GoogleCloudPlatform / cloud-sql-jdbc-socket-factory

A collection of Java libraries for connecting securely to Cloud SQL
Apache License 2.0

fix: Lazy refresh should refresh tokens 4 minutes before expiration. #2063

Closed hessjcg closed 2 months ago

hessjcg commented 2 months ago

Added a 4 minute buffer to refreshing tokens and certificates to avoid creating a race condition that would allow the connector to create an ephemeral certificate with an expired auth token.

Now, IAM auth tokens are refreshed 4 minutes before they expire. Also, the Lazy Refresh Strategy will refresh the client certificate 4 minutes before the expiration of the certificate and the IAM auth token.

This should mitigate some of the strange certificate expiration errors commonly found in Cloud Run, see: #2059
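
The buffered lazy-refresh check described in the pull request, sketched as an added example (not code from this repository). The class, record and method names are hypothetical, and the 60 minute certificate and 10 minute token lifetimes are constructed for the demonstration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;

// Added illustration; all names are hypothetical, not the connector's classes.
public class LazyRefreshSketch {
    static final Duration REFRESH_BUFFER = Duration.ofMinutes(4); // buffer from the PR

    record Credentials(Instant certExpiration, Instant tokenExpiration) {
        // Usable only until the earlier of the certificate and token expirations.
        Instant expiration() {
            return certExpiration.isBefore(tokenExpiration) ? certExpiration : tokenExpiration;
        }
    }

    private final Function<Instant, Credentials> fetcher; // stand-in for the real refresh call
    private Credentials current;
    private int fetchCount;

    LazyRefreshSketch(Function<Instant, Credentials> fetcher) { this.fetcher = fetcher; }

    // Lazy refresh: no background timer, the check runs when a connection is requested.
    synchronized Credentials get(Instant now) {
        if (current == null || !now.isBefore(current.expiration().minus(REFRESH_BUFFER))) {
            current = fetcher.apply(now);
            fetchCount++;
        }
        return current;
    }

    public static void main(String[] args) {
        Instant start = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample clock
        // Constructed lifetimes: certificate 60 minutes, IAM token 10 minutes from issue.
        LazyRefreshSketch cache = new LazyRefreshSketch(
            t -> new Credentials(t.plus(Duration.ofMinutes(60)), t.plus(Duration.ofMinutes(10))));
        for (long minute : new long[] {0, 5, 6, 9, 10}) {
            Instant now = start.plus(Duration.ofMinutes(minute));
            Credentials c = cache.get(now);
            System.out.printf("t=%2dmin fetches=%d token lifetime left=%ds%n",
                minute, cache.fetchCount, Duration.between(now, c.tokenExpiration()).toSeconds());
        }
    }
}
```

With the buffer, every value returned by `get` has at least 4 minutes of token lifetime left, so a caller is never handed credentials that lapse between the check and their use.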

jackwotherspoon commented 2 months ago

> This may mitigate some token expiration problems in Cloud Run.
>
> Fixes https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/issues/2059

We don't know for sure that this will fix the above issue right? We should probably mark this as "Related to #2509" and have it tested in the wild first before marking as fixed. Thoughts?

hessjcg commented 2 months ago

> This may mitigate some token expiration problems in Cloud Run. Fixes #2059
>
> We don't know for sure that this will fix the above issue right? We should probably mark this as "Related to #2509" and have it tested in the wild first before marking as fixed. Thoughts?

Good point. I set this as "related to."