fix(gcp service): Adapt to token regen behavior change (#21411)

* fix(GcpAuthenticator): Handle metadata behaviour change with token regen * fix(GcpAuthenticator): Handle metadata behaviour change with token regen * changelog file * rename changelog file * improve readability * Add additional changelog info * change text to pass spell check * fmt
vectordotdev · Oct 11, 2024 · 6ff1fd6 · 6ff1fd6
1 parent 4b3de83
commit 6ff1fd6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/changelog.d/gcp_adjust_token_regeneration.fix.md b/changelog.d/gcp_adjust_token_regeneration.fix.md
@@ -0,0 +1,13 @@
+Adjusts GcpAuthenticator token regeneration to reflect recent metadata server behaviour changes.
+
+metadata-server (0.4.292 and above) will return a cached token during the last 300-60 seconds of its lifetime (rather than the currently documented behaviour of returning a fresh token during the last 300 seconds).
+
+If a request for a fresh token is made to the metadata server during that window:
+
+- it will return a cached token
+- it will also trigger a background refresh process
+- if the refresh is successful, the metadata server will update its cache
+
+This change deals with this scenario by retrying the token refresh after 2 seconds if a cached token is determined to have been returned from the metadata server.
+
+authors: garethpelly
diff --git a/src/gcp.rs b/src/gcp.rs
@@ -209,8 +209,16 @@ impl GcpAuthenticator {
                         Ok(()) => {
                             sender.send_replace(());
                             let expires_in = inner.token.read().unwrap().expires_in() as u64;
-                            deadline =
-                                Duration::from_secs(expires_in - METADATA_TOKEN_EXPIRY_MARGIN_SECS);
+                            // Rather than an expected fresh token, the Metadata Server may return
+                            // the same (cached) token during the last 300 seconds of its lifetime.
+                            // This scenario is handled by retrying the token refresh after the
+                            // METADATA_TOKEN_ERROR_RETRY_SECS period when a fresh token is expected
+                            let new_deadline = if expires_in <= METADATA_TOKEN_EXPIRY_MARGIN_SECS {
+                                METADATA_TOKEN_ERROR_RETRY_SECS
+                            } else {
+                                expires_in - METADATA_TOKEN_EXPIRY_MARGIN_SECS
+                            };
+                            deadline = Duration::from_secs(new_deadline);
                         }
                         Err(error) => {
                             error!(