From a35e10d42a7b8fab23411ed34c4ff91e8dd4eb56 Mon Sep 17 00:00:00 2001
From: Qingchuan Hao <qingchuan.hao@microsoft.com>
Date: Tue, 24 Feb 2026 01:19:59 +0000
Subject: [PATCH] bump acr refresh token cache TTL to 60 minutes

Signed-off-by: Qingchuan Hao <qingchuan.hao@microsoft.com>
---
 pkg/credentialprovider/azure_credentials.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/credentialprovider/azure_credentials.go b/pkg/credentialprovider/azure_credentials.go
index 19ca116227..2aa4d91293 100644
--- a/pkg/credentialprovider/azure_credentials.go
+++ b/pkg/credentialprovider/azure_credentials.go
@@ -39,8 +39,10 @@ import (
 // Refer: https://github.com/kubernetes/kubernetes/blob/master/pkg/credentialprovider/azure/azure_credentials.go
 
 const (
-	maxReadLength   = 10 * 1 << 20 // 10MB
-	defaultCacheTTL = 5 * time.Minute
+	maxReadLength = 10 * 1 << 20 // 10MB
+	// Since the ACR Refresh token TTL is around 3 hours, too short TTL may cause frequent token exchange and bring
+	// throttleling risk, so we set the cache TTL to 60 minutes, which is a trade-off between security and performance.
+	defaultCacheTTL = 60 * time.Minute
 
 	AcrAudience = "https://containerregistry.azure.net"
 )