update credentials cache

kedacore · Jan 15, 2024 · c46ff93 · c46ff93
1 parent 468c522
commit c46ff93
Showing 1 changed file with 16 additions and 36 deletions.
diff --git a/pkg/scalers/azure_pipelines_scaler.go b/pkg/scalers/azure_pipelines_scaler.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/go-logr/logr"
 	v2 "k8s.io/api/autoscaling/v2"
 	"k8s.io/metrics/pkg/apis/external_metrics"
@@ -149,9 +150,8 @@ type azurePipelinesMetadata struct {
 }
 
 type authContext struct {
-	token     string
-	expiredOn time.Time
-	pat       string
+	cred *azidentity.ChainedTokenCredential
+	pat  string
 }
 
 // NewAzurePipelinesScaler creates a new AzurePipelinesScaler
@@ -178,7 +178,7 @@ func NewAzurePipelinesScaler(ctx context.Context, config *ScalerConfig) (Scaler,
 	}, nil
 }
 
-func getAuthMethod(config *ScalerConfig) (string, kedav1alpha1.AuthPodIdentity, error) {
+func getAuthMethod(logger logr.Logger, config *ScalerConfig) (string, *azidentity.ChainedTokenCredential, kedav1alpha1.AuthPodIdentity, error) {
 	pat := ""
 	if val, ok := config.AuthParams["personalAccessToken"]; ok && val != "" {
 		// Found the personalAccessToken in a parameter from TriggerAuthentication
@@ -188,15 +188,19 @@ func getAuthMethod(config *ScalerConfig) (string, kedav1alpha1.AuthPodIdentity,
 	} else {
 		switch config.PodIdentity.Provider {
 		case "", kedav1alpha1.PodIdentityProviderNone:
-			return "", kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("no personalAccessToken given or PodIdentity provider configured")
+			return "", nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("no personalAccessToken given or PodIdentity provider configured")
 			// return "", kedav1alpha1.AuthPodIdentity{Provider: kedav1alpha1.PodIdentityProviderNone}, nil
 		case kedav1alpha1.PodIdentityProviderAzure, kedav1alpha1.PodIdentityProviderAzureWorkload:
-			return "", kedav1alpha1.AuthPodIdentity{Provider: config.PodIdentity.Provider}, nil
+			cred, err := azure.NewChainedCredential(logger, config.PodIdentity.GetIdentityID(), config.PodIdentity.Provider)
+			if err != nil {
+				return "", nil, kedav1alpha1.AuthPodIdentity{}, err
+			}
+			return "", cred, kedav1alpha1.AuthPodIdentity{Provider: config.PodIdentity.Provider}, nil
 		default:
-			return "", kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure pipelines", config.PodIdentity.Provider)
+			return "", nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("pod identity %s not supported for azure pipelines", config.PodIdentity.Provider)
 		}
 	}
-	return pat, kedav1alpha1.AuthPodIdentity{}, nil
+	return pat, nil, kedav1alpha1.AuthPodIdentity{}, nil
 }
 
 func parseAzurePipelinesMetadata(ctx context.Context, logger logr.Logger, config *ScalerConfig, httpClient *http.Client) (*azurePipelinesMetadata, kedav1alpha1.AuthPodIdentity, error) {
@@ -237,15 +241,14 @@ func parseAzurePipelinesMetadata(ctx context.Context, logger logr.Logger, config
 		return nil, kedav1alpha1.AuthPodIdentity{}, fmt.Errorf("failed to extract organization name from organizationURL")
 	}
 
-	pat, podIdentity, err := getAuthMethod(config)
+	pat, cred, podIdentity, err := getAuthMethod(logger, config)
 	if err != nil {
 		return nil, kedav1alpha1.AuthPodIdentity{}, err
 	}
 	// // Trim any trailing new lines from the Azure Pipelines PAT
 	meta.authContext = authContext{
-		pat:       strings.TrimSuffix(pat, "\n"),
-		token:     "",
-		expiredOn: time.Now(),
+		pat:  strings.TrimSuffix(pat, "\n"),
+		cred: cred,
 	}
 
 	if val, ok := config.TriggerMetadata["parent"]; ok && val != "" {
@@ -345,22 +348,7 @@ func validatePoolID(ctx context.Context, logger logr.Logger, poolID string, meta
 }
 
 func getToken(ctx context.Context, logger logr.Logger, metadata *azurePipelinesMetadata, podIdentity kedav1alpha1.AuthPodIdentity, scope string) (string, error) {
-	cred, err := azure.NewChainedCredential(logger, podIdentity.GetIdentityID(), podIdentity.Provider)
-	if err != nil {
-		return "", err
-	}
-
-	if metadata.authContext.token != "" {
-		now := time.Now()
-		offset := metadata.authContext.expiredOn.Sub(now)
-		//if there is more than 1 minute before expiration use existing token
-		if offset > (time.Second * 60) {
-			return metadata.authContext.token, nil
-		}
-	}
-
-	//No token or is expired or near to expiration
-	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
+	token, err := metadata.authContext.cred.GetToken(ctx, policy.TokenRequestOptions{
 		Scopes: []string{
 			scope,
 		},
@@ -369,14 +357,6 @@ func getToken(ctx context.Context, logger logr.Logger, metadata *azurePipelinesM
 	if err != nil {
 		return "", err
 	}
-
-	//update metadata auth context and return token
-	metadata.authContext = authContext{
-		token:     token.Token,
-		expiredOn: token.ExpiresOn,
-		pat:       metadata.authContext.pat,
-	}
-
 	return token.Token, nil
 }