in internal/credsretriever/refreshing_cache.go [240:282]
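// onCredentialRenewal tries to refresh the credentials held in entry and
// decides what happens to the cached copy when the refresh does not succeed.
//
// The outcomes visible in this function are:
//   - refresh succeeded: callDelegateAndCache returned no error; the "hit"
//     counter is incremented and nothing else is done here.
//   - irrecoverable API error: the entry is deleted from the internal cache so
//     credentials that the backend refuses to renew are no longer kept.
//   - recoverable error or rate limited: the old credentials are put back only
//     while their remaining lifetime exceeds r.minCredentialTtl, and their own
//     expiration is passed as the hard expiry of the re-inserted entry.
//   - otherwise: the "evicted" counter is incremented and the entry is not
//     re-inserted.
//
// key is the cache key the entry is re-inserted under; entry carries the
// credentials, the originating request and the logging context of that request.
func (r *cachedCredentialRetriever) onCredentialRenewal(key string, entry cacheEntry) {
	// NOTE(review): the renewal context is derived from entry.requestLogCtx. If
	// that context can be cancelled when the original request ends, every
	// renewal would fail immediately; confirm it only carries log fields.
	ctx, cancel := context.WithTimeout(
		logger.ContextWithField(entry.requestLogCtx, "from", "renewal-thread"), renewalTimeout)
	defer cancel()
	log := logger.FromContext(ctx)

	// NOTE(review): Allow() and Wait() are both called on the limiter for one
	// renewal. If this is a token-bucket limiter, each call takes a token, so a
	// renewal would cost two; confirm that is intended.
	if r.refreshRateLimiter.Allow() {
		err := r.refreshRateLimiter.Wait(ctx)
		if err != nil {
			// The entry is not re-inserted on this path and err itself is not
			// included in the log line.
			log.Errorf("Problem waiting, will schedule refresh to next sweep")
			return
		}
		_, _, err = r.callDelegateAndCache(ctx, entry.originatingRequest)
		if err == nil {
			// Credentials were retrieved successfully; nothing else to do.
			promCacheState.WithLabelValues("hit").Inc()
			return
		}
		// NOTE(review): the delegate's error text is written to the log on both
		// error paths below; verify it can never embed the service account token
		// or credential material.
		if eksauth.IsIrrecoverableApiError(err) {
			log.Infof("Removing credentials from cache, got non recoverable error: %s", err.Error())
			promCacheError.WithLabelValues("NonRecoverable").Inc()
			// NOTE(review): deletion uses the service account token while the
			// re-insert below uses key; presumably these are the same value,
			// otherwise this delete would miss the entry. Confirm against the caller.
			r.internalCache.Delete(entry.originatingRequest.ServiceAccountToken)
			return
		}
		log.Infof("Could not renew, will try to keep existing creds. Error is recoverable: %s", err.Error())
	} else {
		log.Infof("Rate limited! Will try to keep creds locally")
	}

	// The refresh did not happen; keep the old credentials only if they have
	// enough lifetime left.
	oldCreds := entry.credentials
	oldCredsDuration := oldCreds.Expiration.Time.Sub(r.now())
	if oldCredsDuration > r.minCredentialTtl {
		// rand.Int63n panics when its argument is <= 0, so a zero (or negative)
		// maxRetryJitter means "no jitter" instead of crashing the renewal path.
		var jitter time.Duration
		if r.maxRetryJitter > 0 {
			jitter = time.Duration(rand.Int63n(int64(r.maxRetryJitter)))
		}
		calculatedRetryInterval := r.retryInterval + jitter
		// Never schedule the next attempt later than the credentials' own expiry.
		newRefreshTtl := minDuration(oldCredsDuration, calculatedRetryInterval)
		log.WithField("ttl", newRefreshTtl).
			Infof("Credentials still valid for at least %0.2fs, keeping them will try again after ttl expires", oldCredsDuration.Seconds())
		// oldCredsDuration is the hard expiry: the stale entry cannot outlive
		// the credentials it holds.
		r.internalCache.SetWithRefreshExpire(key, entry, newRefreshTtl, oldCredsDuration)
	} else {
		// No explicit Delete here; presumably the cache has already dropped the
		// entry before invoking this callback. Confirm against the cache implementation.
		promCacheState.WithLabelValues("evicted").Inc()
		log.Infof("Evicting credentials since they are too old")
	}
}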