chore: update expiry and refresh mechanism

connection/eks.go

@@ -110,7 +110,7 @@ func getSignedSTSURI(ctx gocontext.Context, cluster string, cred aws.Credentials
 	}
 
 	request.Header.Add(clusterIDHeader, cluster)
-	request.Header.Add("X-Amz-Expires", "0")
+	request.Header.Add("X-Amz-Expires", "86400") // 24 hours
 	signer := signerv4.NewSigner()
 	signedURI, _, err := signer.PresignHTTP(ctx, cred, request, emptyStringSha256, "sts", "us-east-1", time.Now())
 	if err != nil {

context/context.go

@@ -383,20 +383,15 @@ func (k Context) Kubernetes() (*dutyKubernetes.Client, error) {
 	}
 	connHash := conn.Hash()
 	if client, exists := k8sclientcache.Get(k, connHash); exists == nil {
-		if err := client.RefreshWithExpiry(k, 15*time.Minute); err != nil {
+		if err := client.Refresh(k); err != nil {
 			return nil, err
 		}
 		return client.Client, nil
 	}
-	c, rc, err := conn.Populate(k, true)
+	client, err := NewKubernetesClient(k, conn)
 	if err != nil {
 		return nil, err
 	}
-	client := &KubernetesClient{
-		Client:     dutyKubernetes.NewKubeClient(c, rc),
-		Connection: conn,
-	}
-	client.SetExpiry(15 * time.Minute)
 	_ = k8sclientcache.Set(k, connHash, client)
 	return client.Client, nil
 }

context/kuberetes_client.go

@@ -6,6 +6,7 @@ import (
 
 	dutyKubernetes "github.com/flanksource/duty/kubernetes"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/samber/lo"
 )
 
 type KubernetesClient struct {
@@ -14,16 +15,32 @@ type KubernetesClient struct {
 	expiry     time.Time
 }
 
-func (c *KubernetesClient) SetExpiry(d time.Duration) {
-	c.expiry = time.Now().Add(d)
+var defaultExpiry = 15 * time.Minute
+
+func NewKubernetesClient(ctx Context, conn KubernetesConnection) (*KubernetesClient, error) {
+	c, rc, err := conn.Populate(ctx, true)
+	if err != nil {
+		return nil, fmt.Errorf("error refreshing kubernetes client: %w", err)
+	}
+	client := &KubernetesClient{
+		Client:     dutyKubernetes.NewKubeClient(c, rc),
+		Connection: conn,
+	}
+
+	client.SetExpiry(defaultExpiry)
+	return client, nil
 }
-func (c *KubernetesClient) ExpireAt(t time.Time) {
-	if !t.IsZero() {
-		c.expiry = t
+
+func (c *KubernetesClient) SetExpiry(def time.Duration) {
+	// Try parsing BearerToken as JWT and extract expiry
+	if expiry := extractExpiryFromJWT(lo.FromPtr(c.Config).BearerToken); !expiry.IsZero() {
+		c.expiry = expiry
+	} else {
+		c.expiry = time.Now().Add(def)
 	}
 }
 
-func (c *KubernetesClient) RefreshWithExpiry(ctx Context, d time.Duration) error {
+func (c *KubernetesClient) Refresh(ctx Context) error {
 	if !c.HasExpired() {
 		return nil
 	}
@@ -40,18 +57,12 @@ func (c *KubernetesClient) RefreshWithExpiry(ctx Context, d time.Duration) error
 	c.Config.Username = rc.Username
 	c.Config.Password = rc.Password
 
-	// Try parsing BearerToken as JWT and extract expiry
-	if expiry := extractExpiryFromJWT(c.Config.BearerToken); !expiry.IsZero() {
-		c.ExpireAt(expiry)
-	} else {
-		c.SetExpiry(d)
-	}
-
+	c.SetExpiry(defaultExpiry)
 	return nil
 }
 
 func (c KubernetesClient) HasExpired() bool {
-	if c.Connection.CanExpire() {
+	if c.Connection.CanExpire() && !c.expiry.IsZero() {
 		// We give a 1 minute window as a buffer
 		return time.Until(c.expiry) <= time.Minute
 	}

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/flanksource/commons v1.36.1
 	github.com/flanksource/gomplate/v3 v3.24.55
 	github.com/go-git/go-git/v5 v5.12.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/cel-go v0.22.1
 	github.com/google/go-cmp v0.6.0
 	github.com/google/gops v0.3.28
@@ -168,7 +169,6 @@ require (
 	github.com/goccy/go-yaml v1.12.0 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect