Implement a way to time out tokens based on (in)activity

[simo5]

When OAuthClient is configure with accessTokenTimeoutSeconds then tokens obtained with the specific client get a TimeoutsIn field that marks when the token is to be considered timed out.
The timeout is in seconds since token CreationTimestamp
As the token is used it is pushed into a bucket which is regularly flushed (for now).

This replaces #17161 which github inexplicably and unilaterally decided to close after a wrong push (can't be reopened)

[simo5]

/hold
need to wait for api merge in openshift/api

[enj]

Here is the diffs I used:

http://pastebin.test.redhat.com/538893 (for everything but the main timeout validator file)
https://www.diffchecker.com/ln16YiA7 (for the validator file)

[enj]

Check for IsInvalid here.

[simo5]

done

[enj]

Add docs.

[simo5]

ack

[simo5]

I am actually going to change flush timeout handling a little, and will put here docs on what it means

[enj]

Most of my validation additions are missing.

[simo5]

Ok I think I have it now

[enj]

I don't really like that we have to export the type to call this, but we seem to do this in other places as well so I suppose its fine (granted controllers seem to have a Run method instead of a Start).

I think we want a defer utilruntime.HandleCrash() in the hook though.

[simo5]

Ok, changed Start() -> Run() and added a HandleCrash call in it

[enj]

V(5)

[simo5]

ack

[enj]

I think we can reset the timer to save resources and this way the timer is always stooped even when we receive from the channel (I could not tell from the docs if that was required).

resetTimerAndFlush := func() {
	closeTimer()
	nextTimer.Reset(a.flushTimeout)
	nextTimeout = time.Now().Add(a.flushTimeout)
	a.flush(nextTimeout.Add(a.safetyMargin))
}

[simo5]

good point, done

[enj]

I had some comments explaining this math which I think are useful.

[simo5]

added

[enj]

I believe I had some extra glogs in this func and some other places in this file?

[simo5]

I did not import all of them as some things simply changed, any specific thing you want to generate logs out of ? You can describe the thought process about what you think should be logged too.

[enj]

Combine the two error cases.

[simo5]

done

[enj]

Should we also count total failures?

[simo5]

Any token not flushed is a failure, do we need to be very explicit about it ?

[simo5]

Ok I should have addressed all comments but the clock one.
I changed slightly how the defaultTimeout handling works.
Next a change to how we change the flushTimeout, current code can only make it shrink but never grow back. going to change this so we can recover after an admin fat fingered a too short interval on an oauthClient configuration

[simo5]

Finally #17662 got in and I was able to properly generate the internal API changes, code has been updated

[enj]

nit: I believe this can be made private.

[simo5]

ok

[enj]

*config.TokenConfig.AccessTokenTimeoutSeconds == 0 is valid

[simo5]

fixed

[enj]

I had some related validation in pkg/oauth/registry/oauthaccesstoken/strategy.go that went with this as well.

[simo5]

Yeah I saw that, but given we can update the field with any (valid) value, I do not see much value in adding this kind of validation just at token creation.

[enj]

OK I suppose that is fine.

[enj]

You probably want to use *tokenData to avoid copying the struct unnecessarily.

[simo5]

I was doing that before, but when I added RankedSet the compiler complained, changing it to not be apointer made it work.

[enj]

Right because you will have to update everything to use *tokenData otherwise it will not implement the interface.

[enj]

if timeout := config.TokenConfig.AccessTokenTimeoutSeconds; timeout != nil && *timeout != 0 { is a bit easier to read.

[simo5]

ok

[enj]

We want this on create as well.

[simo5]

indeed

[enj]

Want negative check here as well.

[enj]

And same checks on update too I believe.

[simo5]

yeah about negative, update automatically checks for anything doen at create

[enj]

@simo5 please add unit tests for all the validation bits, should be easy to extend/copy existing tests.

[enj]

I do not think we want to log the error in these places since it is likely to leak the token value.

[enj]

here

[enj]

Err actually I see you are logging the token name, do not do that xD

[enj]

here

[simo5]

no token name here

[enj]

here

[simo5]

neither here, is the err what you want me drop ? (doing that anyway)

[enj]

mostly nits

[enj]

nit: type assertion

[simo5]

done

[enj]

Shouldn't you just use a pointer the whole time? The channel having tokenData and the set having *tokenData is weird.

[simo5]

whatever :)

[enj]

nit: use *timeout on this line

[simo5]

ok

[enj]

nit: if timeout := c.ExtraOAuthConfig.Options.TokenConfig.AccessTokenInactivityTimeoutSeconds; timeout != nil would make it so you do not have to repeat that whole thing on the next line.

[simo5]

ok

[enj]

nit: just make this a map[string]string, don't need the flag / pointer stuff.

[simo5]

easier this way for me

[enj]

uh isn't this too small per validation?

[simo5]

it passes tests ...

[simo5]

hint the min timeout is reference timeout / 3 ie 100 seconds is the current absolute minimum

[enj]

glog comments.

[enj]

You may want a.data.Len() as well?

[simo5]

no, I rally only want to show what we tried to flush, and what succeeded, data.Len() is all the stuff in the queue

[enj]

A glog here may be useful.

[simo5]

why ?

[enj]

A glog here may be useful.

[simo5]

no

[enj]

A glog here may be useful.

[simo5]

why ?

[enj]

A glog here may be useful.

[simo5]

uh ?

[enj]

We should error if oldToken.TimeoutsIn == 0 && newToken.TimeoutsIn != 0 to prevent a token that was never supposed to timeout from being updated to timeout. Probably needs a comment describing how this race could happen between multiple masters.

[simo5]

yes

[simo5]

flake: #17974

[simo5]

flake: #17731

[simo5]

flake: #16484

[simo5]

/retest

[enj]

/lgtm

Manually approving the apps changes since they are generated code. David did not seem too concerned.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: enj, simo5

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/apps/OWNERS
• pkg/auth/OWNERS [enj]
• pkg/cmd/OWNERS [enj]
• pkg/oauth/OWNERS [enj]
• test/integration/OWNERS [enj]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[simo5]

/retest

[simo5]

/retest

[simo5]

/retest

[simo5]

/retest

[simo5]

/retest

[simo5]

flake: #17985

[simo5]

/retest

[simo5]

/retest

[simo5]

flake: #16994

[simo5]

/retest

[simo5]

flake: #17697

[simo5]

/retest

[simo5]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[simo5]

/retest

[simo5]

flake: #15630
/retest

[openshift-ci-robot]

@simo5: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/extended_image_ecosystem	0fc882a	link	/test extended_image_ecosystem

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[simo5]

/retest

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[openshift-merge-robot]

Automatic merge from submit-queue.