const maxTTL … const gcPeriod … const maxJitter … // NewManager returns a new token manager. func NewManager(c clientset.Interface) *Manager { … } type Manager … // GetServiceAccountToken gets a service account token for a pod from cache or // from the TokenRequest API. This process is as follows: // * Check the cache for the current token request. // * If the token exists and does not require a refresh, return the current token. // * Attempt to refresh the token. // * If the token is refreshed successfully, save it in the cache and return the token. // * If refresh fails and the old token is still valid, log an error and return the old token. // * If refresh fails and the old token is no longer valid, return an error func (m *Manager) GetServiceAccountToken(namespace, name string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) { … } // DeleteServiceAccountToken should be invoked when pod got deleted. It simply // clean token manager cache. func (m *Manager) DeleteServiceAccountToken(podUID types.UID) { … } func (m *Manager) cleanup() { … } func (m *Manager) get(key string) (*authenticationv1.TokenRequest, bool) { … } func (m *Manager) set(key string, tr *authenticationv1.TokenRequest) { … } func (m *Manager) expired(t *authenticationv1.TokenRequest) bool { … } // requiresRefresh returns true if the token is older than 80% of its total // ttl, or if the token is older than 24 hours. func (m *Manager) requiresRefresh(tr *authenticationv1.TokenRequest) bool { … } // keys should be nonconfidential and safe to log func keyFunc(name, namespace string, tr *authenticationv1.TokenRequest) string { … }