Remove expiry field and hardcode the token expiry to 1 hour

Signed-off-by: Max Cao <[email protected]>
kedacore · Dec 5, 2024 · a2e587b · a2e587b
1 parent e261888
commit a2e587b
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 58 deletions.
diff --git a/apis/keda/v1alpha1/triggerauthentication_types.go b/apis/keda/v1alpha1/triggerauthentication_types.go
@@ -384,7 +384,6 @@ type AwsSecretManagerSecret struct {
 type BoundServiceAccountToken struct {
 	Parameter          string `json:"parameter"`
 	ServiceAccountName string `json:"serviceAccountName"`
-	Expiry             string `json:"expiry"`
 }
 
 func init() {

diff --git a/config/crd/bases/keda.sh_clustertriggerauthentications.yaml b/config/crd/bases/keda.sh_clustertriggerauthentications.yaml
@@ -305,14 +305,11 @@ spec:
               boundServiceAccountToken:
                 items:
                   properties:
-                    expiry:
-                      type: string
                     parameter:
                       type: string
                     serviceAccountName:
                       type: string
                   required:
-                  - expiry
                   - parameter
                   - serviceAccountName
                   type: object

diff --git a/config/crd/bases/keda.sh_triggerauthentications.yaml b/config/crd/bases/keda.sh_triggerauthentications.yaml
@@ -304,14 +304,11 @@ spec:
               boundServiceAccountToken:
                 items:
                   properties:
-                    expiry:
-                      type: string
                     parameter:
                       type: string
                     serviceAccountName:
                       type: string
                   required:
-                  - expiry
                   - parameter
                   - serviceAccountName
                   type: object

diff --git a/pkg/scaling/resolver/scale_resolvers.go b/pkg/scaling/resolver/scale_resolvers.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"time"
 
 	"github.com/aws/smithy-go/ptr"
 	"github.com/go-logr/logr"
@@ -608,39 +607,30 @@ func resolveAuthSecret(ctx context.Context, client client.Client, logger logr.Lo
 }
 
 func resolveBoundServiceAccountToken(ctx context.Context, client client.Client, logger logr.Logger, namespace string, bsat *kedav1alpha1.BoundServiceAccountToken, acs *authentication.AuthClientSet) string {
-	serviceAccountName, expiry := bsat.ServiceAccountName, bsat.Expiry
+	serviceAccountName := bsat.ServiceAccountName
 	if serviceAccountName == "" {
 		logger.Error(fmt.Errorf("error trying to get token"), "serviceAccountName is required")
 		return ""
 	}
 	var err error
-	expirySeconds := ptr.Int64(3600) // default expiry is 1 hour
-	if expiry != "" {
-		duration, err := time.ParseDuration(expiry)
-		if err != nil {
-			logger.Error(err, "error trying to parse expiry duration", "expiry", expiry)
-			return ""
-		}
-		expirySeconds = ptr.Int64(int64(duration.Seconds()))
-	}
 
-	// check if service account exists in the namespace
 	serviceAccount := &corev1.ServiceAccount{}
 	err = client.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: namespace}, serviceAccount)
 	if err != nil {
 		logger.Error(err, "error trying to get service account from namespace", "ServiceAccount.Namespace", namespace, "ServiceAccount.Name", serviceAccountName)
 		return ""
 	}
-	return generateToken(ctx, serviceAccountName, namespace, expirySeconds, acs)
+	return generateToken(ctx, serviceAccountName, namespace, acs)
 }
 
-func generateToken(ctx context.Context, serviceAccountName, namespace string, expiry *int64, acs *authentication.AuthClientSet) string {
+func generateToken(ctx context.Context, serviceAccountName, namespace string, acs *authentication.AuthClientSet) string {
+	expirationSeconds := ptr.Int64(3600) // We default the token expiry to 1 hour
 	token, err := acs.CoreV1Interface.ServiceAccounts(namespace).CreateToken(
 		ctx,
 		serviceAccountName,
 		&authenticationv1.TokenRequest{
 			Spec: authenticationv1.TokenRequestSpec{
-				ExpirationSeconds: expiry, // kubernetes prevents token expiry to be less than 10 minutes
+				ExpirationSeconds: expirationSeconds,
 			},
 		},
 		metav1.CreateOptions{},

diff --git a/pkg/scaling/resolver/scale_resolvers_test.go b/pkg/scaling/resolver/scale_resolvers_test.go
@@ -50,7 +50,6 @@ var (
 	cmKey                     = "mycmkey"
 	cmData                    = "cmDataHere"
 	bsatSAName                = "bsatServiceAccount"
-	bsatExpiry                = "10m"
 	bsatData                  = "k8s-bsat-token"
 	trueValue                 = true
 	falseValue                = false
@@ -471,7 +470,6 @@ func TestResolveAuthRef(t *testing.T) {
 							{
 								Parameter:          "token",
 								ServiceAccountName: bsatSAName,
-								Expiry:             bsatExpiry,
 							},
 						},
 					},
@@ -487,38 +485,6 @@ func TestResolveAuthRef(t *testing.T) {
 			expected:            map[string]string{"token": bsatData},
 			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
 		},
-		{
-			name: "triggerauth exists bound service account token, but expiry invalid",
-			existing: []runtime.Object{
-				&kedav1alpha1.TriggerAuthentication{
-					ObjectMeta: metav1.ObjectMeta{
-						Namespace: namespace,
-						Name:      triggerAuthenticationName,
-					},
-					Spec: kedav1alpha1.TriggerAuthenticationSpec{
-						PodIdentity: &kedav1alpha1.AuthPodIdentity{
-							Provider: kedav1alpha1.PodIdentityProviderNone,
-						},
-						BoundServiceAccountToken: []kedav1alpha1.BoundServiceAccountToken{
-							{
-								Parameter:          "token",
-								ServiceAccountName: bsatSAName,
-								Expiry:             "10g",
-							},
-						},
-					},
-				},
-				&corev1.ServiceAccount{
-					ObjectMeta: metav1.ObjectMeta{
-						Namespace: namespace,
-						Name:      bsatSAName,
-					},
-				},
-			},
-			soar:                &kedav1alpha1.AuthenticationRef{Name: triggerAuthenticationName},
-			expected:            map[string]string{"token": ""},
-			expectedPodIdentity: kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone},
-		},
 		{
 			name: "clustertriggerauth exists, podidentity nil",
 			existing: []runtime.Object{
@@ -694,7 +660,6 @@ func TestResolveAuthRef(t *testing.T) {
 							{
 								Parameter:          "token",
 								ServiceAccountName: bsatSAName,
-								Expiry:             bsatExpiry,
 							},
 						},
 					},
@@ -725,7 +690,6 @@ func TestResolveAuthRef(t *testing.T) {
 							{
 								Parameter:          "token",
 								ServiceAccountName: bsatSAName,
-								Expiry:             bsatExpiry,
 							},
 						},
 					},