Skip to content

Implement a Go struct for fetching and caching authentication tokens for a ServiceAccount #972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Tracked by #737
everettraven opened this issue Jun 25, 2024 · 1 comment · Fixed by #1006
Closed
Tracked by #737

Implement a Go struct for fetching and caching authentication tokens for a ServiceAccount #972

everettraven opened this issue Jun 25, 2024 · 1 comment · Fixed by #1006
Assignees
@skattoju
Labels
epic/provided-sa

Comments

@everettraven
Copy link
Contributor

everettraven commented Jun 25, 2024
edited
Loading

In order to utilize a provided ServiceAccount to install and manage content, operator-controller needs to be capable of fetching an authentication token for a given ServiceAccount. Once retrieved, this token can then be used to create clients that authenticate as the ServiceAccount to perform operations on the cluster.

The scope of this issue is limited to specifically implementing a Go type to fetch and cache these authentication tokens and does not include utilizing the token retrieved.

While the exact implementation may vary, here are some things to consider:

  • Use the TokenRequest API to fetch an authentication token for a provided ServiceAccount
  • Cache the authentication token so that when subsequent requests for the same ServiceAccount are made we can return a valid token without hitting the Kube API server (limits load on Kube API server)
  • Token rotation. Tokens are not always long-lived and may require rotation, especially when caching tokens. If we identify that the token in the cache is no longer valid, another request for a valid token should be made.

A high-level overview of what the logic flow could look like:

graph LR
  A(ServiceAccount)
  B(TokenGetter)
  C(TokenRequest)
  D(Token)
  E(Token Cache)
  F{In Cache?}
  G{Expired?}
  
  A -- Provided To --> B
  B --> F
  F -- Yes --> G
  F -- No --> C
  G -- Yes --> C
  G -- No --> E
  C -- Returns --> D
  E -- Returns --> D
  D -- Stored in --> E
Loading

Acceptance Criteria:

  • A new Go library/type is created that:
    • Fetches authentication tokens for a provided ServiceAccount
    • Caches tokens
    • Rotates cached tokens when no longer valid
  • Unit tests
@everettraven everettraven mentioned this issue Jun 25, 2024
Closed
7 tasks
This was referenced Jun 25, 2024
Closed
Closed
@skattoju
Copy link
Contributor

/assign

@everettraven everettraven moved this to Implementing in OLM v1 Jul 1, 2024
@skattoju skattoju mentioned this issue Jul 2, 2024
Merged
4 tasks
@everettraven everettraven moved this from Implementing to Done in OLM v1 Jul 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skattoju skattoju

Labels
epic/provided-sa
Projects
OLM v1
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

✨ Adding a token getter to get service account tokens skattoju/operator-controller
2 participants
@everettraven @skattoju