better handle projected SA volume defaults

Yelp · Jun 6, 2024 · 6ffd941 · 6ffd941
1 parent feaad97
commit 6ffd941
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/task_processing/plugins/kubernetes/task_config.py b/task_processing/plugins/kubernetes/task_config.py
@@ -25,6 +25,9 @@
 from task_processing.plugins.kubernetes.types import ProjectedSAVolume
 from task_processing.plugins.kubernetes.types import SecretVolume
 from task_processing.plugins.kubernetes.types import SecretVolumeItem
+from task_processing.plugins.kubernetes.utils import (
+    DEFAULT_PROJECTED_SA_TOKEN_EXPIRATION_SECONDS,
+)
 from task_processing.plugins.kubernetes.utils import get_sanitised_kubernetes_name
 from task_processing.plugins.kubernetes.utils import mode_to_int
 
@@ -194,6 +197,7 @@ def _valid_secret_volumes(
 def _valid_projected_sa_volumes(
     sa_volumes: Sequence[ProjectedSAVolume],
 ) -> Tuple[bool, Optional[str]]:
+    min_expiration = 600
     for volume in sa_volumes:
         if not volume.get("audience"):
             return (
@@ -205,10 +209,15 @@ def _valid_projected_sa_volumes(
                 False,
                 "No token container_path set for projected service account volume",
             )
-        if volume.get("expiration_seconds", 1800) < 600:
+        if (
+            volume.get(
+                "expiration_seconds", DEFAULT_PROJECTED_SA_TOKEN_EXPIRATION_SECONDS
+            )
+            < min_expiration
+        ):
             return (
                 False,
-                "Expiration for service account projected token must be at least 600 seconds",
+                f"Expiration for service account projected token must be at least {min_expiration} seconds",
             )
     return (True, None)
 

diff --git a/task_processing/plugins/kubernetes/utils.py b/task_processing/plugins/kubernetes/utils.py
@@ -37,8 +37,11 @@
     from task_processing.plugins.kubernetes.types import ObjectFieldSelectorSource
     from task_processing.plugins.kubernetes.types import ProjectedSAVolume
 
+
 logger = logging.getLogger(__name__)
 
+DEFAULT_PROJECTED_SA_TOKEN_EXPIRATION_SECONDS = 1800
+
 
 def get_capabilities_for_capability_changes(
     cap_add: PVector[str],
@@ -374,7 +377,7 @@ def get_pod_service_account_token_volumes(
     """Build projected service account volumes for pod
 
     :param PVector["ProjectedSAVolume"] sa_volumes: list of projected service account volume configs
-    :return: listof kubernetes pod volume objects
+    :return: list of kubernetes pod volume objects
     """
     return [
         V1Volume(
@@ -384,7 +387,10 @@ def get_pod_service_account_token_volumes(
                     V1VolumeProjection(
                         service_account_token=V1ServiceAccountTokenProjection(
                             audience=volume["audience"],
-                            expiration_seconds=volume.get("expiration_seconds", 1800),
+                            expiration_seconds=volume.get(
+                                "expiration_seconds",
+                                DEFAULT_PROJECTED_SA_TOKEN_EXPIRATION_SECONDS,
+                            ),
                             path="token",
                         ),
                     ),