed them

[everettraven]

Thanks for bearing with us on all the reviews @skattoju - I think this is in a good state now!

[joelanford]

Why would we keep expired tokens around? Seems like they could be reaped as soon as they expire.

[skattoju]

Now that you mention it, it seems like we can get rid of that expiredDuration parameter 🤔

[joelanford]

Will rotationThresholdAfterNow always evaluate to 0 when RotationThresholdPercentage < 100? Seems like (RotationThresholdPercentage / 100) is an integer division.

RotationThresholdPercentage should probably be a float64 so that we can do something like this:

Suggested change

	rotationThresholdAfterNow := metav1.Now().Add(t.expirationDuration * (RotationThresholdPercentage / 100))
	rotationThresholdAfterNow := metav1.Now().Add(time.Duration(float64(t.expirationDuration) * RotationThresholdPercentage)

[joelanford]

also, any reason for RotationThresholdPercentage to be exported? Seems like we could unexport it.

[joelanford]

t.expirationDuration needs to be converted to an integer number of seconds to be used in the TokenRequest API.

[joelanford]

Suggested change

	Spec: authenticationv1.TokenRequestSpec{ExpirationSeconds: ptr.To[int64](int64(t.expirationDuration))},
	Spec: authenticationv1.TokenRequestSpec{ExpirationSeconds: ptr.To[int64](int64(t.expirationDuration/time.Second))},