From 269170d30003f6ea01aeace09de7913e99f4d020 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wojciech=20So=C5=82tys?= <74361703+Sawthis@users.noreply.github.com>
Date: Wed, 31 Jul 2024 08:13:24 +0200
Subject: [PATCH] Improve Service Account cleaner (#11502)

---
 .../serviceaccountcleaner.go | 2 +-
 .../serviceaccountcleaner_test.go | 36 +++++++++----------
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner.go b/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner.go
index 7085ed359a34..1b8d0290938a 100644
--- a/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner.go
+++ b/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner.go
@@ -98,7 +98,7 @@ func serviceAccountKeysCleaner(w http.ResponseWriter, r *http.Request) {
 
 	// options are provided as GET query:
 	// time that latest version of secret needs to exist before older ones can be destroyed
-	cutoffTimeHours := 5
+	cutoffTimeHours := 1
 	keys, ok := r.URL.Query()["age"]
 	if ok && len(keys[0]) > 0 {
 		cutoffTimeHours, err = strconv.Atoi(keys[0])
diff --git a/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner_test.go b/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner_test.go
index 8263c9bee55a..15e444596dd7 100644
--- a/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner_test.go
+++ b/cmd/cloud-run/service-account-keys-cleaner/serviceaccountcleaner_test.go
@@ -6,8 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/kyma-project/test-infra/pkg/gcp/iam"
-	"github.com/kyma-project/test-infra/pkg/gcp/secretmanager"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -17,6 +15,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/kyma-project/test-infra/pkg/gcp/iam"
+	"github.com/kyma-project/test-infra/pkg/gcp/secretmanager"
+
 	gcpiam "google.golang.org/api/iam/v1"
 	"google.golang.org/api/option"
 	gcpsecretmanager "google.golang.org/api/secretmanager/v1"
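Review bot: Lowering the default `cutoffTimeHours` from 5 to 1 shortens the overlap window during which the newest secret version and the older ones (and, presumably, the service-account keys they carry) are all still usable, so any consumer that still holds the previous key and refreshes less than hourly will start failing after the cleaner runs; the commit does not record why one hour is sufficient here. The `age` query value on the following lines is parsed with `strconv.Atoi` and the hunk shows no lower bound, so a request carrying `age=0` or a negative value can shrink the window further unless the code past the hunk rejects it — if it does not, `if cutoffTimeHours <= 0 { http.Error(w, "age must be a positive number of hours", http.StatusBadRequest); return }` after the parse would pin the invariant. The comment above the default should also state the unit and the new default, e.g. `// default is 1 hour; overridden by the "age" query parameter (in hours)`. serviceAccountKeysCleaner continues outside the hunk.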
@@ -281,10 +282,9 @@ func TestServiceAccountKeysCleaner(t *testing.T) {
 		t.Errorf("could not generate fake secret version data: %s", err)
 	}
 
-	timeTenHoursAgo := time.Now().Add(time.Duration(-10) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
-	timeSixHoursAgo := time.Now().Add(time.Duration(-6) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
-	// timeThreeHoursAgo := time.Now().Add(time.Duration(-3) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
-	timeOneHoursAgo := time.Now().Add(time.Duration(-1) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
+	timeThreeHoursAgo := time.Now().Add(time.Duration(-3) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
+	timeTwoHoursAgo := time.Now().Add(time.Duration(-2) * time.Hour).UTC().Format("2006-01-02T15:04:05.000000Z")
+	time59MinutesAgo := time.Now().Add(time.Duration(-59) * time.Minute).UTC().Format("2006-01-02T15:04:05.000000Z")
 
 	tests := []struct {
 		name string
@@ -308,11 +308,11 @@ func TestServiceAccountKeysCleaner(t *testing.T) {
 			name: "secret without labels",
 			secrets: map[string]*fakeSecret{"secret_no_label": {
 				Labels: map[string]string{},
-				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"}},
+				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"}},
 			}},
 			expectedSecrets: map[string]*fakeSecret{"secret_no_label": {
 				Labels: map[string]string{},
-				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"}},
+				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"}},
 			}},
 			keys: make(map[string]map[string]bool),
 			expectedKeys: make(map[string]map[string]bool),
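Review bot: `time59MinutesAgo` in the first hunk sits one minute inside the new one-hour default cutoff, and the fixtures are stamped with `time.Now()` at setup while the handler under test presumably takes its own `time.Now()` later, so the "secret_new" case in the @@ -339 hunk flips from "keep both versions" to "destroy version 1" whenever more than a minute elapses between fixture creation and the request — a loaded CI runner can do that — assuming the test relies on the default rather than passing `age`. A wider margin such as `time30MinutesAgo := time.Now().Add(time.Duration(-30) * time.Minute).UTC().Format("2006-01-02T15:04:05.000000Z")` keeps the case deterministic, or the handler could take an injectable clock so the test controls both sides. `timeTwoHoursAgo` and `timeThreeHoursAgo` carry the same assumption but with an hour of slack. TestServiceAccountKeysCleaner continues outside the hunk.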
@@ -323,11 +323,11 @@ func TestServiceAccountKeysCleaner(t *testing.T) {
 			name: "secret with correct labels, one enabled version",
 			secrets: map[string]*fakeSecret{"secret_one_version": {
 				Labels: map[string]string{"type": "service-account"},
-				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"}},
+				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"}},
 			}},
 			expectedSecrets: map[string]*fakeSecret{"secret_one_version": {
 				Labels: map[string]string{"type": "service-account"},
-				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"}},
+				Versions: map[string]*fakeSecretVersion{"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"}},
 			}},
 			keys: make(map[string]map[string]bool),
 			expectedKeys: make(map[string]map[string]bool),
@@ -339,15 +339,15 @@ func TestServiceAccountKeysCleaner(t *testing.T) {
 			secrets: map[string]*fakeSecret{"secret_new": {
 				Labels: map[string]string{"type": "service-account"},
 				Versions: map[string]*fakeSecretVersion{
-					"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"},
-					"2": {Data: fakeSecretVersionData, Date: timeOneHoursAgo, State: "enabled"},
+					"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"},
+					"2": {Data: fakeSecretVersionData, Date: time59MinutesAgo, State: "enabled"},
 				},
 			}},
 			expectedSecrets: map[string]*fakeSecret{"secret_new": {
 				Labels: map[string]string{"type": "service-account"},
 				Versions: map[string]*fakeSecretVersion{
-					"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"},
-					"2": {Data: fakeSecretVersionData, Date: timeOneHoursAgo, State: "enabled"},
+					"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"},
+					"2": {Data: fakeSecretVersionData, Date: time59MinutesAgo, State: "enabled"},
 				},
 			}},
 			keys: map[string]map[string]bool{fakeSecretEmail: {fakeSecretKey: true, fakeSecretKey2: true}},
@@ -360,15 +360,15 @@ func TestServiceAccountKeysCleaner(t *testing.T) {
 			secrets: map[string]*fakeSecret{"secret_outdated": {
 				Labels: map[string]string{"type": "service-account"},
 				Versions: map[string]*fakeSecretVersion{
-					"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "enabled"},
-					"2": {Data: fakeSecretVersionData2, Date: timeSixHoursAgo, State: "enabled"},
+					"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "enabled"},
+					"2": {Data: fakeSecretVersionData2, Date: timeTwoHoursAgo, State: "enabled"},
 				},
 			}},
 			expectedSecrets: map[string]*fakeSecret{"secret_outdated": {
 				Labels: map[string]string{"type": "service-account"},
 				Versions: map[string]*fakeSecretVersion{
-					"1": {Data: fakeSecretVersionData, Date: timeTenHoursAgo, State: "destroyed"},
-					"2": {Data: fakeSecretVersionData2, Date: timeSixHoursAgo, State: "enabled"},
+					"1": {Data: fakeSecretVersionData, Date: timeThreeHoursAgo, State: "destroyed"},
+					"2": {Data: fakeSecretVersionData2, Date: timeTwoHoursAgo, State: "enabled"},
 				},
 			}},
 			keys: map[string]map[string]bool{fakeSecretEmail: {fakeSecretKey: true, fakeSecretKey2: true}},