add expire early credential wrapper

k8s-infra-cherrypick-robot · Jul 12, 2024 · a7cad3c · a7cad3c
1 parent aec602a
commit a7cad3c
Show file tree

Hide file tree

Showing 4 changed files with 209 additions and 0 deletions.
diff --git a/pkg/azclient/armauth/expire_early_wrapper.go b/pkg/azclient/armauth/expire_early_wrapper.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package armauth
+
+import (
+	"context"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+)
+
+// expireEarlyTokenCredential is a wrapper around the azcore.TokenCredential that
+// returns an earlier ExpiresOn timestamp to avoid conditions like clockSkew, or a race
+// condition during polling.
+// See: https://github.com/hashicorp/terraform-provider-azurerm/issues/20834 for more details
+type expireEarlyTokenCredential struct {
+	cred azcore.TokenCredential
+}
+
+func NewExpireEarlyTokenWrapper(cred azcore.TokenCredential) azcore.TokenCredential {
+	return &expireEarlyTokenCredential{
+		cred: cred,
+	}
+}
+
+func (w *expireEarlyTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	token, err := w.cred.GetToken(ctx, options)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+
+	twoHoursFromNow := time.Now().Add(2 * time.Hour)
+	// IMDS may have the MI token already, and have an expiration of less than 2h when we receive the token. We don't want to set that value beyond the ExpiresOn time and potentially miss a refresh
+	// So we just return earlier here. See discussion here: https://github.com/Azure/karpenter-provider-azure/pull/391/files#r1648633051
+	if token.ExpiresOn.Before(twoHoursFromNow) {
+		return token, nil
+	}
+	// If the token expires in more than 2 hours, this means we are taking in a new token with a fresh 24h expiration time or one already in the cache that hasn't been modified by us, so we want to set that to two hours so
+	// we can refresh it early to avoid the polling bugs mentioned in the above issue
+	token.ExpiresOn = twoHoursFromNow
+	return token, nil
+}
diff --git a/pkg/azclient/armauth/expire_early_wrapper_test.go b/pkg/azclient/armauth/expire_early_wrapper_test.go
@@ -0,0 +1,78 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package armauth
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"go.uber.org/mock/gomock"
+)
+
+func Test_expireEarlyTokenCredential_GetToken(t *testing.T) {
+	type fields struct {
+		token azcore.AccessToken
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		wantErr bool
+	}{
+		{
+			name: "valid token",
+			fields: fields{
+				token: azcore.AccessToken{
+					Token:     "token",
+					ExpiresOn: time.Now().Add(4 * time.Hour),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid token",
+			fields: fields{
+				token: azcore.AccessToken{
+					Token:     "token",
+					ExpiresOn: time.Now().Add(1 * time.Hour),
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cntl := gomock.NewController(t)
+			defer cntl.Finish()
+			cred := NewMockTokenCredential(cntl)
+			cred.EXPECT().GetToken(gomock.Any(), gomock.Any()).Return(tt.fields.token, nil).AnyTimes()
+			w := &expireEarlyTokenCredential{
+				cred: cred,
+			}
+			got, err := w.GetToken(context.Background(), policy.TokenRequestOptions{})
+			if (err != nil) != tt.wantErr {
+				t.Errorf("expireEarlyTokenCredential.GetToken() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got.ExpiresOn.After(time.Now().Add(2 * time.Hour)) {
+				t.Errorf("expireEarlyTokenCredential.GetToken() = %v, should expire within 2 hour", got)
+			}
+		})
+	}
+}
diff --git a/pkg/azclient/armauth/token_credential_mock_test.go b/pkg/azclient/armauth/token_credential_mock_test.go
diff --git a/pkg/azclient/auth.go b/pkg/azclient/auth.go
@@ -80,6 +80,7 @@ func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, client
 		if err != nil {
 			return nil, err
 		}
+		managedIdentityCredential = armauth.NewExpireEarlyTokenWrapper(managedIdentityCredential)
 	}
 
 	var (