fix: Lazy refresh should refresh tokens 4 minutes before expiration.

[hessjcg]

Added a 4 minute buffer to refreshing tokens and certificates to avoid creating race condition that would allow the connector to create an ephemeral certificate with an expired auth token.

Now, IAM auth tokens are now refreshed 4 minutes before they token expire. Also, the Lazy Refresh Strategy will refresh the client certificate 4 minutes before the expiration of the certificate and the IAM auth token.

This should mitigate some of the strange certificate expiration errors commonly found in Cloud Run, see: #2059

[jackwotherspoon]

This may mitigate some token expiration problems in Cloud Run.

Fixes #2059

We don't know for sure that this will fix the above issue right? We should probably mark this as "Related to #2509" and have it tested in the wild first before marking as fixed. Thoughts?

[hessjcg]

This may mitigate some token expiration problems in Cloud Run.
Fixes #2059

We don't know for sure that this will fix the above issue right? We should probably mark this as "Related to #2509" and have it tested in the wild first before marking as fixed. Thoughts?

Good point. I set this as "related to."

[enocom]

LGTM. One small nit.

[enocom]

Do we have a constant for this value somewhere? I think we should use it to avoid future mistakes in buffering.

[jackwotherspoon]

➕ 1

[hessjcg]

Good idea, yes. RefreshCalculator.DEFAULT_REFRESH_BUFFER

[sanmahapatra]

LGTM

[sanmahapatra]

nit: Since we also refresh for reasons other than expiry maybe a better name is refreshIfRequired or refreshIfNecessary or something similar.

[hessjcg]

Fixed.