Skip to content

Commit

Permalink
UPSTREAM: <carry>: kube-controller-manager: add service serving cert …
Browse files Browse the repository at this point in the history
…signer to token controller

:100644 100644 b32534e... 3e694fc... M	pkg/controller/serviceaccount/tokens_controller.go

OpenShift-Rebase-Source: 891b28f
  • Loading branch information
deads2k authored and bertinatto committed Dec 11, 2024
1 parent 7071e5f commit a4e2c7f
Showing 1 changed file with 20 additions and 9 deletions.
29 changes: 20 additions & 9 deletions pkg/controller/serviceaccount/tokens_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ import (
"k8s.io/kubernetes/pkg/serviceaccount"
)

const ServiceServingCASecretKey = "service-ca.crt"

// RemoveTokenBackoff is the recommended (empirical) retry interval for removing
// a secret reference from a service account when the secret is deleted. It is
// exported for use by custom secret controllers.
Expand All @@ -66,6 +68,9 @@ type TokensControllerOptions struct {
// MaxRetries controls the maximum number of times a particular key is retried before giving up
// If zero, a default max is used
MaxRetries int

// This CA will be added in the secrets of service accounts
ServiceServingCA []byte
}

// NewTokensController returns a new *TokensController.
Expand All @@ -76,9 +81,10 @@ func NewTokensController(serviceAccounts informers.ServiceAccountInformer, secre
}

e := &TokensController{
client: cl,
token: options.TokenGenerator,
rootCA: options.RootCA,
client: cl,
token: options.TokenGenerator,
rootCA: options.RootCA,
serviceServingCA: options.ServiceServingCA,

syncServiceAccountQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
workqueue.DefaultTypedControllerRateLimiter[serviceAccountQueueKey](),
Expand Down Expand Up @@ -134,7 +140,8 @@ type TokensController struct {
client clientset.Interface
token serviceaccount.TokenGenerator

rootCA []byte
rootCA []byte
serviceServingCA []byte

serviceAccounts listersv1.ServiceAccountLister
// updatedSecrets is a wrapper around the shared cache which allows us to record
Expand Down Expand Up @@ -352,22 +359,23 @@ func (e *TokensController) deleteToken(ns, name string, uid types.UID) ( /*retry
return true, err
}

func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool) {
func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool, bool) {
caData := secret.Data[v1.ServiceAccountRootCAKey]
needsCA := len(e.rootCA) > 0 && !bytes.Equal(caData, e.rootCA)
needsServiceServingCA := len(e.serviceServingCA) > 0 && bytes.Compare(secret.Data[ServiceServingCASecretKey], e.serviceServingCA) != 0

needsNamespace := len(secret.Data[v1.ServiceAccountNamespaceKey]) == 0

tokenData := secret.Data[v1.ServiceAccountTokenKey]
needsToken := len(tokenData) == 0

return needsCA, needsNamespace, needsToken
return needsCA, needsServiceServingCA, needsNamespace, needsToken
}

// generateTokenIfNeeded populates the token data for the given Secret if not already set
func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAccount *v1.ServiceAccount, cachedSecret *v1.Secret) ( /* retry */ bool, error) {
// Check the cached secret to see if changes are needed
if needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsToken && !needsNamespace {
if needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
return false, nil
}

Expand All @@ -386,8 +394,8 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
return false, nil
}

needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
if !needsCA && !needsToken && !needsNamespace {
needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
if !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
return false, nil
}

Expand All @@ -402,6 +410,9 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
if needsCA {
liveSecret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
}
if needsServiceServingCA {
liveSecret.Data[ServiceServingCASecretKey] = e.serviceServingCA
}
// Set the namespace
if needsNamespace {
liveSecret.Data[v1.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)
Expand Down

0 comments on commit a4e2c7f

Please sign in to comment.