Use expiring cache with the OIDC tokens #7335

Merged
merged 2 commits into from
Oct 6, 2023

@Cali0707 (Member) commented Oct 5, 2023

Fixes #7331

Proposed Changes

  • Use the k8s apimachinery expiring cache to keep the tokens and evict them when they expire

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

Release Note

OIDC tokens are now cached to improve performance.

Signed-off-by: Calum Murray <cmurray@redhat.com>
@knative-prow knative-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 5, 2023
@Cali0707 (Member Author) commented Oct 5, 2023

/cc @creydr @Leo6Leo

@knative-prow knative-prow bot requested review from creydr and Leo6Leo October 5, 2023 19:09
codecov bot commented Oct 5, 2023

Codecov Report

Attention: 112 lines in your changes are missing coverage. Please review.

Comparison is base (ce67d85) 77.52% compared to head (0b3f8a8) 76.92%.
Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7335      +/-   ##
==========================================
- Coverage   77.52%   76.92%   -0.60%     
==========================================
  Files         250      252       +2     
  Lines       13573    13693     +120     
==========================================
+ Hits        10522    10533      +11     
- Misses       2525     2635     +110     
+ Partials      526      525       -1     
Files Coverage Δ
pkg/auth/token_provider.go 0.00% <0.00%> (ø)
pkg/auth/token_verifier.go 0.00% <0.00%> (ø)

... and 3 files with indirect coverage changes

@Cali0707 (Member Author) commented Oct 5, 2023

/test upgrade-tests

@creydr (Member) left a comment

Thanks for your PR. Looking good 👍
Just left one comment

Signed-off-by: Calum Murray <cmurray@redhat.com>
@Cali0707 Cali0707 requested a review from creydr October 6, 2023 13:18
@creydr (Member) left a comment

Thanks a lot @Cali0707 for your contribution!

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 6, 2023
knative-prow bot commented Oct 6, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, creydr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 6, 2023
Comment on lines +34 to +36
const (
expirationBufferTime = time.Second * 30
)
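Review bot: expirationBufferTime on line 35 carries no comment saying what the 30 seconds is a buffer against or why that value was picked, so a reader cannot tell how it relates to the token lifetime. Add a doc comment stating what the buffer is applied to and the reasoning behind the value; with only one constant, a plain `const expirationBufferTime = 30 * time.Second` would also read more simply than a const block.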
@pierDipi (Member) commented Oct 6, 2023

I'd make this higher to also account for clock skew, which could be on the order of minutes at times; something like 5/10 minutes seems safer.

Member

@Cali0707 @creydr any thoughts here?

Member

Clock skew is a good point. I'll create an issue to fix it.

Member

Created #7351

Member Author

Oh whoops, sorry I missed this! @pierDipi or @creydr - what is clock skew in this context? I've only encountered it before in digital circuits

@knative-prow knative-prow bot merged commit 9de5275 into knative:main Oct 6, 2023
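
Added example, not code from this PR or from Knative: a minimal expiring token cache showing how the expiration buffer discussed in the review interacts with clock skew between the token sender and the verifier. `TokenCache`, `cachedToken` and `ServedButRejected` are hypothetical names, the cache is a plain map rather than the k8s apimachinery expiring cache, and the timestamps and token are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// cachedToken pairs a token with the instant the cache stops serving it.
type cachedToken struct {
	token   string
	evictAt time.Time
}

// TokenCache is a hypothetical, single-goroutine stand-in for an expiring cache.
type TokenCache struct {
	buffer time.Duration    // how long before expiry a token stops being served
	now    func() time.Time // injected clock so the example is deterministic
	items  map[string]cachedToken
}

// Set caches the token until its expiry minus the buffer.
func (c *TokenCache) Set(key, token string, expiry time.Time) {
	c.items[key] = cachedToken{token, expiry.Add(-c.buffer)}
}

// Get returns the token only while the local clock is before evictAt.
func (c *TokenCache) Get(key string) (string, bool) {
	e, ok := c.items[key]
	if !ok || !c.now().Before(e.evictAt) {
		delete(c.items, key)
		return "", false
	}
	return e.token, true
}

// ServedButRejected reports whether the cache still hands out a token one
// minute before its expiry while a verifier whose clock runs `skew` ahead
// of the sender already considers that token expired.
func ServedButRejected(buffer, skew time.Duration) bool {
	expiry := time.Date(2023, 10, 6, 13, 0, 0, 0, time.UTC) // constructed
	senderNow := expiry.Add(-time.Minute)
	c := &TokenCache{buffer: buffer, now: func() time.Time { return senderNow }, items: map[string]cachedToken{}}
	c.Set("audience", "constructed-token", expiry)
	_, served := c.Get("audience")
	return served && !senderNow.Add(skew).Before(expiry)
}

func main() {
	fmt.Println("30s buffer, 2m skew:", ServedButRejected(30*time.Second, 2*time.Minute))
	fmt.Println("5m buffer, 2m skew:", ServedButRejected(5*time.Minute, 2*time.Minute))
}
```

With a buffer shorter than the skew, the sender keeps reusing a token the receiver will reject; a buffer larger than the expected skew forces a fresh token first.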
Successfully merging this pull request may close these issues.

Add caching to OIDC TokenProvider