From f46a378f78c03a0925405e1b53d9d2ff56dcad8a Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Sat, 29 Dec 2018 22:18:28 -0500
Subject: [PATCH] Shorten re-read period for token files to work with
 ProjectedTokenVolumeSource

Kubernetes-commit: a432a7cf683e4ea304ae8e39e191a438e37a813e
---
 transport/token_source.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/transport/token_source.go b/transport/token_source.go
index 818baffd..8595df27 100644
--- a/transport/token_source.go
+++ b/transport/token_source.go
@@ -47,14 +47,14 @@ func TokenSourceWrapTransport(ts oauth2.TokenSource) func(http.RoundTripper) htt
 func NewCachedFileTokenSource(path string) oauth2.TokenSource {
 	return &cachingTokenSource{
 		now:    time.Now,
-		leeway: 1 * time.Minute,
+		leeway: 10 * time.Second,
 		base: &fileTokenSource{
 			path: path,
-			// This period was picked because it is half of the minimum validity
-			// duration for a token provisioned by they TokenRequest API. This is
-			// unsophisticated and should induce rotation at a frequency that should
-			// work with the token volume source.
-			period: 5 * time.Minute,
+			// This period was picked because it is half of the duration between when the kubelet
+			// refreshes a projected service account token and when the original token expires.
+			// Default token lifetime is 10 minutes, and the kubelet starts refreshing at 80% of lifetime.
+			// This should induce re-reading at a frequency that works with the token volume source.
+			period: time.Minute,
 		},
 	}
 }