chore: Expire token 30 seconds early to mitigate mid-reconcile expirations

Author: Baarsgaard

controllers/client/grafana_client.go

@@ -37,6 +37,10 @@ type JWTCache struct {
 
 var jwtCache *JWTCache
 
+// Revoke tokens early expecting them to be rotated hourly, see 'ExpirationSeconds' in KEP1205
+// Should mitigate mid-reconcile expiration
+const tokenExpirationCompensation = -30 * time.Second
+
 // getBearerToken will read JWT token from given file and cache it until it expires.
 // accepts filepath arg for testing
 func getBearerToken(bearerTokenPath string) (string, error) {
@@ -72,13 +76,13 @@ func getBearerToken(bearerTokenPath string) (string, error) {
 	}
 
 	tokenExpiration := claims.Expiry.Time()
-	if tokenExpiration.Before(time.Now()) {
-		return "", fmt.Errorf("token expired at %s, expected %s to be rotated", tokenExpiration.String(), bearerTokenPath)
+	if tokenExpiration.Add(tokenExpirationCompensation).Before(time.Now()) {
+		return "", fmt.Errorf("token expired at %s, expected %s to be renewed. Tokens are considered expired 30 seconds early", tokenExpiration.String(), bearerTokenPath)
 	}
 
 	jwtCache = &JWTCache{
 		Token:      token,
-		Expiration: tokenExpiration,
+		Expiration: tokenExpiration.Add(tokenExpirationCompensation),
 	}
 
 	return token, nil

controllers/client/grafana_client_test.go

@@ -330,7 +330,7 @@ func TestGetBearerToken(t *testing.T) {
 		Audience:  jwt.Audience{"https://grafana.operator.com"},
 		IssuedAt:  jwt.NewNumericDate(now),
 		NotBefore: jwt.NewNumericDate(now),
-		Expiry:    jwt.NewNumericDate(now.Add(time.Duration(30 * float64(time.Second)))),
+		Expiry:    jwt.NewNumericDate(now.Add(time.Duration(60 * float64(time.Second)))),
 	}
 
 	// Generate key