From 3f2950f27fd06f0922800a391fb2ba940ad4708c Mon Sep 17 00:00:00 2001 From: squat Date: Wed, 12 Jun 2024 08:00:17 +0200 Subject: [PATCH 1/2] fix: use durations for TTL Previously, we defined the TTL as a duration on the CLI but as an integer corresponding to seconds in the HTTP API. Let's standardize on one format: duration. Signed-off-by: squat --- .github/workflows/ci.yml | 2 +- README.md | 2 +- server.go | 9 +++------ 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f525d02..cf8c9f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: run: | kubectl -n namespace-provisioner port-forward service/namespace-provisioner 8080 & until lsof -nP -iTCP:8080 -sTCP:LISTEN >/dev/null; do sleep 1; done - curl localhost:8080/api/v1/namespace?ttl=1 -X POST -H "Authorization: bearer PASSWORD" > kubeconfig + curl localhost:8080/api/v1/namespace?ttl=1s -X POST -H "Authorization: bearer PASSWORD" > kubeconfig kubectl --kubeconfig kubeconfig get pods sleep 5 [ $(kubectl get ns | grep np- | wc -l) -eq 0 ] diff --git a/README.md b/README.md index 968ae8c..f3e7978 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ The Namespace Provisioner runs an API server over HTTP that exposes two API endp #### Namespace Creation - POST /api/v1/namespace The Namespace creation endpoint accepts the following optional query parameters: -1. `ttl`: the time in seconds that the Namespace should exist in the Kubernetes cluster; if 0 is given, then the Namespace Provisioner’s default lifetime is applied. +1. `ttl`: the duration, e.g. `30s`, `5m`, `1h`, that the Namespace should exist in the Kubernetes cluster; if 0 is given, then the Namespace Provisioner’s default lifetime is applied. All provisioned Namespaces will be labeled with a Unix timestamp equal to the current time plus this duration; and 1. `url`; the URL of the Kubernetes API that the generated Kubeconfig should use. 
diff --git a/server.go b/server.go index abd9fd3..65e81e4 100644 --- a/server.go +++ b/server.go @@ -5,7 +5,6 @@ import ( "fmt" "net/http" "net/url" - "strconv" "strings" "time" @@ -98,13 +97,12 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) { }(start) ttl := h.ttl + var err error if r.URL.Query().Has("ttl") { - s, err := strconv.Atoi(r.URL.Query().Get("ttl")) - if err != nil { + if ttl, err = time.ParseDuration(r.URL.Query().Get("ttl")); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } - ttl = time.Duration(s) * time.Second if ttl == 0 || (h.ttl > 0 && ttl > h.ttl) { ttl = h.ttl } @@ -143,8 +141,7 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) { Labels: h.labels, }, } - sa, err := h.c.CoreV1().ServiceAccounts(namespace).Create(r.Context(), sa, metav1.CreateOptions{}) - if err != nil { + if sa, err = h.c.CoreV1().ServiceAccounts(namespace).Create(r.Context(), sa, metav1.CreateOptions{}); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } From 25c825ac5192f0d18d82660fa1f7b611a37cce46 Mon Sep 17 00:00:00 2001 From: squat Date: Wed, 12 Jun 2024 08:02:23 +0200 Subject: [PATCH 2/2] manifests: add TTL to ConfigMap Signed-off-by: squat --- .github/workflows/ci.yml | 1 + manifests/namespace-provisioner.yaml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cf8c9f6..acaa2b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,6 +54,7 @@ jobs: namespace: namespace-provisioner data: server: "$SERVER" + ttl: 1h EOF kubectl apply -f manifests/example-grants/pods.yaml kubectl -n namespace-provisioner set image deployment namespace-provisioner namespace-provisioner=quay.io/observatorium/namespace-provisioner:test diff --git a/manifests/namespace-provisioner.yaml b/manifests/namespace-provisioner.yaml index 82ffe68..ad51f21 100644 --- a/manifests/namespace-provisioner.yaml 
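Review bot: In server.go, `create` still accepts a negative `ttl`: `time.ParseDuration` parses values such as `-5m`, and the guard `ttl == 0 || (h.ttl > 0 && ttl > h.ttl)` only replaces zero and over-limit values. A negative duration would presumably produce an expiry timestamp in the past; how the rest of the handler treats that is outside the hunk. Consider widening the guard to `if ttl <= 0 || (h.ttl > 0 && ttl > h.ttl) {`, or rejecting negative values with a 400. Also note that a bare integer such as `ttl=30` now returns a 400 (only `0` parses without a unit), so existing API clients must be updated. The body of `create` starts and ends outside the hunk.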
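Review bot: The failure branch of the ServiceAccount `Create` call in `create` writes `err.Error()` from the Kubernetes client straight into the 500 response, which can expose API-server messages and resource names to the caller. Prefer logging the error on the server side and replying with `http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)`. That line predates this commit, but the hunk rewrites the statement directly above it; the handler continues outside the hunk.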
+++ b/manifests/namespace-provisioner.yaml @@ -36,6 +36,7 @@ metadata: app.kubernetes.io/part-of: namespace-provisioner data: server: https://kubernetes + ttl: 1h --- apiVersion: v1 kind: ServiceAccount @@ -163,6 +164,7 @@ spec: - --listen-internal=:9090 - --cluster-role=namespace-provisioner-grant - --server=$(SERVER) + - --ttl=$(TTL) - --token=$(TOKEN) env: - name: TOKEN @@ -175,6 +177,11 @@ spec: configMapKeyRef: name: namespace-provisioner key: server + - name: TTL + valueFrom: + configMapKeyRef: + name: namespace-provisioner + key: ttl ports: - containerPort: 8080 name: http
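Review bot: The new `ttl: 1h` ConfigMap entry would benefit from a comment stating that it is a security-relevant limit and not only a default. Judging by the `h.ttl > 0 && ttl > h.ttl` check in server.go from the first patch, `--ttl` also caps the lifetime an API caller may request, and a value of `0` appears to disable that cap. A comment such as `# ttl: default and maximum Namespace lifetime; 0 removes the upper bound on caller-requested TTLs` above the key would make that explicit. The same value feeds the `--ttl=$(TTL)` argument and the `TTL` env entry added in the two later hunks of this file; because that `configMapKeyRef` is not marked optional, a ConfigMap without the `ttl` key will keep the container from starting.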