spire-server: default to 5 minute refresh hint
if the trust bundle for a domain does not specify a refresh_hint, default to 5 minutes for refreshing the bundle

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
sorindumitru committed Aug 2, 2023
1 parent c19d369 commit 2116ec1
Showing 2 changed files with 15 additions and 0 deletions.
8 changes: 8 additions & 0 deletions pkg/server/bundle/client/manager.go
Expand Up @@ -26,6 +26,11 @@ const (
// configs from the source and reconciles it against the current bundle
// updaters.
configRefreshInterval = time.Second * 10

// defaultRefreshInterval is how often the managed reloads the trust bundle
// for a trust domain if that trust domain does not specify a refresh hin in
// its current trust bundle.
defaultRefreshInterval = time.Minute * 5
)

type TrustDomainConfig struct {
Expand Down Expand Up @@ -337,6 +342,9 @@ func (m *Manager) notifyBundleRefreshed(ctx context.Context, nextRefresh time.Du
}

func calculateNextUpdate(b *spiffebundle.Bundle) time.Duration {
if _, ok := b.RefreshHint(); ok == false {
return defaultRefreshInterval
}
return bundleutil.CalculateRefreshHint(b) / attemptsPerRefreshHint
}

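Review bot: The new guard in calculateNextUpdate covers only an absent hint (`ok == false`); a bundle whose refresh hint is present but zero or negative still reaches the division by attemptsPerRefreshHint, and judging by the test names that value appears to come from the federated trust domain's bundle endpoint rather than from local configuration. Unless bundleutil.CalculateRefreshHint already enforces a floor (its body is not visible on this page), consider `if hint, ok := b.RefreshHint(); !ok || hint <= 0 {` so a degenerate hint also falls back to defaultRefreshInterval and cannot drive the refresh loop towards a zero interval. `!ok` is also the idiomatic spelling of `ok == false`. The comment on defaultRefreshInterval has two typos and should read `how often the manager reloads the trust bundle for a trust domain if that trust domain does not specify a refresh hint`.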
7 changes: 7 additions & 0 deletions pkg/server/bundle/client/manager_test.go
Expand Up @@ -27,6 +27,7 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) {
localBundle.SetRefreshHint(time.Hour)
endpointBundle := spiffebundle.FromX509Authorities(trustDomain, []*x509.Certificate{createCACertificate(t, "endpoint")})
endpointBundle.SetRefreshHint(time.Hour * 2)
noRefreshBundle := spiffebundle.FromX509Authorities(trustDomain, []*x509.Certificate{createCACertificate(t, "endpoint")})

source := NewTrustDomainConfigSet(TrustDomainConfigMap{
trustDomain: TrustDomainConfig{
Expand Down Expand Up @@ -56,6 +57,12 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) {
endpointBundle: endpointBundle,
nextRefresh: calculateNextUpdate(endpointBundle),
},
{
name: "endpoint bundle does not specify refresh_hint",
localBundle: localBundle,
endpointBundle: noRefreshBundle,
nextRefresh: time.Minute * 5,
},
}

for _, testCase := range testCases {
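Review bot: The added case in TestManagerPeriodicBundleRefresh exercises only a bundle that never had SetRefreshHint called, so the boundary between "no hint" and "hint present but zero" in calculateNextUpdate is left unpinned. A second bundle built the same way as noRefreshBundle but with `SetRefreshHint(0)` would document what interval the manager is expected to use when a remote endpoint publishes a degenerate hint. The expected value is also written as the literal `time.Minute * 5`, whereas the neighbouring cases derive theirs from calculateNextUpdate; a short comment such as `// must match defaultRefreshInterval` would make the intent of the literal clear. The test function starts and ends outside the visible hunks.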
