Skip to content

fix: #23100 Change workloadidentity token cache expiry based on token expiry. #23133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Jun 2, 2025
Merged

fix: #23100 Change workloadidentity token cache expiry based on token expiry. #23133

merged 15 commits into from
Jun 2, 2025

Conversation

jagpreetstamber
Copy link
Contributor

@jagpreetstamber jagpreetstamber commented May 23, 2025
edited
Loading

Different Microsoft Entra tenants can enforce different lifetimes for managed identity tokens, default is 3 hours, using which earlier cache expiry was set. Lowering it to 30 minutes to avoid any issues with Entra tenants setting the token expiry to 1 hour.

Closes #23100

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@jagpreetstamber jagpreetstamber requested a review from a team as a code owner May 23, 2025 14:38
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented May 23, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@jagpreetstamber jagpreetstamber changed the title #23100 Change workloadidentity token cache expiry to 30 minutes. fix #23100 Change workloadidentity token cache expiry to 30 minutes. May 23, 2025
@jagpreetstamber jagpreetstamber changed the title fix #23100 Change workloadidentity token cache expiry to 30 minutes. fix #23100 Change workloadidentity token cache expiry to 10 minutes. May 23, 2025
@jagpreetstamber jagpreetstamber changed the title fix #23100 Change workloadidentity token cache expiry to 10 minutes. fix: #23100 Change workloadidentity token cache expiry to 10 minutes. May 23, 2025
@crenshaw-dev
Copy link
Member

crenshaw-dev commented May 23, 2025
edited
Loading

Shouldn't we just use the token's expiry? Something like this:

diff --git a/util/git/creds.go b/util/git/creds.go
index 4657c4a20..9e48a3bc9 100644
--- a/util/git/creds.go
+++ b/util/git/creds.go
@@ -743,8 +743,8 @@ func (creds AzureWorkloadIdentityCreds) getAccessToken(scope string) (string, er
 		return "", fmt.Errorf("failed to get Azure access token: %w", err)
 	}
 
-	azureTokenCache.Set(key, token, 2*time.Hour)
-	return token, nil
+	azureTokenCache.Set(key, token, token.ExpiresOn.Sub(time.Now()))
+	return token.Token, nil
 }
 
 func (creds AzureWorkloadIdentityCreds) GetAzureDevOpsAccessToken() (string, error) {
diff --git a/util/workloadidentity/workloadidentity.go b/util/workloadidentity/workloadidentity.go
index 24aef2ffa..64679b02c 100644
--- a/util/workloadidentity/workloadidentity.go
+++ b/util/workloadidentity/workloadidentity.go
@@ -13,7 +13,7 @@ const (
 )
 
 type TokenProvider interface {
-	GetToken(scope string) (string, error)
+	GetToken(scope string) (azcore.AccessToken, error)
 }
 
 type WorkloadIdentityTokenProvider struct {
@@ -29,17 +29,17 @@ func NewWorkloadIdentityTokenProvider() TokenProvider {
 	return WorkloadIdentityTokenProvider{tokenCredential: cred}
 }
 
-func (c WorkloadIdentityTokenProvider) GetToken(scope string) (string, error) {
+func (c WorkloadIdentityTokenProvider) GetToken(scope string) (azcore.AccessToken, error) {
 	if initError != nil {
-		return "", initError
+		return azcore.AccessToken{}, initError
 	}
 
 	token, err := c.tokenCredential.GetToken(context.Background(), policy.TokenRequestOptions{
 		Scopes: []string{scope},
 	})
 	if err != nil {
-		return "", err
+		return azcore.AccessToken{}, err
 	}
 
-	return token.Token, nil
+	return token, nil
 }

@jagpreetstamber
Copy link
Contributor Author 

+func (c WorkloadIdentityTokenProvider) GetToken(scope string) (azcore.AccessToken, error) {

Makes sense, I will update he PR

@codecov Codecov
Copy link

codecov bot commented May 23, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 91.66667% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.08%. Comparing base (b39ca15) to head (48ba4e2).
⚠️ Report is 413 commits behind head on master.

Files with missing lines Patch % Lines
util/helm/creds.go 86.36% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #23133      +/-   ##
==========================================
+ Coverage   60.01%   60.08%   +0.06%     
==========================================
  Files         342      342              
  Lines       57845    57872      +27     
==========================================
+ Hits        34718    34771      +53     
+ Misses      20352    20331      -21     
+ Partials     2775     2770       -5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

agaudreault
agaudreault requested changes May 23, 2025
View reviewed changes
@jagpreetstamber
Change workloadidentity token cache expiry to 30 minutes.
227141a 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Use expiry of the token to set the cache expiry.
a3736ed 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
crenshaw-dev
crenshaw-dev requested changes May 23, 2025
View reviewed changes
@crenshaw-dev
Copy link
Member

Worth adding a unit test?

