Add more leeway for JWT expiration time
Currently, the JWTs created by KAS are only valid for 5 seconds, which means that they are highly susceptible to clock drift. I was trying to do some local development and kept running into:
{"level":"error","time":"2022-03-30T14:59:16.035-0500","msg":"Error handling a connection","mod_name":"reverse_tunnel","error":"rpc error: code = Unauthenticated desc = unauthenticated","correlation_id":"01FZE6JCJ1JRCS8J96762DB556"}
After a lot of debugging, I discovered that the issue was because the JWTs being created by KAS were already expired. I have no idea how this was happening with a GDK setup, but somehow the clocks between Rails web and KAS were off by more than 5 seconds. Increasing the leeway for exp solved the issue for me. I think it's reasonable to increase leeway for the exp claim to at least a couple minutes, to account for these clock drift issues.
Edited by Brian Williams
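The failure described in this issue, reproduced as an added Go example (not KAS or GitLab code): a token minted with a 5-second lifetime is rejected by a verifier whose clock runs 8 seconds ahead, and accepted once the verifier allows leeway on exp. The HS256 scheme, the key, the timestamps and the names Mint, mac and Verify are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// Mint issues an HS256 JWT that expires ttl after the issuer's clock reading.
func Mint(key []byte, issuerNow time.Time, ttl time.Duration) string {
	body, _ := json.Marshal(map[string]int64{"exp": issuerNow.Add(ttl).Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(mac(key, msg))
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Verify checks the signature, then exp against the verifier's own clock plus
// leeway. A missing exp decodes as 0 (1970) and so fails closed as expired.
func Verify(key []byte, token string, verifierNow time.Time, leeway time.Duration) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, mac(key, p[0]+"."+p[1])) {
		return fmt.Errorf("bad signature")
	}
	raw, _ := b64.DecodeString(p[1])
	var c struct{ Exp int64 `json:"exp"` }
	if json.Unmarshal(raw, &c) != nil || !verifierNow.Before(time.Unix(c.Exp, 0).Add(leeway)) {
		return fmt.Errorf("token expired")
	}
	return nil
}

func main() {
	key, t0 := []byte("constructed-demo-key"), time.Unix(1648670350, 0) // constructed values
	tok, late := Mint(key, t0, 5*time.Second), t0.Add(8*time.Second)    // verifier clock 8s ahead
	fmt.Println(Verify(key, tok, late, 0), Verify(key, tok, late, 2*time.Minute))
}
```

Leeway also lengthens how long a captured token stays usable: with 2 minutes of leeway this 5-second token verifies for up to 125 seconds after it was issued, so the value is a trade-off between tolerated drift and replay window.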