feat: gracefully handle ephemeral errors

Author: isometry

api/v1/clustertoken_types.go

@@ -42,11 +42,18 @@ type ClusterTokenSpec struct {
 
 	// +optional
 	// +kubebuilder:validation:Format:=duration
-	// +kubebuilder:default:="10m"
+	// +kubebuilder:default:="30m"
 	// +kubebuilder:example:="45m"
 	// Specify how often to refresh the token (maximum: 1h)
 	RefreshInterval metav1.Duration `json:"refreshInterval"`
 
+	// +optional
+	// +kubebuilder:validation:Format:=duration
+	// +kubebuilder:default:="5m"
+	// +kubebuilder:example:="1m"
+	// Specify how long to wait before retrying on transient token retrieval error
+	RetryInterval metav1.Duration `json:"retryInterval"`
+
 	// +optional
 	// +kubebuilder:example:={"metadata": "read", "contents": "read"}
 	// Specify the permissions for the token as a subset of those of the GitHub App
@@ -128,6 +135,10 @@ func (t *ClusterToken) GetRefreshInterval() time.Duration {
 	return t.Spec.RefreshInterval.Duration
 }
 
+func (t *ClusterToken) GetRetryInterval() time.Duration {
+	return t.Spec.RetryInterval.Duration
+}
+
 func (t *ClusterToken) GetSecretNamespace() string {
 	return t.Spec.Secret.Namespace
 }

api/v1/token_types.go

@@ -43,11 +43,18 @@ type TokenSpec struct {
 
 	// +optional
 	// +kubebuilder:validation:Format:=duration
-	// +kubebuilder:default:="10m"
+	// +kubebuilder:default:="30m"
 	// +kubebuilder:example:="45m"
 	// Specify how often to refresh the token (maximum: 1h)
 	RefreshInterval metav1.Duration `json:"refreshInterval"`
 
+	// +optional
+	// +kubebuilder:validation:Format:=duration
+	// +kubebuilder:default:="5m"
+	// +kubebuilder:example:="1m"
+	// Specify how long to wait before retrying on transient token retrieval error
+	RetryInterval metav1.Duration `json:"retryInterval"`
+
 	// +optional
 	// +kubebuilder:example:={"metadata": "read", "contents": "read"}
 	// Specify the permissions for the token as a subset of those of the GitHub App
@@ -121,6 +128,10 @@ func (t *Token) GetRefreshInterval() time.Duration {
 	return t.Spec.RefreshInterval.Duration
 }
 
+func (t *Token) GetRetryInterval() time.Duration {
+	return t.Spec.RetryInterval.Duration
+}
+
 func (t *Token) GetSecretNamespace() string {
 	return t.Namespace
 }

api/v1/zz_generated.deepcopy.go

@@ -236,7 +236,7 @@ spec:
                       type: string
                   type: object
                 refreshInterval:
-                  default: 10m
+                  default: 30m
                   description: "Specify how often to refresh the token (maximum: 1h)"
                   example: 45m
                   format: duration
@@ -258,6 +258,14 @@ spec:
                     type: integer
                   maxItems: 500
                   type: array
+                retryInterval:
+                  default: 5m
+                  description:
+                    Specify how long to wait before retrying on transient
+                    token retrieval error
+                  example: 1m
+                  format: duration
+                  type: string
                 secret:
                   properties:
                     annotations:

config/crd/bases/github.as-code.io_clustertokens.yaml

@@ -236,7 +236,7 @@ spec:
                       type: string
                   type: object
                 refreshInterval:
-                  default: 10m
+                  default: 30m
                   description: "Specify how often to refresh the token (maximum: 1h)"
                   example: 45m
                   format: duration
@@ -258,6 +258,14 @@ spec:
                     type: integer
                   maxItems: 500
                   type: array
+                retryInterval:
+                  default: 5m
+                  description:
+                    Specify how long to wait before retrying on transient
+                    token retrieval error
+                  example: 1m
+                  format: duration
+                  type: string
                 secret:
                   description: Override the default token secret name and type
                   properties:

config/crd/bases/github.as-code.io_tokens.yaml

@@ -244,7 +244,7 @@ spec:
                       type: string
                   type: object
                 refreshInterval:
-                  default: 10m
+                  default: 30m
                   description: "Specify how often to refresh the token (maximum: 1h)"
                   example: 45m
                   format: duration
@@ -266,6 +266,14 @@ spec:
                     type: integer
                   maxItems: 500
                   type: array
+                retryInterval:
+                  default: 5m
+                  description:
+                    Specify how long to wait before retrying on transient
+                    token retrieval error
+                  example: 1m
+                  format: duration
+                  type: string
                 secret:
                   properties:
                     annotations:
@@ -633,7 +641,7 @@ spec:
                       type: string
                   type: object
                 refreshInterval:
-                  default: 10m
+                  default: 30m
                   description: "Specify how often to refresh the token (maximum: 1h)"
                   example: 45m
                   format: duration
@@ -655,6 +663,14 @@ spec:
                     type: integer
                   maxItems: 500
                   type: array
+                retryInterval:
+                  default: 5m
+                  description:
+                    Specify how long to wait before retrying on transient
+                    token retrieval error
+                  example: 1m
+                  format: duration
+                  type: string
                 secret:
                   description: Override the default token secret name and type
                   properties:

deploy/charts/github-token-manager/templates/crds.yaml

@@ -23,6 +23,7 @@ type tokenManager interface {
 	GetSecretBasicAuth() bool
 	GetInstallationID() int64
 	GetRefreshInterval() time.Duration
+	GetRetryInterval() time.Duration
 	GetSecretNamespace() string
 	GetSecretName() string
 	GetSecretLabels() map[string]string

internal/tokenmanager/token_manager.go

@@ -137,9 +137,15 @@ func (s *tokenSecret) Reconcile() (result reconcile.Result, err error) {
 	if apierrors.IsNotFound(err) {
 		// Secret not found, so create it
 		if err := s.CreateSecret(); err != nil {
-			log.Error(err, "failed to create secret")
+			if errors.Is(err, ghait.TransientError{}) {
+				log.Error(err, "transient error creating secret")
+				return reconcile.Result{RequeueAfter: s.owner.GetRetryInterval()}, nil
+			}
+
+			log.Error(err, "fatal error creating secret")
 			return result, err
 		}
+
 		return reconcile.Result{RequeueAfter: s.owner.GetRefreshInterval()}, nil
 	}
 
@@ -163,9 +169,15 @@ func (s *tokenSecret) Reconcile() (result reconcile.Result, err error) {
 	s.Secret = secret
 
 	if err := s.UpdateSecret(); err != nil {
-		log.Error(err, "failed to update secret")
+		if errors.Is(err, ghait.TransientError{}) {
+			log.Error(err, "transient error updating secret")
+			return reconcile.Result{RequeueAfter: s.owner.GetRetryInterval()}, nil
+		}
+
+		log.Error(err, "fatal error updating secret")
 		return result, err
 	}
+
 	return reconcile.Result{RequeueAfter: s.owner.GetRefreshInterval()}, nil
 }