@jagpreetstamber
Use exp claim from JWT to set the cache expiry for ACR token.
4450c94 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber jagpreetstamber changed the title fix: #23100 Change workloadidentity token cache expiry to 10 minutes. fix: #23100 Change workloadidentity token cache expiry based on token expiry. May 23, 2025
@jagpreetstamber
Copy link
Contributor Author

Worth adding a unit test?

Yes I am working on unit tests for same.

crenshaw-dev
crenshaw-dev reviewed May 23, 2025
View reviewed changes
@jagpreetstamber
Add unit tests for the changes.
4269782 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Copy link
Contributor Author

@crenshaw-dev @agaudreault The PR is ready for review, Please review the same.

@jagpreetstamber
Fix static checks.
ef68e86 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
agaudreault
agaudreault requested changes May 23, 2025
View reviewed changes
@jagpreetstamber
Resolve Comments.
6199ee2 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Merge branch 'master' into master
a92c87c
@jagpreetstamber
Fix Tests..
18a40f4 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Merge branch 'master' into master
fdcdf10
agaudreault
agaudreault reviewed May 29, 2025
View reviewed changes
@jagpreetstamber
Add Tests for CalclulateCacheExpiryBasedOnTokenExpiry
76dec0a 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
crenshaw-dev
crenshaw-dev requested changes Jun 2, 2025
View reviewed changes
@jagpreetstamber
Resolve comments:
d82e473 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Merge branch 'master' into master
0335fee
crenshaw-dev
crenshaw-dev reviewed Jun 2, 2025
View reviewed changes
crenshaw-dev
crenshaw-dev reviewed Jun 2, 2025
View reviewed changes
crenshaw-dev
crenshaw-dev reviewed Jun 2, 2025
View reviewed changes
@jagpreetstamber
Resolve comments
40c6208 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
@jagpreetstamber
Fix Tests
48ba4e2 
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
crenshaw-dev
crenshaw-dev approved these changes Jun 2, 2025
View reviewed changes
Copy link
Member

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@crenshaw-dev crenshaw-dev enabled auto-merge (squash) June 2, 2025 20:17
@crenshaw-dev crenshaw-dev merged commit c0c6abe into argoproj:master Jun 2, 2025
27 checks passed
@agaudreault
Copy link
Member

/cherry-pick release-3.0

@gcp-cherry-pick-bot GCP Cherry-Pick Bot
Copy link

Cherry-pick failed with Merge error c0c6abedc4034509eeac76625b839b88e2be433c into temp-cherry-pick-fe2430-release-3.0

chansuke pushed a commit to chansuke/argo-cd that referenced this pull request Jun 4, 2025
@jagpreetstamber @chansuke
fix: argoproj#23100 Change workloadidentity token cache expiry based …
ac2ae7b 
…on token expiry. (argoproj#23133)

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
agaudreault pushed a commit to agaudreault/argo-cd that referenced this pull request Jun 4, 2025
@jagpreetstamber @agaudreault
fix: argoproj#23100 Change workloadidentity token cache expiry based …
009d1c3 
…on token expiry. (argoproj#23133)

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault agaudreault mentioned this pull request Jun 4, 2025
Merged
14 tasks
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@jagpreetstamber @dsuhinin
fix: argoproj#23100 Change workloadidentity token cache expiry based …
4a8ad53 
…on token expiry. (argoproj#23133)

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Signed-off-by: dsuhinin <suhinin.dmitriy@gmail.com>
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@jagpreetstamber @dsuhinin
fix: argoproj#23100 Change workloadidentity token cache expiry based …
e719a1b 
…on token expiry. (argoproj#23133)

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Signed-off-by: dsuhinin <suhinin.dmitriy@gmail.com>
enneitex pushed a commit to enneitex/argo-cd that referenced this pull request Aug 24, 2025
@jagpreetstamber @enneitex
fix: argoproj#23100 Change workloadidentity token cache expiry based …
0a11932 
…on token expiry. (argoproj#23133)

Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Signed-off-by: enneitex <etienne.divet@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

@agaudreault agaudreault agaudreault approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

argocd-repo-server fails to refresh Azure DevOps Workload-Identity token (HTTP 302 after ~60 min) on Argo CD v3.0.3
3 participants
@jagpreetstamber @crenshaw-dev @agaudreault